Security Working Group meeting - Wednesday September 18 - results - add idle timeout

Joseph Reynolds jrey at linux.ibm.com
Sat Aug 21 02:19:58 AEST 2021


On 8/18/21 7:49 PM, Jeremy Kerr wrote:
> Hi Joseph,
>
>> 5 How to add session timeouts to host console?
>>
>> DISCUSSION:
>>
>> See the diagram in the README under
>> https://github.com/openbmc/obmc-console
>> <https://github.com/openbmc/obmc-console>.
>>
>> We thought obmc-console-client was the right place to implement the
>> timeout mechanism.
> OK, but that diagram doesn't really cover the detail you'd need to base
> such a decision on; there's the ssh server between port 2222 and the
> obmc-console-client program.

Here is my understanding of the code which establishes new connections.
My knowledge here is limited; please correct me or add anything I missed.
1. The service to listen at port 2200 ("host console") is here:
github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/console/obmc-console_git.bb
2. That service uses systemd service files under:
github.com/openbmc/obmc-console/tree/master/conf
3. The `obmc-console-ssh@.service` handles each new connection by
running dropbear which connects the instance to the obmc-console-client
program.

When a network client reaches TCP port 2200, I understand the flow is:
1. When the obmc-console-ssh.socket gets a new connection, it activates
an instance of obmc-console-ssh@.service.
2. The obmc-console-ssh instance runs the dropbear program.
3. The dropbear program creates an SSH session which connects the 
network session user to the obmc-console-client program.

Given that flow, I see the following choices for where to enforce an 
idle timeout:
1. Do systemd sockets have a timeout mechanism? I found controls for
when the listening socket is idle, but not for a socket handling a
connection instance. However, my knowledge in this area is very limited.
2. The dropbear SSH server has a session idle timeout mechanism (command 
line parameter: `dropbear ... -I 3600`).
3. Add a new parameter to the obmc-console-client.  See 
https://github.com/openbmc/obmc-console/issues/18
4. Run a new program between dropbear and obmc-console-client to provide
the idle timeout, for example, like the `screen` command with TMOUT set
to the desired timeout.

Of these options, I think the easiest is to have dropbear provide the
timeout, but note that OpenSSH does not provide an idle session
timeout. I believe the right solution is to add a timeout to
obmc-console-client, as proposed in obmc-console/issues/18.

Joseph

>
> [obmc-console-client is just a *really* simple bridge between stdio and
> a unix domain socket. It doesn't own the network socket, nor do any
> authentication or authorisation]
>
> We can definitely do an optional timeout in obmc-console-client, but I
> want to make sure that's really what you want first.
>
> Cheers,
>
> Jeremy
>

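An added illustration of option 3 from the message above, an idle timeout enforced inside the stdio-to-socket bridge itself; this is standalone example code, not obmc-console's, and the names bridge_with_idle_timeout and bridge_selftest are assumptions. The relay uses poll() so that the idle timer covers both directions at once and restarts on every byte, which is the property a per-session timeout in the client would need.

```c
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>
enum bridge_result { BRIDGE_EOF = 0, BRIDGE_IDLE_TIMEOUT = 1, BRIDGE_ERROR = -1 };

/* Copy one chunk from `from` to `to`; returns -1 on EOF or error. */
static int forward_chunk(int from, int to) {
	char buf[4096];
	ssize_t n = read(from, buf, sizeof(buf));
	if (n <= 0) return -1;
	for (ssize_t off = 0; off < n;) {
		ssize_t w = write(to, buf + off, (size_t)(n - off));
		if (w < 0) { if (errno == EINTR) continue; return -1; }
		off += w;
	}
	return 0;
}

/* Relay bytes both ways between a and b until EOF, an error, or idle_ms
 * milliseconds with no traffic in either direction (idle_ms < 0: no limit). */
int bridge_with_idle_timeout(int a, int b, int idle_ms) {
	struct pollfd fds[2] = { { .fd = a, .events = POLLIN }, { .fd = b, .events = POLLIN } };
	for (;;) {
		int rc = poll(fds, 2, idle_ms); /* idle timer restarts on every event */
		if (rc < 0) { if (errno == EINTR) continue; return BRIDGE_ERROR; }
		if (rc == 0)
			return BRIDGE_IDLE_TIMEOUT; /* neither side spoke for idle_ms */
		for (int i = 0; i < 2; i++)
			if (fds[i].revents & (POLLIN | POLLHUP | POLLERR))
				if (forward_chunk(fds[i].fd, fds[1 - i].fd) < 0)
					return BRIDGE_EOF;
	}
}

/* Self-check over two constructed socketpairs with a 100 ms limit: a silent link
 * should hit the idle timeout; a link that sends "hi" and then hangs up should end in EOF. */
int bridge_selftest(int send_then_close) {
	int p[2], q[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) || socketpair(AF_UNIX, SOCK_STREAM, 0, q))
		return BRIDGE_ERROR;
	if (send_then_close && (write(p[1], "hi", 2) != 2 || close(p[1]) != 0))
		return BRIDGE_ERROR;
	int r = bridge_with_idle_timeout(p[0], q[0], 100);
	close(p[0]); close(q[0]); close(q[1]);
	if (!send_then_close)
		close(p[1]);
	return r;
}
```

In a real client the caller would log the idle exit distinctly from a normal hang-up, so that forced disconnects show up in the BMC journal as a timeout rather than as user activity.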
