Design proposal to Non-Interactive password update for REST client
vishwa
vishwa at linux.vnet.ibm.com
Mon Aug 28 21:34:57 AEST 2017
On 08/14/2017 10:05 PM, Patrick Williams wrote:
> On Fri, Aug 11, 2017 at 09:48:48PM +0530, vishwa wrote:
>> This email is about openbmc/openbmc#1714 ( REST API to update root
>> password )
>>
>> Goal is to do Non-interactive password updates to enable a REST client
>> to update the root password.
>>
>> My proposal is to use `getspent(3)` and `putspent(3)` and here is the flow.
>>
>> REST client will provide a method that takes std::string as parameter.
>>
>> The Provider at the BMC will receive the password and does these:
>>
>> - Executes `getspent(3)` for "root" and gets the entries.
> Make sure you're using getspent_r for this.
Sure
>
> Should be done based on any user, not just 'root'. We might only
> support 'root' now but will want to easily add support for other users
> in the near future.
Okay. I will have [User] and [Password] in the yaml.
>> - Parses the `sp_pwdp` and extracts `encryption method` , `salt`.
> Is there a portable way to do this? Is there any library that exists
> already?
I tried to look for that and did not find one. I will continue looking.
> Tom and I spoke previously about a possible non-standard crypt algorithm
> in order to satisfy some of the requirements of IPMI RMCP+'s
> authentication protocol without storing plaintext passwords. Please
> follow up with him and see if what you are proposing here will mesh with
> what he was planning.
I told Tom about this and he would get back to me.
BTW, I put the proposal of using crypt() after looking at:
https://github.com/shadow-maint/shadow/blob/master/src/passwd.c#L245
and
https://github.com/shadow-maint/shadow/blob/6fbc11ce2178205968c37853db752729359c9893/lib/encrypt.c
>> - Makes a call to `crypt(3)` with the extracted `salt` and `user
>> input` and generates encrypted pass-code
> The salt can/should be random for each password, shouldn't it? It
> sounds like you are attempting to reuse the salt from the previous
> password and that is not required nor preferred to the best of my
> knowledge.
>
Okay. I can generate a random string from [a-zA-Z0-9./] as needed by crypt()
>> - Populates the structure and calls `putspent(3)` to update the password
>>
>> Please let me know your opinion on this.
>>
>> Thank you,
>>
>> !! Vishwa !!
>>
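An added C example, not from this thread or from OpenBMC, covering two of the steps discussed above: splitting a shadow `sp_pwdp` field into its method id and salt (including the optional SHA-crypt `rounds=N` parameter), and generating a fresh random salt from the `[a-zA-Z0-9./]` alphabet instead of reusing the previous one. The resulting `$id$salt$` string is what would be passed as the setting to `crypt_r(3)`; that call and `putspent(3)` are left out because they need the shadow file and root privileges.

```c
#include <stdio.h>
#include <string.h>

/* Salt alphabet accepted by crypt(3): [a-zA-Z0-9./], exactly 64 symbols. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Split a shadow sp_pwdp value "$id$[rounds=N$]salt$hash" into the method id
 * and the salt. Returns 0 on success, -1 for locked/empty fields ("!", "*", "")
 * or legacy DES hashes, which carry no '$' separators. */
int parse_sp_pwdp(const char *pwdp, char *id, size_t idlen,
                  char *salt, size_t saltlen)
{
    if (pwdp == NULL || pwdp[0] != '$') return -1;
    const char *p = pwdp + 1;
    const char *end = strchr(p, '$');
    if (end == NULL || end == p || (size_t)(end - p) >= idlen) return -1;
    memcpy(id, p, (size_t)(end - p));
    id[end - p] = '\0';
    p = end + 1;
    if (strncmp(p, "rounds=", 7) == 0) {      /* optional SHA-crypt parameter */
        end = strchr(p, '$');
        if (end == NULL) return -1;
        p = end + 1;
    }
    end = strchr(p, '$');
    if (end == NULL || (size_t)(end - p) >= saltlen) return -1;
    memcpy(salt, p, (size_t)(end - p));
    salt[end - p] = '\0';
    return 0;
}

/* Generate a fresh salt of `len` characters from SALT_CHARS using the kernel
 * CSPRNG (/dev/urandom). The alphabet has 64 symbols, so masking a random byte
 * with 0x3f picks a character without modulo bias. Returns 0 on success. */
int make_salt(char *salt, size_t len)
{
    unsigned char rnd[64];
    if (len == 0 || len > sizeof rnd) return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(rnd, 1, len, f);
    fclose(f);
    if (got != len) return -1;
    for (size_t i = 0; i < len; i++) salt[i] = SALT_CHARS[rnd[i] & 0x3f];
    salt[len] = '\0';
    return 0;
}
```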