TMOUT
Hey guys, so we talked about this... well, a long time ago and decided to do it but it never got implemented. So I'm going to implement it now and it's likely going to cause some people pain for now. I'm going to set the default bash TMOUT value to 32400 (9 hours). If you need to overwrite this, you can do it in your bashrc, though it's recommended that you not do that. I'm going to add this to the security policy as this is a security measure. I'll do it tomorrow morning so get ready.

-Mike
___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: bash $TMOUT
Mike McGrath wrote:
> Trying to prevent stuff like this:
>
> XXX pts/7XXX 06Jul08 10:11 0.06s 0.10s sshd: XXX [priv]
> ^^^ holy moly :)

holy alright

-Jeroen
Re: bash $TMOUT
On Wed, 23 Jul 2008, Jorge Bras wrote:
> Hi there,
>
> If people start using screen they just have to reconnect, et voila, continue to work. At least for me, screen was the solution.
>
> just my 2 cents.

Even in screen's case it'd kill the session during the timeout, unless someone unset $TMOUT

Perhaps that's what we'll do, and if people have a problem with it, they can set their own $TMOUT value in their .bashrc file.

-Mike
Re: bash $TMOUT
On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
> On Wed, 23 Jul 2008, Jorge Bras wrote:
> > If people start using screen they just have to reconnect, et voila, continue to work. At least for me, screen was the solution.

A downside with that solution is that if I detach a screen session and end my SSH session, the next time I reattach, I lose my SSH agent, and that means having to type SSH passwords repeatedly until I completely destroy and reconstruct the screen session.

> Even in screen's case it'd kill the session during the timeout, unless someone unset $TMOUT
>
> Perhaps that's what we'll do, and if people have a problem with it, they can set their own $TMOUT value in their .bashrc file.

Hey, if it's not particularly frowned upon to override that value (with the knowledge that you have to be extremely careful in locking your laptop/desktop), then I'm all for it :-)

Thanks,
Ricky
Re: bash $TMOUT
2008/7/23 Ricky Zhou:
> On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
> > On Wed, 23 Jul 2008, Jorge Bras wrote:
> > > If people start using screen they just have to reconnect, et voila, continue to work. At least for me, screen was the solution.
>
> A downside with that solution is that if I detach a screen session and end my SSH session, the next time I reattach, I lose my SSH agent, and that means having to type SSH passwords repeatedly until I completely destroy and reconstruct the screen session.

The trick to using screen and an ssh agent is to reset the environment variables that point to your ssh connection. Here is a script I use to store the connection information in a file that is sourced by my shell if it can't find my agent, and the ss alias I use to rejoin my session from another location. I found this somewhere on the web and modified it.

    ~ % grep ssh-env .zaliases
    alias -- ss='~/bin/ssh-env && screen -d -R'
    ~ % cat bin/ssh-env
    #!/bin/sh
    # Save the current SSH connection variables so an existing screen session can reload them.
    SSHVARS="SSH_CLIENT SSH_TTY SSH_AUTH_SOCK SSH_CONNECTION DISPLAY"
    for x in ${SSHVARS} ; do
        echo export $x=\"$(eval echo \$$x)\"
    done 1>$HOME/.ssh/env
    ~ % grep .ssh/env .zshenv
    ssh-add -l >/dev/null 2>&1 || { [[ -r ~/.ssh/env ]] && source ~/.ssh/env }

--
Jared Brothers
Re: bash $TMOUT
On Wed, Jul 23, 2008 at 07:44:25PM -0500, Mike McGrath wrote:
> The idea is more to ensure that sessions aren't just left open for someone to come upon and mess with. 6 days is a long time to have been logged in especially in idle. Means there's a shell who knows where protected by who knows what. I'd hate for someone to start a screen session on their remote machine, ssh into ours, and just leave it there for days having their machine get hacked, someone attaching to that screen session. Just one such example of an attack, the more obvious is having company over for the night, "mind if I use your computer?" sort of thing, or in a dorm room, or who knows what. It's not complete protection, but I think it's a good first step.

Ok. I wonder if there is a way to launch vlock or similar instead of just forcing an autologout then?
Re: bash $TMOUT
On 2008-07-23 08:39:07 PM, Chuck Anderson wrote:
> 1. Isn't it a bad idea to be storing your SSH keys long term in process memory of a remote system anyway? Or are these keys only for Fedora stuff?

Yes and yes :-)

Thanks,
Ricky
bash $TMOUT
So, I'd like to set a $TMOUT for all of our bash sessions. I see a lot of shells just needlessly open. This is going to piss people off though, I haven't even done it yet and it's pissing me off :) Are there any very vocal oppositions to this? Any alternatives? I'd like to at a minimum install it on fedorapeople.

-Mike
Re: bash $TMOUT
Mike McGrath wrote:
> So, I'd like to set a $TMOUT for all of our bash sessions. I see a lot of shells just needlessly open. This is going to piss people off though, I haven't even done it yet and it's pissing me off :) Are there any very vocal oppositions to this? Any alternatives? I'd like to at a minimum install it on fedorapeople.

I object your honour!

a) It's a PITA, login, get distracted for an hour or two and find out that your session died
b) I think this is the problem I have with proxy4 (now proxy1) where it cuts me off after an hour... hmmm
c) Fedora People is a different story, yes please do, 3 hours maybe...

- Nigel

> -Mike
Re: bash $TMOUT
On Wed, 23 Jul 2008, Nigel Jones wrote:
> Mike McGrath wrote:
> > So, I'd like to set a $TMOUT for all of our bash sessions. I see a lot of shells just needlessly open. This is going to piss people off though, I haven't even done it yet and it's pissing me off :) Are there any very vocal oppositions to this? Any alternatives? I'd like to at a minimum install it on fedorapeople.
>
> I object your honour!
>
> a) It's a PITA, login, get distracted for an hour or two and find out that your session died
> b) I think this is the problem I have with proxy4 (now proxy1) where it cuts me off after an hour... hmmm
> c) Fedora People is a different story, yes please do, 3 hours maybe...

I was thinking 8 hours.. and the problems you're seeing with proxy4 is something else.

-Mike
Re: bash $TMOUT
On Tue, 22 Jul 2008, Mike McGrath wrote:
> On Wed, 23 Jul 2008, Nigel Jones wrote:
> > Mike McGrath wrote:
> > > So, I'd like to set a $TMOUT for all of our bash sessions. I see a lot of shells just needlessly open. This is going to piss people off though, I haven't even done it yet and it's pissing me off :) Are there any very vocal oppositions to this? Any alternatives? I'd like to at a minimum install it on fedorapeople.
> >
> > I object your honour!
> >
> > a) It's a PITA, login, get distracted for an hour or two and find out that your session died
> > b) I think this is the problem I have with proxy4 (now proxy1) where it cuts me off after an hour... hmmm
> > c) Fedora People is a different story, yes please do, 3 hours maybe...
>
> I was thinking 8 hours.. and the problems you're seeing with proxy4 is something else.

Trying to prevent stuff like this:

XXX pts/7XXX 06Jul08 10:11 0.06s 0.10s sshd: XXX [priv]
^^^ holy moly :)

-Mike
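
Added example, not part of the original thread: a POSIX shell filter that reads `w -h` style session listings like the one quoted above and reports logins idle longer than the 32400-second TMOUT default. The sample lines are constructed, and the column order and idle-time formats are assumed to be those printed by procps `w`.

```shell
#!/bin/sh
# Added example: report logins idle longer than the TMOUT policy.
# Assumes procps `w -h` columns: USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
# (an empty FROM column would shift the fields).

POLICY_SECONDS=32400   # default TMOUT from the thread (9 hours)

# True only for a non-empty string of digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Strip leading zeros so "08" is not parsed as octal inside $(( )).
dec() { n=${1#"${1%%[!0]*}"}; echo "${n:-0}"; }

# Convert an IDLE field to seconds; prints -1 when the format is unknown.
#   6days = days, 10:11m = hours:minutes, 3:15 = minutes:seconds, 44.00s
idle_to_seconds() {
    f=$1; unit=1; a=''; b=0
    case $f in
        *days) a=${f%days}; unit=86400 ;;
        *:*m)  f=${f%m}; a=${f%%:*}; b=${f#*:}; unit=3600 ;;
        *:*)   a=${f%%:*}; b=${f#*:}; unit=60 ;;
        *.*s)  a=${f%%.*} ;;                    # hundredths are dropped
    esac
    if is_uint "$a" && is_uint "$b"; then
        echo $(( $(dec "$a") * $unit + $(dec "$b") * ($unit / 60) ))
    else
        echo -1
    fi
}

# Read session lines on stdin; print "user tty idle_seconds" for offenders.
flag_idle_sessions() {
    while read -r user tty from login idle rest; do
        secs=$(idle_to_seconds "$idle")
        if [ "$secs" -gt "$POLICY_SECONDS" ]; then
            echo "$user $tty $secs"
        fi
    done
}

# Constructed sample input (users and hosts are made up).
SAMPLE='alice pts/0 host-a.example 09:02 44.00s 0.03s 0.01s -bash
bob pts/3 host-b.example 08:15 3:15 0.10s 0.02s vim notes
carol pts/7 host-c.example 06Jul08 10:11m 0.06s 0.10s sshd: carol [priv]
dave pts/9 host-d.example 01Jul08 6days 0.01s 0.01s -bash'

printf '%s\n' "$SAMPLE" | flag_idle_sessions
```

On a live host the same function can be fed with `w -h | flag_idle_sessions`.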