
Re: security standards



On Mon, Mar 14, 2005 at 11:51:57PM -0500, Willie Northway wrote:
> On Mar 14, 2005, at 10:32 PM, gelle@xxxxxxxxx wrote:
> >Since we don't audit desktop security (screensaver locking, etc.) I wonder
> >about the risk of this, since they could be open over weekends, holidays,
> >etc.  This seems like a big vulnerability to me.
> 
> I wholeheartedly agree. I'd suggest cutting off anyone's session that's 
> been idle for longer than an hour or two. I'd suggest using something 
> like these parameters in /etc/openssh/sshd_config (or whatever the 
> equivalent is for Solaris):
> 
> ClientAliveInterval 300		#every 5 minutes
> ClientAliveCountMax 18		#5 min. x 18 tries == 90 minutes

and it is entirely counter-productive to those who use screen or something
similar...

> These are totally arbitrary values. But seriously, how difficult is it 
> to enter your username and password to login again?

not very, esp. if you use ssh-agent and a public key... but if you do, then an
inactive logout on the server end does no good for securing your workstation.

As Wes stated, this is not a technical problem...

Adi