OpenBMC community telecon - 11/27 Agenda
Tom Joseph
tomjose at linux.vnet.ibm.com
Fri Dec 15 00:51:28 AEDT 2017
Hey Vernon,
There are a few points about IPMI User accounts where more details are
needed.
a) IPMI User configuration (password/privilege) is done on a per-channel
basis. How do you plan to implement the case where the same user would have
different passwords/privileges?
b) IPMI user accounts are mapped to User ID, and all user account
related commands refer to user id to identify an account. I hope we need
to consider that when we design.
c) User ID 1 account has no user name. Would we support this account?
d) Can you add APIs to map enable/disable IPMI accounts, so that IPMI
user accounts can be enabled/disabled by retaining all other properties?
Regards,
Tom
On Wednesday 06 December 2017 06:19 AM, Vernon Mauery wrote:
> On 04-Dec-2017 05:02 PM, Vernon Mauery wrote:
>> On 04-Dec-2017 05:06 PM, Brad Bishop wrote:
>>> multi configuration images / runtime configurability
>>> user management
>>> secure coding guidelines
>>>
>>> —————————
>>> Monday, 10:00pm EDT
>>> 888-426-6840
>>> password: 85891389
>>
>> For the discussion on user management.
>>
>> Overview:
>> 1. User management is done via PAM.
>> 2. If IPMI is being used, PAM loads the pam_ipmi.so password module.
>> a. pam_ipmi.so intercepts password changes and saves the password
>> for IPMI-enabled users to a file that can be read at a later time
>> to initiate an RMCP+ session. (encrypted or obfuscated with
>> a per-BMC key so no passwords are written directly in flash.)
>> b. pam_ipmi.so implements a method to decrypt passwords and provide
>> them to host-ipmi (for test password command) and net-ipmi (for
>> session initiation)
>> 3. If a user is not enabled for IPMI, their password will not be saved
>> in the ipmi database, and thus must be reset if/when that user gains
>> IPMI capability.
>> 4. If a user loses IPMI capability, their password is reset to force a
>> password change so their password is secure again.
>> 5. Capabilities are done via unix groups
>> a. Groups like ipmi, webserver, redfish, ssh, sol can provide
>> login or 'channel' access.
>> b. Groups like user-manager, media, power, sensor, etc., can provide
>> fine-grained access for various capabilities. Providers of
>> capabilities should check to see that accessors (users) have the
>> required permission.
>> 6. Admin-defined 'super-groups'
>> a. Provide a set of pre-defined groups of capabilities that can be
>> assigned to users: Admin, User, Operator or similar that each have
>> groups associated with them.
>> b. Changes to groups via APIs can make sure that a user who is
>> assigned to a 'super-group' will stay assigned to the sub-groups
>> c. Changes made to users via manual commands may override API groups
>
> Items yet to be decided:
> 1. How providers of services export the service/permission pairs so
> the user manager can manage the permission groups.
> 2. How to manage the permissions groups (is there a PAM group mechanism?)
> 3. How to create users (call adduser?)
> 4. Do we force users to have different passwords for RMCP+ and other
> logins because RMCP+ passwords are insecurely stored? Or is this a
> policy thing that we allow system administrators to choose?
>
>
> --Vernon
>
>>
>> Methods:
>> 1. CREATE_USER
>> Privilege-required: USER-MANAGER
>> Args:
>> UserName - STRING (16 bytes only - else role change to IPMI
>> can't be done)
>> Password - Byte Array (Max of 20 bytes if IPMID is chosen. For
>> others can send more bytes, but change role to IPMI will
>> request password again under 20 bytes)
>> Roles - STRING with comma separated
>> Return:
>> SUCCESS ERR_USERNAME_EXIST ERR_PASSWORD_FAILS ERR_ROLE_FAILS
>> ERR_PASSWORD_ROLE_FAIL ERR_NO_RESOURCE ERR_UNKNOWN
>> ERR_AUTHORIZATION_FAIL
>>
>> 2. DELETE_USER
>> Privilege-required: USER-MANAGER
>> Args:
>> UserName - STRING
>> Return:
>> SUCCESS ERR_USERNAME_NOT_EXIST ERR_UNKNOWN
>> ERR_AUTHORIZATION_FAIL
>>
>> 3. CHANGE ROLE / CHANGE_PASSWORD (OTHERS)
>> Privilege-required: USER-MANAGER
>> Args:
>> UserName - STRING
>> New Password (if changed) - Byte Array
>> New Role (if changed) - Array of STRING
>> Return:
>> SUCCESS ERR_USERNAME_NOT_EXIST ERR_UNKNOWN
>> ERR_AUTHORIZATION_FAIL
>> ERR_PASSWORD_FAILS ERR_PASSWORD_ROLE_FAIL ERR_NO_RESOURCE
>>
>> 4. CHANGE_PASSWORD (SELF)
>> Privilege-required: Any Valid user
>> Args:
>> New Password - Byte Array
>> Return:
>> SUCCESS ERR_PASSWORD_FAILS ERR_PASSWORD_ROLE_FAIL ERR_UNKNOWN
>>
>> 5. LIST_USER_DETAILS
>> Privilege-required: USER-MANAGER
>> Args:
>> NULL
>> Return:
>> Array of:
>> USER_NAME (String)
>> ROLES (String)
>>
>> Signals:
>> 1. UPDATED_USER_SIGNAL
>> Args:
>> UserName of updated user
>> UpdateType:
>> Role changed / User Deleted / User created / Password
>> Changed etc.
>>
>
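The overview, the method list and Tom's point d) above, worked through as one runnable model. This is an added example, not OpenBMC or phosphor-user-manager code. Everything the thread does not specify is an assumption: the sub-groups that make up the Admin/Operator/User super-groups, a bootstrap `root` account holding the user-manager group, an in-memory dict standing in for pam_ipmi's per-BMC-key encrypted password file, the `password_reset_required` flag used to express "must be reset", and a `set_ipmi_enabled()` method of the kind point d) asks for. The user names, passwords and return values are constructed for the example.

```python
"""User-management rules from the thread as a model: an added example, not OpenBMC code.
Assumed, not from the thread: the super-group memberships, a bootstrap 'root' admin, a
dict standing in for pam_ipmi's per-BMC-key encrypted file, and set_ipmi_enabled()."""
from dataclasses import dataclass, field

SUCCESS = "SUCCESS"
ERR_USERNAME_EXIST = "ERR_USERNAME_EXIST"
ERR_USERNAME_NOT_EXIST = "ERR_USERNAME_NOT_EXIST"
ERR_PASSWORD_FAILS = "ERR_PASSWORD_FAILS"
ERR_ROLE_FAILS = "ERR_ROLE_FAILS"
ERR_PASSWORD_ROLE_FAIL = "ERR_PASSWORD_ROLE_FAIL"
ERR_AUTHORIZATION_FAIL = "ERR_AUTHORIZATION_FAIL"
IPMI_MAX_USERNAME, IPMI_MAX_PASSWORD = 16, 20  # byte limits from the CREATE_USER spec

CHANNEL_GROUPS = {"ipmi", "webserver", "redfish", "ssh", "sol"}   # item 5a
CAPABILITY_GROUPS = {"user-manager", "media", "power", "sensor"}  # item 5b
SUPER_GROUPS = {  # item 6a; these memberships are hypothetical
    "Admin": CHANNEL_GROUPS | CAPABILITY_GROUPS,
    "Operator": {"ipmi", "redfish", "power", "sensor"},
    "User": {"redfish", "sensor"},
}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    ipmi_enabled: bool = True  # point d: admin toggle, flipped without touching groups
    password_reset_required: bool = False

class UserManager:
    def __init__(self):
        self.users = {"root": User("root", set(SUPER_GROUPS["Admin"]))}  # assumed bootstrap
        self.ipmi_store = {}  # stand-in for pam_ipmi's encrypted file (item 2a)

    def _target(self, caller, name):  # Privilege-required: USER-MANAGER, then lookup
        caller_groups = self.users[caller].groups if caller in self.users else set()
        if "user-manager" not in caller_groups:
            return None, ERR_AUTHORIZATION_FAIL
        user = self.users.get(name)
        return user, (SUCCESS if user else ERR_USERNAME_NOT_EXIST)

    @staticmethod
    def _expand_roles(roles):
        groups = set()  # item 6b: a super-group always carries its sub-groups
        for role in roles:
            if role not in SUPER_GROUPS and role not in CHANNEL_GROUPS | CAPABILITY_GROUPS:
                return None  # unknown role -> ERR_ROLE_FAILS at the caller
            groups |= SUPER_GROUPS.get(role, {role})
        return groups

    def _sync_ipmi_store(self, user, password=None):
        if password is not None:
            user.password_reset_required = False
        if user.ipmi_enabled and "ipmi" in user.groups:  # items 2a, 3 and 4
            if password is not None:
                self.ipmi_store[user.name] = password  # 2a: kept for RMCP+ sessions
            elif user.name not in self.ipmi_store:
                user.password_reset_required = True  # 3: nothing saved, must reset
        elif self.ipmi_store.pop(user.name, None) is not None:
            user.password_reset_required = True  # 4: lost IPMI, force a new password

    def create_user(self, caller, name, password, roles):
        user, status = self._target(caller, name)
        if status == ERR_AUTHORIZATION_FAIL: return status
        if user is not None: return ERR_USERNAME_EXIST
        groups = self._expand_roles(roles)
        if groups is None: return ERR_ROLE_FAILS
        if not password: return ERR_PASSWORD_FAILS
        if "ipmi" in groups and (len(name.encode()) > IPMI_MAX_USERNAME
                                 or len(password) > IPMI_MAX_PASSWORD):
            return ERR_PASSWORD_ROLE_FAIL  # 16-byte name / 20-byte password rule
        user = self.users[name] = User(name, groups)
        self._sync_ipmi_store(user, password)
        return SUCCESS

    def change_role(self, caller, name, roles):
        user, status = self._target(caller, name)
        if status != SUCCESS: return status
        groups = self._expand_roles(roles)
        if groups is None: return ERR_ROLE_FAILS
        if "ipmi" in groups and len(name.encode()) > IPMI_MAX_USERNAME:
            return ERR_PASSWORD_ROLE_FAIL  # "role change to IPMI can't be done"
        user.groups = groups
        self._sync_ipmi_store(user)
        return SUCCESS

    def set_ipmi_enabled(self, caller, name, enabled):  # point d: all else retained
        user, status = self._target(caller, name)
        if status != SUCCESS: return status
        user.ipmi_enabled = enabled
        self._sync_ipmi_store(user)
        return SUCCESS

    def change_password_self(self, name, password):
        user = self.users.get(name)
        if user is None or not password: return ERR_PASSWORD_FAILS
        if user.ipmi_enabled and "ipmi" in user.groups and len(password) > IPMI_MAX_PASSWORD:
            return ERR_PASSWORD_ROLE_FAIL
        self._sync_ipmi_store(user, password)
        return SUCCESS
```

The one security-relevant design choice the model makes visible is that `ipmi_store` only ever holds the password of a user who is both in the `ipmi` group and not administratively disabled; any transition out of that state drops the recoverable copy and forces a password change, which is exactly items 3 and 4 of the overview. Point d) is served by `set_ipmi_enabled()` leaving `groups` untouched, so re-enabling restores the same roles and only the IPMI password has to be re-entered.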