Add new parameter -M for max. duration by sch-m · Pull Request #409 · mkj/dropbear

sch-m · 2026-03-04T08:20:32Z

Some technical guidelines (e.g., TR-03148) and cybersecurity baselines
require a hard maximum connection duration / session timeout for remote
connections. Therefore, a parameter is hereby introduced that can be
used to configure the maximum connection duration. The default value is
0 (disabled).

Use authdone instead of connect_time as dependency for authentication timeout checking. This prevents connect_time from being set to 0 unnecessarily and allows it to be used for other purposes. Signed-off-by: Martin Schiller <ms@dev.tdt.de>

sch-m · 2026-03-04T14:02:22Z

@mkj I don't understand why the check fails here and max_duration_secs seems to be set to 1, even though the default value is actually 0. Make check runs without any problems for me.

mkj · 2026-03-05T01:28:40Z

@mkj I don't understand why the check fails here and max_duration_secs seems to be set to 1, even though the default value is actually 0. Make check runs without any problems for me.

I guess github runners are slower than local systems so it might take longer than a second? max_duration_secs set to 1 looks like a real problem though?

sch-m · 2026-03-05T07:16:29Z

max_duration_secs set to 1 looks like a real problem though?

But I can't see any errors in my changes. DEFAULT_MAX_DURATION = 0. So how can opts.max_duration_secs = 1 be? The -M option isn't set anywhere in the tests.

Some technical guidelines (e.g., TR-03148) and cybersecurity baselines require a hard maximum connection duration / session timeout for remote connections. Therefore, a parameter is hereby introduced that can be used to configure the maximum connection duration. The default value is 0 (disabled). Signed-off-by: Martin Schiller <ms@dev.tdt.de>

mkj · 2026-03-05T13:43:37Z

Aah, it'll be because that CI option flips any 0 options to 1, it'll need an exclusion. Don't worry about it, I'll fix it up. Sorry for the noise there.

dropbear/.github/workflows/build.yml

Lines 229 to 240 in 75f699b

    
                 - name: nondefault 
        
                   if: ${{ matrix.nondefault }} 
        
                   run: | 
        
                     # Turn on anything that's off by default. Rough but seems sufficient 
        
                     grep ' 0$' src/default_options.h | sed 's/0$/1/' >> localoptions.h 
        
                     # PAM clashes with password 
        
                     echo "#define DROPBEAR_SVR_PASSWORD_AUTH 0" >> localoptions.h 
        
                     # 1 second timeout is too short 
        
                     sed -i "s/DEFAULT_IDLE_TIMEOUT 1/DEFAULT_IDLE_TIMEOUT 99/" localoptions.h 
        
                     # DROPBEAR_SVR_DROP_PRIVS is on by default, turn it off 
        
                     echo "#define DROPBEAR_SVR_DROP_PRIVS 0" >> localoptions.h 
        
                     echo "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" >> localoptions.h

sch-m · 2026-03-05T13:47:01Z

Aah, it'll be because that CI option flips any 0 options to 1, it'll need an exclusion. Don't worry about it, I'll fix it up. Sorry for the noise there.

Thank you for the clarification.

mkj · 2026-04-16T16:07:23Z

Thanks, this is merged. While testing I noticed an existing bug in the timeout handling, now fixed. #418

sch-m · 2026-04-17T07:26:12Z

Thank you very much.

sch-m force-pushed the pr/20260304-max_duration branch from 3451d0c to 362215a Compare March 4, 2026 10:43

sch-m force-pushed the pr/20260304-max_duration branch from 362215a to b849519 Compare March 5, 2026 12:17

sch-m marked this pull request as draft March 5, 2026 12:17

sch-m force-pushed the pr/20260304-max_duration branch 3 times, most recently from 7e1dc96 to 6e354ea Compare March 5, 2026 13:28

sch-m force-pushed the pr/20260304-max_duration branch from 6e354ea to db80283 Compare March 5, 2026 13:45

sch-m marked this pull request as ready for review March 5, 2026 13:45

mkj closed this Apr 16, 2026

sch-m deleted the pr/20260304-max_duration branch April 17, 2026 07:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add new parameter -M for max. duration#409

Add new parameter -M for max. duration#409
sch-m wants to merge 2 commits intomkj:masterfrom
TDT-AG:pr/20260304-max_duration

sch-m commented Mar 4, 2026

Uh oh!

sch-m commented Mar 4, 2026

Uh oh!

mkj commented Mar 5, 2026

Uh oh!

sch-m commented Mar 5, 2026

Uh oh!

mkj commented Mar 5, 2026

Uh oh!

sch-m commented Mar 5, 2026

Uh oh!

mkj commented Apr 16, 2026

Uh oh!

sch-m commented Apr 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

sch-m commented Mar 4, 2026

Uh oh!

sch-m commented Mar 4, 2026

Uh oh!

mkj commented Mar 5, 2026

Uh oh!

sch-m commented Mar 5, 2026

Uh oh!

mkj commented Mar 5, 2026

Uh oh!

sch-m commented Mar 5, 2026

Uh oh!

mkj commented Apr 16, 2026

Uh oh!

sch-m commented Apr 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants