Add SSH session idle timeouts
Andrew Jeffery
andrew at aj.id.au
Tue Aug 10 09:34:43 AEST 2021
Hi Joseph,
On Tue, 10 Aug 2021, at 00:32, Joseph Reynolds wrote:
> [NIST SP800-63B][] requires a timeout of 30 minutes for "assurance
> level 2" (high confidence that the authentication is still valid), or 15
> minutes for "assurance level 2" (very high confidence).
You've listed "assurance level 2" here twice; I assume the level increases.
>
> Idle session timeouts can technically be implemented in one of three
> places:
> 1. In the communication layer, for example, the SSH client session can
> time out.
> 2. In the application. For example, the Bash shell TMOUT variable.
> 3. In a layer between the interface and the application. For example,
> the "screen" application can provide a timeout function.
>
> For example, suppose you want your host console sessions (ssh -p 2200)
> to time out and close the session. OpenSSH does not offer a session
> idle timeout, and [obmc-console][] does not offer a timeout, so how can
> we provide this function? One idea is to have the SSH server for port
> 2200 connect to an application like "screen", set its TMOUT variable,
> and connect that to the console socket. Or can we add timeout support
> directly to obmc-console?
> [obmc-console]: https://github.com/openbmc/obmc-console
Right, let's not be allergic to touching the code for these projects.
obmc-console is an OpenBMC application, and both OpenSSH and dropbear
are open-source, so if we need to make changes in any then we have a
path forward.
Whether that's appropriate is a separate question, but let's not create
a maze unnecessarily.
Andrew
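
Option 3 from the quoted list (a layer between the interface and the application), sketched as an added example that is not part of this thread and not obmc-console code: a poll()-based relay between a client descriptor and a console descriptor that ends the session once the client has sent nothing for idle_ms. The names relay_until_idle, pump and now_ms are hypothetical, and counting only client input as activity is this example's assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>

enum relay_end { RELAY_ERR = -1, RELAY_IDLE = 0, RELAY_EOF = 1 };

/* Monotonic clock, so wall-clock adjustments cannot stretch a session. */
static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Forward one read's worth of bytes: 1 = data moved, 0 = EOF, -1 = error. */
static int pump(int from, int to) {
    char buf[4096];
    ssize_t off = 0, w, n = read(from, buf, sizeof(buf));
    if (n <= 0)
        return n == 0 ? 0 : -1;
    for (; off < n; off += w)
        if ((w = write(to, buf + off, (size_t)(n - off))) <= 0)
            return -1;
    return 1;
}

/* Relay both ways until the client sends nothing for idle_ms. Assumption:
 * only client input is activity, since console output (host logs) keeps
 * arriving whether or not anyone is at the keyboard. */
enum relay_end relay_until_idle(int client, int console, int idle_ms) {
    long left, deadline = now_ms() + idle_ms;
    int rc, r;
    for (;;) {
        struct pollfd p[2] = { { client, POLLIN, 0 }, { console, POLLIN, 0 } };
        if ((left = deadline - now_ms()) <= 0)
            return RELAY_IDLE;            /* caller closes the session */
        rc = poll(p, 2, (int)left);
        if (rc < 0 && errno != EINTR)
            return RELAY_ERR;
        if (rc <= 0)
            continue;                     /* timeout or signal: re-check deadline */
        if (p[0].revents) {               /* user input: forward, restart timer */
            if ((r = pump(client, console)) <= 0)
                return r == 0 ? RELAY_EOF : RELAY_ERR;
            deadline = now_ms() + idle_ms;
        }
        if (p[1].revents && (r = pump(console, client)) <= 0)
            return r == 0 ? RELAY_EOF : RELAY_ERR;
    }
}
```

On RELAY_IDLE the caller closes both descriptors, which ends the SSH-side session without relying on the client or the shell to enforce the limit.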