Design proposal to Non-Interactive password update for REST client
Patrick Williams
patrick at stwcx.xyz
Tue Aug 15 02:35:15 AEST 2017
On Fri, Aug 11, 2017 at 09:48:48PM +0530, vishwa wrote:
> This email is about openbmc/openbmc#1714 ( REST API to update root
> password )
>
> Goal is to do Non-interactive password updates to enable a REST client
> to update the root password.
>
> My proposal is to use `getspent(3)` and `putspent(3)` and here is the flow.
>
> REST client will provide a method that takes std::string as parameter.
>
> The Provider at the BMC will receive the password and does these:
>
> - Executes `getspent(3)` for "root" and gets the entries.
Make sure you're using getspent_r for this.
Should be done based on any user, not just 'root'. We might only
support 'root' now but will want to easily add support for other users
in the near future.
> - Parses the `sp_pwdp` and extracts `encryption method` , `salt`.
Is there a portable way to do this? Is there any library that exists
already?
Tom and I spoke previously about a possible non-standard crypt algorithm
in order to satisfy some of the requirements of IPMI RMCP+'s
authentication protocol without storing plaintext passwords. Please
follow up with him and see if what you are proposing here will mesh with
what he was planning.
> - Makes a call to `crypt(3)` with the extracted `salt` and `user
> input` and generates encrypted pass-code
The salt can/should be random for each password, shouldn't it? It
sounds like you are attempting to reuse the salt from the previous
password and that is not required nor preferred to the best of my
knowledge.
> - Populates the structure and calls `putspent(3)` to update the password
>
> Please let me know your opinion on this.
>
> Thank you,
>
> !! Vishwa !!
>
--
Patrick Williams
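As an added example that is not part of this thread or of OpenBMC's code: two hypothetical C helpers covering the two points raised above, parsing the method id and salt out of an `sp_pwdp` field, and generating a fresh random salt for every password change rather than reusing the old one. It assumes glibc-style modular crypt fields (`$id$salt$hash`) and a readable `/dev/urandom`; the shadow value in `main` is constructed, not a real hash.

```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical helpers (not openbmc code) for the sp_pwdp parse and salt steps. */
static const char alphabet[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* "$6$rounds=5000$saltsalt$hash" -> method "6", salt "rounds=5000$saltsalt".
 * Returns -1 for locked ("!", "*"), empty or legacy DES fields (no '$' prefix). */
static int parse_setting(const char *sp_pwdp, char *method, size_t mlen,
                         char *salt, size_t slen)
{
    if (sp_pwdp == NULL || sp_pwdp[0] != '$')
        return -1;
    const char *p = sp_pwdp + 1, *end = strchr(p, '$');
    if (end == NULL || end == p || (size_t)(end - p) >= mlen)
        return -1;
    memcpy(method, p, end - p);
    method[end - p] = '\0';
    p = end + 1;
    const char *hash = strrchr(p, '$');   /* hash chars never include '$' */
    if (hash == NULL || hash == p || (size_t)(hash - p) >= slen)
        return -1;
    memcpy(salt, p, hash - p);
    salt[hash - p] = '\0';
    return 0;
}

/* Build "$<method>$<16 random chars>$" from /dev/urandom so every password
 * change gets its own salt rather than reusing the previous entry's. */
static int make_setting(const char *method, char *out, size_t outlen)
{
    unsigned char rnd[16];
    char salt[sizeof rnd + 1];
    int fd = open("/dev/urandom", O_RDONLY);
    ssize_t got = fd < 0 ? -1 : read(fd, rnd, sizeof rnd);
    if (fd >= 0) close(fd);
    if (got != (ssize_t)sizeof rnd) return -1;
    for (size_t i = 0; i < sizeof rnd; i++)
        salt[i] = alphabet[rnd[i] & 63];   /* 64 symbols: no modulo bias */
    salt[sizeof rnd] = '\0';
    return snprintf(out, outlen, "$%s$%s$", method, salt) < (int)outlen ? 0 : -1;
}

int main(void)
{
    char m[8], s[64], n[64];   /* constructed sp_pwdp below is not a real hash */
    if (parse_setting("$6$rounds=5000$saltsalt$notarealhash", m, 8, s, 64) == 0 && make_setting(m, n, 64) == 0)
        printf("old: method %s salt %s\nnew setting for crypt_r(3): %s\n", m, s, n);
    return 0;
}
```

The new setting string is what gets passed to `crypt_r(3)` together with the user's new password; the old salt is only parsed to learn which method the existing entry used.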