Disable Local Users Proposal
Matt Spinler
mspinler at linux.vnet.ibm.com
Sat Aug 11 07:27:11 AEST 2018
Hi,

We have a requirement to disable all local accounts on the BMC, including root, so the only logins allowed would be via LDAP authenticated accounts.

It was recommended that I do this by removing the pam_unix module from /etc/pam.d/common-auth and/or common-account (I think?), and also remove ~/.ssh/authorized_keys if present.

I see that the upcoming user manager code in https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/10112/ doesn't deal with system accounts, which we also need to disable, so my proposal is to add an 'AllLocalAccountsDisabled' property to xyz.openbmc_projects.Users.Manager to do the disable/reenable by modifying the PAM files.

I'm thinking this would be independent of the UserEnabled property in the Users.Attributes interface, though I could also do the UserEnabled(false) on all existing users and disallow anyone from setting to true.

There seems to be a bug in the REST server right now that still allows REST access with a root login with root disabled, so that would need to be fixed, but eventually one could still use LDAP authenticated users to make REST calls.

This would not affect IPMI.

Comments/ideas welcome

Matt