Re: bash $TMOUT

2008-07-23 Thread Ricky Zhou
On 2008-07-23 08:39:07 PM, Chuck Anderson wrote:
> 1. Isn't it a bad idea to be storing your SSH keys long term in 
> process memory of a remote system anyway?  Or are these keys only for 
> Fedora stuff?
Yes and yes :-)

Thanks,
Ricky


___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list


Re: bash $TMOUT

2008-07-23 Thread Chuck Anderson
On Wed, Jul 23, 2008 at 07:44:25PM -0500, Mike McGrath wrote:
> The idea is more to ensure that sessions aren't just left open for someone
> to come upon and mess with.  6 days is a long time to have been logged in
> especially in idle.  Means there's a shell who knows where protected by
> who knows what.  I'd hate for someone to start a screen session on their
> remote machine, ssh into ours, and just leave it there for days having
> their machine get hacked, someone attaching to that screen session.
> 
> Just one such example of an attack, the more obvious is having company
> over for the night, "mind if I use your computer?" sort of thing, or in a
> dorm room, or who knows what.  It's not complete protection, but I think
> it's a good first step.

Ok.  I wonder if there is a way to launch "vlock" or similar instead 
of just forcing an autologout then?



Re: bash $TMOUT

2008-07-23 Thread Mike McGrath
On Wed, 23 Jul 2008, Chuck Anderson wrote:

> On Wed, Jul 23, 2008 at 04:40:37PM -0400, Ricky Zhou wrote:
> > On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
> > > On Wed, 23 Jul 2008, Jorge Bras wrote:
> > > > If people start using screen they just have to reconnect, et voila, 
> > > > continue
> > > > to work.
> > > > At least for me, screen was the solution.
> > A downside with that solution is that if I detach a screen session
> > and end my SSH session, the next time I reattach, I lose my SSH agent,
> > and that means having to type SSH passwords repeatedly until I
> > completely destroy and reconstruct the screen session.
>
> 1. Isn't it a bad idea to be storing your SSH keys long term in
> process memory of a remote system anyway?  Or are these keys only for
> Fedora stuff?
>
> 2. Doesn't running screen with shells and stuff in it kinda defeat the
> purpose of $TMOUT?  I mean, if the idea is to free up resources, you
> aren't really freeing up much if you can keep an idle screen session
> with 10 shells open in it with emacs or whathaveyou.
>

1) yes

2)
The idea is more to ensure that sessions aren't just left open for someone
to come upon and mess with.  6 days is a long time to have been logged in
especially in idle.  Means there's a shell who knows where protected by
who knows what.  I'd hate for someone to start a screen session on their
remote machine, ssh into ours, and just leave it there for days having
their machine get hacked, someone attaching to that screen session.

Just one such example of an attack, the more obvious is having company
over for the night, "mind if I use your computer?" sort of thing, or in a
dorm room, or who knows what.  It's not complete protection, but I think
it's a good first step.

-Mike



Re: bash $TMOUT

2008-07-23 Thread Chuck Anderson
On Wed, Jul 23, 2008 at 04:40:37PM -0400, Ricky Zhou wrote:
> On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
> > On Wed, 23 Jul 2008, Jorge Bras wrote:
> > > If people start using screen they just have to reconnect, et voila, 
> > > continue
> > > to work.
> > > At least for me, screen was the solution.
> A downside with that solution is that if I detach a screen session
> and end my SSH session, the next time I reattach, I lose my SSH agent,
> and that means having to type SSH passwords repeatedly until I
> completely destroy and reconstruct the screen session.

1. Isn't it a bad idea to be storing your SSH keys long term in 
process memory of a remote system anyway?  Or are these keys only for 
Fedora stuff?

2. Doesn't running screen with shells and stuff in it kinda defeat the 
purpose of $TMOUT?  I mean, if the idea is to free up resources, you 
aren't really freeing up much if you can keep an idle screen session 
with 10 shells open in it with emacs or whathaveyou.



Re: bash $TMOUT

2008-07-23 Thread Jared Brothers
2008/7/23 Ricky Zhou <[EMAIL PROTECTED]>:
> On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
>> On Wed, 23 Jul 2008, Jorge Bras wrote:
>> > If people start using screen they just have to reconnect, et voila, 
>> > continue
>> > to work.
>> > At least for me, screen was the solution.
> A downside with that solution is that if I detach a screen session
> and end my SSH session, the next time I reattach, I lose my SSH agent,
> and that means having to type SSH passwords repeatedly until I
> completely destroy and reconstruct the screen session.

The trick to using screen and an ssh agent is to reset the environment
variables that point to your ssh connection.  Here is a script I use to
store the connection information in a file that is sourced by my shell if
it can't find my agent, and the "ss" alias I use to rejoin my session from
another location.  I found this somewhere on the web and modified it.

~ % grep ssh-env .zaliases
alias -- ss='~/bin/ssh-env && screen -d -R'

~ % cat bin/ssh-env
#!/bin/sh
SSHVARS="SSH_CLIENT SSH_TTY SSH_AUTH_SOCK SSH_CONNECTION DISPLAY"
for x in ${SSHVARS} ; do
   echo "export $x=\"$(eval echo \$$x)\""
done 1>$HOME/.ssh/env

~ % grep .ssh/env .zshenv
ssh-add -l >/dev/null 2>&1 || { [[ -r ~/.ssh/env ]] && source ~/.ssh/env }

-- 
Jared Brothers



Re: bash $TMOUT

2008-07-23 Thread Mike McGrath
On Wed, 23 Jul 2008, Ricky Zhou wrote:

> On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
> > On Wed, 23 Jul 2008, Jorge Bras wrote:
> > > If people start using screen they just have to reconnect, et voila, 
> > > continue
> > > to work.
> > > At least for me, screen was the solution.
> A downside with that solution is that if I detach a screen session
> and end my SSH session, the next time I reattach, I lose my SSH agent,
> and that means having to type SSH passwords repeatedly until I
> completely destroy and reconstruct the screen session.
>
> > Even in screen's case it'd kill the session during the timeout, unless
> > someone unset $TMOUT
> >
> > Perhaps that's what we'll do, and if people have a problem with it, they
> > can set their own $TMOUT value in their .bashrc file.
> Hey, if it's not particularly frowned upon to override that value (with
> the knowledge that you have to be extremely careful in locking your
> laptop/desktop), then I'm all for it :-)
>

yeah, so far nothing's really "happened" because of bad voodoo.  I'm not
quite convinced a firm policy will help anything but at a minimum I think
$TMOUT will help clean up old sessions.

-Mike



Re: bash $TMOUT

2008-07-23 Thread Ricky Zhou
On 2008-07-23 09:07:58 AM, Mike McGrath wrote:
> On Wed, 23 Jul 2008, Jorge Bras wrote:
> > If people start using screen they just have to reconnect, et voila, continue
> > to work.
> > At least for me, screen was the solution.
A downside with that solution is that if I detach a screen session
and end my SSH session, the next time I reattach, I lose my SSH agent,
and that means having to type SSH passwords repeatedly until I
completely destroy and reconstruct the screen session.

> Even in screen's case it'd kill the session during the timeout, unless
> someone unset $TMOUT
> 
> Perhaps that's what we'll do, and if people have a problem with it, they
> can set their own $TMOUT value in their .bashrc file.
Hey, if it's not particularly frowned upon to override that value (with
the knowledge that you have to be extremely careful in locking your
laptop/desktop), then I'm all for it :-)

Thanks,
Ricky




Re: bash $TMOUT

2008-07-23 Thread Chuck Anderson
On Wed, Jul 23, 2008 at 09:07:58AM -0500, Mike McGrath wrote:
> Perhaps that's what we'll do, and if people have a problem with it, they
> can set their own $TMOUT value in their .bashrc file.

Can we have tcsh?



Re: bash $TMOUT

2008-07-23 Thread Mike McGrath
On Wed, 23 Jul 2008, Jorge Bras wrote:

>
> Hi there,
>
> If people start using screen they just have to reconnect, et voila, continue
> to work.
> At least for me, screen was the solution.
>
> just my 2 cents.
>

Even in screen's case it'd kill the session during the timeout, unless
someone unset $TMOUT

Perhaps that's what we'll do, and if people have a problem with it, they
can set their own $TMOUT value in their .bashrc file.

-Mike
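
The override behaviour discussed in this message, as an added example that is not part of the original thread: it feeds bash a site-wide default followed by a user's own startup lines and reports which `TMOUT` survives. The function names, the `/etc/profile.d/tmout.sh` path in the comments and the `readonly` variant are assumptions added for contrast (the thread does not propose `readonly`); 28800 seconds is the 8 hours suggested elsewhere in the thread.

```shell
#!/bin/sh
# Added example: which TMOUT is in force after bash has read a site-wide
# default and then a user startup file?

# effective_tmout POLICY USER_RC
#   POLICY  - shell text standing in for a site-wide file such as
#             /etc/profile.d/tmout.sh (path is an assumption)
#   USER_RC - shell text standing in for lines in ~/.bashrc
# Prints the resulting TMOUT in seconds, or "unset" if no timeout remains.
effective_tmout() {
    bash --noprofile --norc -c '
        # Report from an EXIT trap so the value is printed even when a
        # write to a readonly variable aborts the user snippet.
        trap "printf %s \"\${TMOUT-unset}\"" EXIT
        eval "$1"    # site-wide policy is read first
        eval "$2"    # user startup file is read afterwards
    ' tmout-demo "$1" "$2" 2>/dev/null || :
}

# Overridable default, as proposed in the thread (8 hours).
SITE_DEFAULT='TMOUT=28800; export TMOUT'
# Same default, but marked readonly so later startup files cannot change it.
SITE_LOCKED='TMOUT=28800; readonly TMOUT; export TMOUT'

# report LABEL POLICY USER_RC: print one line of the comparison table.
report() {
    printf '%-8s %-14s -> TMOUT=%s\n' "$1" "$3" "$(effective_tmout "$2" "$3")"
}

report default "$SITE_DEFAULT" 'TMOUT=86400'   # user picks a longer timeout
report default "$SITE_DEFAULT" 'unset TMOUT'   # user removes the timeout
report locked  "$SITE_LOCKED"  'TMOUT=86400'   # assignment is rejected
report locked  "$SITE_LOCKED"  'unset TMOUT'   # unset is rejected
```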



Re: bash $TMOUT

2008-07-23 Thread Jorge Bras


Hi there,

If people start using screen they just have to reconnect, et voila,  
continue to work.

At least for me, screen was the solution.

just my 2 cents.

./bras


On Jul 23, 2008, at 4:13 AM, Mike McGrath wrote:

So, I'd like to set a $TMOUT for all of our bash sessions.  I see a
lot of shells just needlessly open.  This is going to piss people off
though, I haven't even done it yet and it's pissing me off :)

Are there any very vocal oppositions to this?  Any alternatives?  I'd like
to at a minimum install it on fedorapeople.

-Mike



Re: bash $TMOUT

2008-07-23 Thread Jeroen van Meeuwen

Mike McGrath wrote:

Trying to prevent stuff like this:

XXX pts/7XXX 06Jul08 10:11   0.06s  0.10s sshd: XXX [priv]
 ^^^ holy moly :)


  holy alright 


-Jeroen



Re: bash $TMOUT

2008-07-22 Thread Mike McGrath
On Tue, 22 Jul 2008, Mike McGrath wrote:

> On Wed, 23 Jul 2008, Nigel Jones wrote:
>
> > Mike McGrath wrote:
> > > So, I'd like to set a $TMOUT for all of our bash sessions.  I see a
> > > lot of shells just needlessly open.  This is going to piss people off
> > > though, I haven't even done it yet and it's pissing me off :)
> > >
> > > Are there any very vocal oppositions to this?  Any alternatives?  I'd like
> > > to at a minimum install it on fedorapeople.
> > >
> > I object your honour!
> >
> > a) It's a PITA, login, get distracted for an hour or two and find out that
> > your session died
> > b) I think this is the problem I have with proxy4 (now proxy1) where it cuts
> > me off after an hour... hmmm
> > c) Fedora People is a different story, yes please do, 3 hours maybe...
> >
>
> I was thinking 8 hours..  and the problems you're seeing with proxy4 are
> something else.
>

Trying to prevent stuff like this:

XXX pts/7XXX 06Jul08 10:11   0.06s  0.10s sshd: XXX [priv]
 ^^^ holy moly :)

-Mike



Re: bash $TMOUT

2008-07-22 Thread Mike McGrath
On Wed, 23 Jul 2008, Nigel Jones wrote:

> Mike McGrath wrote:
> > So, I'd like to set a $TMOUT for all of our bash sessions.  I see a
> > lot of shells just needlessly open.  This is going to piss people off
> > though, I haven't even done it yet and it's pissing me off :)
> >
> > Are there any very vocal oppositions to this?  Any alternatives?  I'd like
> > to at a minimum install it on fedorapeople.
> >
> I object your honour!
>
> a) It's a PITA, login, get distracted for an hour or two and find out that
> your session died
> b) I think this is the problem I have with proxy4 (now proxy1) where it cuts
> me off after an hour... hmmm
> c) Fedora People is a different story, yes please do, 3 hours maybe...
>

I was thinking 8 hours..  and the problems you're seeing with proxy4 are
something else.

-Mike



Re: bash $TMOUT

2008-07-22 Thread Nigel Jones

Mike McGrath wrote:

So, I'd like to set a $TMOUT for all of our bash sessions.  I see a
lot of shells just needlessly open.  This is going to piss people off
though, I haven't even done it yet and it's pissing me off :)

Are there any very vocal oppositions to this?  Any alternatives?  I'd like
to at a minimum install it on fedorapeople.
  

I object your honour!

a) It's a PITA, login, get distracted for an hour or two and find out 
that your session died
b) I think this is the problem I have with proxy4 (now proxy1) where it 
cuts me off after an hour... hmmm

c) Fedora People is a different story, yes please do, 3 hours maybe...

- Nigel

-Mike
