Fix #307: pin sshd LoginGraceTime to cover the 2FA push window#392
Open
Om-singhaI wants to merge 1 commit into
Open
Fix #307: pin sshd LoginGraceTime to cover the 2FA push window#392Om-singhaI wants to merge 1 commit into
Om-singhaI wants to merge 1 commit into
Conversation
SSH logins into a container authenticate through sssd -> the LDAP gateway, which fires a push-notification 2FA and allows up to 60s for it to be answered (ldap_opt_timeout in sssd.conf.template). sshd's default LoginGraceTime can drop the connection before that window closes, so a user answering the push in time still gets disconnected. Add a dedicated sshd_config.d drop-in that sets LoginGraceTime to 75s -- above the 60s 2FA timeout, leaving headroom for the TCP and key-exchange handshake that precedes the LDAP bind -- and copy it into the base image.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue
Fixes #307 — SSH Timeout too short. The SSH login window can be shorter than the 2FA timeout, so a user who answers the push in time still gets disconnected.
Root cause (my reading — please confirm)
SSH logins into a container authenticate through
sssd→ the LDAP gateway, which fires a push‑notification 2FA. The sssd side already allows up to 60s for the push to be answered:But the container's sshd has no matching
LoginGraceTime, so sshd's default grace window can drop the connection before that 60s push window closes.Change
Add a dedicated
sshd_config.ddrop-in settingLoginGraceTime 75and copy it into the base image. 75s sits just above the 60s 2FA timeout, leaving headroom for the TCP + key-exchange handshake that precedes the LDAP bind.images/base/50-login-grace-time.conf(new)images/base/Dockerfile— copy the drop-in into/etc/ssh/sshd_config.d/Follows the existing drop-in pattern (
50-sss-ssh-authorizedkeys.conf) and keeps the change config-only.Notes / open question
The issue is terse, so I inferred the mechanism from the code rather than a live repro. If the intended value is exactly 60s (matching the issue text) rather than 75s with headroom, I'm happy to change it. And if the real timeout lives somewhere other than the container's sshd (e.g. a gateway/proxy in front), point me at it and I'll move the fix.