Security Working Group meeting - Wednesday August 4
jrey at linux.ibm.com
Wed Aug 4 08:57:52 AEST 2021
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday August 4 at 10:00am PDT.
We'll discuss the following items on the agenda
and anything else that comes up:
1. (Joseph): IBM ACF design (2FA authentication for the special IBM
   service account) is in review -
2. (Joseph): Updated password hash algorithm from MD5 to SHA512 (while
   keeping the same cleartext password)
3. (Joseph): Change the SSH server per-session idle timeout to an hour
   (was unlimited)? (Sent idea to upstream project
   yocto-security at yoctoproject.org.) Alternatively, update
   both SSH and BMCWeb to 30 minutes.
   1. NIST SP800-63B requires a timeout of 30 minutes for
      "assurance level 2" (high confidence that the authentication
      is still valid), or 15 minutes for "assurance level 2" (very
   2. OWASP suggests idle timeouts of 15-30 minutes.
   2. Alternatively, use the bash shell’s TMOUT variable?
   3. See Yocto discussion (representative archived email):
Access, agenda and notes are in the wiki: