TMOUT

2009-01-20 Thread Mike McGrath
Hey guys, so we talked about this... well, a long time ago and decided to
do it but it never got implemented.  So I'm going to implement it now and
it's likely going to cause some people pain for now.

I'm going to set the default bash TMOUT value to 32400 (9 hours).  If you
need to overwrite this, you can do it in your bashrc though it's
recommended that you not do that.

I'm going to add this to the security policy as this is a security
measure.  I'll do it tomorrow morning so get ready.

-Mike

___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
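
An added example, not part of the thread: one way to audit for sessions that have been idle longer than the 32400-second default announced above, by parsing `w -h` output. It assumes the procps column order and IDLE formats (`Ndays`, `H:MMm`, `M:SS`, `S.SSs`); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Flags sessions whose IDLE time in
# `w -h` output exceeds a limit; default 32400 s, the TMOUT value announced above.
# Assumes the procps column order USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT with a
# non-empty FROM field (remote logins), and the procps IDLE formats handled below.

stale_sessions() {
    awk -v limit="${1:-32400}" '
    # Convert one IDLE field to seconds; -1 if the format is not recognised.
    function idle_secs(f,   p) {
        if (f ~ /^[0-9]+days$/)      { sub(/days$/, "", f); return f * 86400 }
        if (f ~ /^[0-9]+:[0-9]+m$/)  { sub(/m$/, "", f); split(f, p, ":")
                                       return p[1] * 3600 + p[2] * 60 }   # H:MMm
        if (f ~ /^[0-9]+:[0-9]+$/)   { split(f, p, ":")
                                       return p[1] * 60 + p[2] }          # M:SS
        if (f ~ /^[0-9]+\.[0-9]+s$/) { return int(f) }                    # S.SSs
        return -1
    }
    {
        s = idle_secs($5)
        if (s < 0)          print "unparsed idle field: " $0 > "/dev/stderr"
        else if (s > limit) print $1, $2, s
    }'
}

sample_w() {   # constructed sample lines, not real users or hosts
    cat <<'EOF'
alice    pts/0    198.51.100.7     09:14    2:03   0.05s  0.01s -bash
bob      pts/3    203.0.113.20     Mon08   17:42m  0.10s  0.06s -bash
carol    pts/7    192.0.2.44       06Jul08  6days  0.06s  0.10s sshd: carol [priv]
dave     pts/9    198.51.100.9     08:55    8:59m  0.02s  0.02s vim notes
erin     pts/4    192.0.2.9        10:01   12.00s  0.01s  0.01s w
EOF
}

# Prints user, tty and idle seconds for each session over the limit.
sample_w | stale_sessions
```

On a live host the same function can be fed with `w -h | stale_sessions`, optionally passing a different limit in seconds as the first argument.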


Re: bash $TMOUT

2008-07-23 Thread Jeroen van Meeuwen

Mike McGrath wrote:

> Trying to prevent stuff like this:
>
> XXX pts/7XXX 06Jul08 10:11   0.06s  0.10s sshd: XXX [priv]
>  ^^^ holy moly :)

holy alright

-Jeroen



Re: bash $TMOUT

2008-07-23 Thread Mike McGrath
On Wed, 23 Jul 2008, Jorge Bras wrote:


> Hi there,
>
> If people start using screen they just have to reconnect, et voila, continue
> to work.
> At least for me, screen was the solution.
>
> just my 2 cents.


Even in screen's case it'd kill the session during the timeout, unless
someone unset $TMOUT

Perhaps that's what we'll do, and if people have a problem with it, they
can set their own $TMOUT value in their .bashrc file.

-Mike



Re: bash $TMOUT

2008-07-23 Thread Ricky Zhou
On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
> On Wed, 23 Jul 2008, Jorge Bras wrote:
> > If people start using screen they just have to reconnect, et voila, continue
> > to work.
> > At least for me, screen was the solution.
A downside with that solution is that if I detach a screen session
and end my SSH session, the next time I reattach, I lose my SSH agent,
and that means having to type SSH passwords repeatedly until I
completely destroy and reconstruct the screen session.

> Even in screen's case it'd kill the session during the timeout, unless
> someone unset $TMOUT
>
> Perhaps that's what we'll do, and if people have a problem with it, they
> can set their own $TMOUT value in their .bashrc file.
Hey, if it's not particularly frowned upon to override that value (with
the knowledge that you have to be extremely careful in locking your
laptop/desktop), then I'm all for it :-)

Thanks,
Ricky




Re: bash $TMOUT

2008-07-23 Thread Jared Brothers
2008/7/23 Ricky Zhou [EMAIL PROTECTED]:
> On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
> > On Wed, 23 Jul 2008, Jorge Bras wrote:
> > > If people start using screen they just have to reconnect, et voila,
> > > continue to work.
> > > At least for me, screen was the solution.
> A downside with that solution is that if I detach a screen session
> and end my SSH session, the next time I reattach, I lose my SSH agent,
> and that means having to type SSH passwords repeatedly until I
> completely destroy and reconstruct the screen session.

The trick to using screen and an ssh agent is to reset the environment
variables that point to your ssh connection.  Here is a script I use to
store the connection information in a file that is sourced by my shell if
it can't find my agent, and the ss alias I use to rejoin my session from
another location.  I found this somewhere on the web and modified it.

~ % grep ssh-env .zaliases
alias -- ss='~/bin/ssh-env && screen -d -R'

~ % cat bin/ssh-env
#!/bin/sh
# Save the current SSH connection variables so a reattached screen can source them
SSHVARS="SSH_CLIENT SSH_TTY SSH_AUTH_SOCK SSH_CONNECTION DISPLAY"
for x in ${SSHVARS} ; do
   echo "export $x=\"$(eval echo \$$x)\""
done 1>$HOME/.ssh/env

~ % grep .ssh/env .zshenv
ssh-add -l >/dev/null 2>&1 || { [[ -r ~/.ssh/env ]] && source ~/.ssh/env }

-- 
Jared Brothers



Re: bash $TMOUT

2008-07-23 Thread Chuck Anderson
On Wed, Jul 23, 2008 at 07:44:25PM -0500, Mike McGrath wrote:
> The idea is more to ensure that sessions aren't just left open for someone
> to come upon and mess with.  6 days is a long time to have been logged in
> especially in idle.  Means there's a shell who knows where protected by
> who knows what.  I'd hate for someone to start a screen session on their
> remote machine, ssh into ours, and just leave it there for days having
> their machine get hacked, someone attaching to that screen session.
>
> Just one such example of an attack, the more obvious is having company
> over for the night, mind if I use your computer? sort of thing, or in a
> dorm room, or who knows what.  It's not complete protection, but I think
> it's a good first step.

Ok.  I wonder if there is a way to launch vlock or similar instead 
of just forcing an autologout then?



Re: bash $TMOUT

2008-07-23 Thread Ricky Zhou
On 2008-07-23 08:39:07 PM, Chuck Anderson wrote:
> 1. Isn't it a bad idea to be storing your SSH keys long term in
> process memory of a remote system anyway?  Or are these keys only for
> Fedora stuff?
Yes and yes :-)

Thanks,
Ricky




bash $TMOUT

2008-07-22 Thread Mike McGrath
So, I'd like to set a $TMOUT for all of our bash sessions.  I see a
lot of shells just needlessly open.  This is going to piss people off
though, I haven't even done it yet and it's pissing me off :)

Are there any very vocal oppositions to this?  Any alternatives?  I'd like
to at a minimum install it on fedorapeople.

-Mike



Re: bash $TMOUT

2008-07-22 Thread Nigel Jones

Mike McGrath wrote:

> So, I'd like to set a $TMOUT for all of our bash sessions.  I see a
> lot of shells just needlessly open.  This is going to piss people off
> though, I haven't even done it yet and it's pissing me off :)
>
> Are there any very vocal oppositions to this?  Any alternatives?  I'd like
> to at a minimum install it on fedorapeople.
  

I object your honour!

a) It's a PITA, login, get distracted for an hour or two and find out 
that your session died
b) I think this is the problem I have with proxy4 (now proxy1) where it 
cuts me off after an hour... hmmm

c) Fedora People is a different story, yes please do, 3 hours maybe...

- Nigel



Re: bash $TMOUT

2008-07-22 Thread Mike McGrath
On Wed, 23 Jul 2008, Nigel Jones wrote:

> Mike McGrath wrote:
> > So, I'd like to set a $TMOUT for all of our bash sessions.  I see a
> > lot of shells just needlessly open.  This is going to piss people off
> > though, I haven't even done it yet and it's pissing me off :)
> >
> > Are there any very vocal oppositions to this?  Any alternatives?  I'd like
> > to at a minimum install it on fedorapeople.
>
> I object your honour!
>
> a) It's a PITA, login, get distracted for an hour or two and find out that
> your session died
> b) I think this is the problem I have with proxy4 (now proxy1) where it cuts
> me off after an hour... hmmm
> c) Fedora People is a different story, yes please do, 3 hours maybe...


I was thinking 8 hours..  and the problems you're seeing with proxy4 is
something else.

-Mike



Re: bash $TMOUT

2008-07-22 Thread Mike McGrath
On Tue, 22 Jul 2008, Mike McGrath wrote:

> On Wed, 23 Jul 2008, Nigel Jones wrote:
>
> > Mike McGrath wrote:
> > > So, I'd like to set a $TMOUT for all of our bash sessions.  I see a
> > > lot of shells just needlessly open.  This is going to piss people off
> > > though, I haven't even done it yet and it's pissing me off :)
> > >
> > > Are there any very vocal oppositions to this?  Any alternatives?  I'd like
> > > to at a minimum install it on fedorapeople.
> >
> > I object your honour!
> >
> > a) It's a PITA, login, get distracted for an hour or two and find out that
> > your session died
> > b) I think this is the problem I have with proxy4 (now proxy1) where it cuts
> > me off after an hour... hmmm
> > c) Fedora People is a different story, yes please do, 3 hours maybe...
>
> I was thinking 8 hours..  and the problems you're seeing with proxy4 is
> something else.


Trying to prevent stuff like this:

XXX pts/7XXX 06Jul08 10:11   0.06s  0.10s sshd: XXX [priv]
 ^^^ holy moly :)

-Mike
