Disable Local Users Proposal
Matt Spinler
mspinler at linux.vnet.ibm.com
Wed Aug 15 01:26:38 AEST 2018
On 2018-08-13 03:21, Ratan Gupta wrote:
> Hi Matt,
>
> Please find my comments inline
>
> Ratan
>
>
>
> On Saturday 11 August 2018 02:57 AM, Matt Spinler wrote:
>> Hi,
>>
>> We have a requirement to disable all local accounts on the BMC,
>> including root, so the only logins allowed would be via LDAP
>> authenticated
>> accounts.
>>
>> It was recommended that I do this by removing the pam_unix module from
>> /etc/pam.d/common-auth and/or common-account (I think?), and also
>> remove
>> ~/.ssh/authorized_keys if present.
> Removing the authorized_keys means that if somebody has uploaded their
> keys to enable passwordless login,
> by doing so we are removing that possibility. Is that correct, or is
> there some other intent?
It would disable them when the property is set, but then I guess other
users could add them again. Not sure what else I could do here.
>>
>> I see that the upcoming user manager code in
>> https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/10112/
>> doesn't deal with system accounts, which we also need to disable, so
>> my proposal
>> is to add an 'AllLocalAccountsDisabled' property to
>> xyz.openbmc_projects.Users.Manager
>> to do the disable/reenable by modifying the PAM files.
>>
>> I'm thinking this would be independent of the UserEnabled property in
>> the
>> Users.Attributes interface, though I could also do the
>> UserEnabled(false)
>> on all existing users and disallow anyone from setting to true.
> I agree with you on introducing another property,
> "AllLocalAccountsDisabled", but we should
> be consistent so that each individual user also shows its
> status as disabled.
> It should not be that if the admin enumerates the users namespace,
> the manager
> interface shows that AllLocalAccountsDisabled is true but each
> individual user property shows
> UserEnabled as true.
Yeah, good point. Will make them agree.
I put up the D-Bus interface at
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/11934/
>>
>> There seems to be a bug in the REST server right now that still allows
>> REST
>> access with a root login with root disabled, so that would need to be
>> fixed,
>> but eventually one could still use LDAP authenticated users to make
>> REST calls.
>>
>> This would not affect IPMI.
>>
>> Comments/ideas welcome
>>
>> Matt
>>
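The PAM side of the proposal above (taking pam_unix out of common-auth / common-account so only directory-authenticated users can log in), as an added example that is not part of this thread or of phosphor-user-manager. The PAM stack text and the `#AllLocalAccountsDisabled#` marker are constructed for illustration; the guard refuses to disable pam_unix when no pam_ldap/pam_sss rule would remain, since that stack would lock out every user, LDAP ones included.

```python
import re

# Constructed sample PAM stack in the style of /etc/pam.d/common-auth; not the BMC's real file.
SAMPLE_COMMON_AUTH = """\
# Constructed sample: authentication settings shared by login, sshd, ...
auth    sufficient  pam_unix.so nullok
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so
"""

# Hypothetical marker so the disable step is reversible and recognisable in diffs.
MARK = "#AllLocalAccountsDisabled# "

# Modules that authenticate against a directory; pam_unix is the local one.
REMOTE_MODULES = ("pam_ldap.so", "pam_sss.so")


def _active_modules(pam_text: str) -> list:
    """Return the module names on non-comment rules, in stack order."""
    mods = []
    for line in pam_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            m = re.search(r"\b(pam_\w+\.so)\b", s)
            if m:
                mods.append(m.group(1))
    return mods


def set_local_accounts_disabled(pam_text: str, disabled: bool) -> str:
    """Comment out (disabled=True) or restore (disabled=False) every pam_unix.so rule.

    Raises ValueError instead of disabling pam_unix when no directory module
    would stay active, because nobody could authenticate through that stack.
    """
    if disabled and not any(m in REMOTE_MODULES for m in _active_modules(pam_text)):
        raise ValueError("no LDAP/SSSD rule active; refusing to lock out all users")
    out = []
    for line in pam_text.splitlines(keepends=True):
        if disabled and "pam_unix.so" in line and not line.lstrip().startswith("#"):
            line = MARK + line
        elif not disabled and line.startswith(MARK):
            line = line[len(MARK):]
        out.append(line)
    return "".join(out)


def local_login_possible(pam_text: str) -> bool:
    """True while pam_unix.so is still an active rule in the stack."""
    return "pam_unix.so" in _active_modules(pam_text)
```

The same function applies unchanged to a common-account stack, which is why the module list rather than the file name drives the check.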