Re: Security Working Group meeting - Wednesday August 4

[Patrick Williams <patrick@stwcx.xyz>]

[-- Attachment #1: Type: text/plain, Size: 2497 bytes --]

On Tue, Aug 03, 2021 at 05:57:52PM -0500, Joseph Reynolds wrote:

>  3. (Joseph): Change the SSH server per-session idle timeout to an hour
>     (was unlimited)?  (Sent idea to upstream project
>     yocto-security@yoctoproject.org
>     <mailto:yocto-security@yoctoproject.org>.)  Alternatively, update
>     both SSH and BMCWeb to 30 minutes.

Facebook has had this implemented in our BMC for a long time.  We use to
have to patch SSH but that stopped working and we ended up using the TMOUT
variable.  Relevant commits are [1,2].

>      1. Guidelines:
>          1. NIST SP800-63B requires a timeout of 30 minutes for
>             "assurance level 2" (high confidence that the authentication
>             is still valid), or 15 minutes for "assurance level 2" (very
>             high confidence).
>             https://pages.nist.gov/800-63-3/sp800-63b.html
>             <https://pages.nist.gov/800-63-3/sp800-63b.html>
>          2. OWASP suggests idle timeouts of 15-30 minutes.
>             https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
>             <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration>

15 minutes seems more than enough to me.  We have ours set to 5 minutes on the
console and 30 minutes on the SSH, but I think those are relatively arbitrary.
Ideally whatever you implement can be configured with a Yocto variable so if
someone feels your choice is "wrong" they can easily override it in their own
machine.

>      2. Alternatively, use the bash shell’s TMOUT variable?

Whatever you do, I think you need to take into account the serial console as
well.  Not just SSH.

>      3. See Yocto discussion (representative archived email):
>         https://lists.yoctoproject.org/g/yocto-security/message/381
>         <https://lists.yoctoproject.org/g/yocto-security/message/381>

I agree with Richard even in the context of OpenBMC itself:

   > There is never going to be one "right" solution for everyone but 
   > making it easy/clear for users to do it would be ideal (which includes
   > making it easy for OpenBMC to configure what they need).

Whatever you pick someone is going to argue it is wrong.

1. https://github.com/facebook/openbmc/commit/8171ad7183269e3050f7f37b9b3956ce54b0ee87
2. https://github.com/facebook/openbmc/commit/59d7b23a9c2aa08efde19f913df446a82e1f6804

-- 
Patrick Williams

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]