Skip to content

Fix #307: pin sshd LoginGraceTime to cover the 2FA push window#392

Open
Om-singhaI wants to merge 1 commit into
mieweb:mainfrom
Om-singhaI:fix/307-ssh-login-grace-time
Open

Fix #307: pin sshd LoginGraceTime to cover the 2FA push window#392
Om-singhaI wants to merge 1 commit into
mieweb:mainfrom
Om-singhaI:fix/307-ssh-login-grace-time

Conversation

@Om-singhaI

Copy link
Copy Markdown

Issue

Fixes #307SSH Timeout too short. The SSH login window can be shorter than the 2FA timeout, so a user who answers the push in time still gets disconnected.

Root cause (my reading — please confirm)

SSH logins into a container authenticate through sssd → the LDAP gateway, which fires a push‑notification 2FA. The sssd side already allows up to 60s for the push to be answered:

# images/base/sssd.conf.template
# set a timeout long enough for a push notification to be responded to
ldap_opt_timeout = 60

But the container's sshd has no matching LoginGraceTime, so sshd's default grace window can drop the connection before that 60s push window closes.

Change

Add a dedicated sshd_config.d drop-in setting LoginGraceTime 75 and copy it into the base image. 75s sits just above the 60s 2FA timeout, leaving headroom for the TCP + key-exchange handshake that precedes the LDAP bind.

  • images/base/50-login-grace-time.conf (new)
  • images/base/Dockerfile — copy the drop-in into /etc/ssh/sshd_config.d/

Follows the existing drop-in pattern (50-sss-ssh-authorizedkeys.conf) and keeps the change config-only.

Notes / open question

The issue is terse, so I inferred the mechanism from the code rather than a live repro. If the intended value is exactly 60s (matching the issue text) rather than 75s with headroom, I'm happy to change it. And if the real timeout lives somewhere other than the container's sshd (e.g. a gateway/proxy in front), point me at it and I'll move the fix.

SSH logins into a container authenticate through sssd -> the LDAP
gateway, which fires a push-notification 2FA and allows up to 60s for
it to be answered (ldap_opt_timeout in sssd.conf.template). sshd's
default LoginGraceTime can drop the connection before that window
closes, so a user answering the push in time still gets disconnected.

Add a dedicated sshd_config.d drop-in that sets LoginGraceTime to 75s
-- above the 60s 2FA timeout, leaving headroom for the TCP and
key-exchange handshake that precedes the LDAP bind -- and copy it into
the base image.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: SSH Timeout too short

1 participant