Disable Local Users Proposal
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Wed Aug 15 03:48:46 AEST 2018
Hi Matt,
I am not sure, whether you want to permanently disable local accounts or
only make it in a configurable way ?
In order to disable the root user login, have you tried password expiry
logic (D-bus interface API provides option to disable the user, which
relies on this), which can be set in the /etc/shadow file during
compilation itself. Won't this fix your problem instead of removing the
pam modules ? In case if your requirement is to disable it permanently
to avoid user creation etc, then user D-Bus interfaces should not be
implemented(i.e it should never be exposed). (Also what about serial
port login ? by default it will land up in shell or will be disabled
for local accounts here too ?).
Related to the D-Bus interfaces to disable the local accounts (under
review), i am not sure, how it is going to be different than disabling
each user ? Because even this property can be set to TRUE and then users
can be created / configured right ?
Regards,
Richard
On 8/14/2018 8:56 PM, Matt Spinler wrote:
> On 2018-08-13 03:21, Ratan Gupta wrote:
>> Hi Matt,
>>
>> Please find my comments inline
>>
>> Ratan
>>
>>
>>
>> On Saturday 11 August 2018 02:57 AM, Matt Spinler wrote:
>>> Hi,
>>>
>>> We have a requirement to disable all local accounts on the BMC,
>>> including root, so the only logins allowed would be via LDAP
>>> authenticated
>>> accounts.
>>>
>>> It was recommended that I do this by removing the pam_unix module from
>>> /etc/pam.d/common-auth and/or common-account(I think?), and also remove
>>> ~/.ssh/authorized_keys if present.
>> By removing the authorized_keys means if somebody have uploaded their
>> keys to enable the password
>> less login.
>> so by doing so we are removing that possibility.Is it correct or is
>> there some other intent?
>
> It would disable them when the property is set, but then I guess other
> users could add them again. Not sure what else I could do here.
>
>>>
>>> I see that the upcoming user manager code in
>>> https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/10112/
>>> doesn't deal with system accounts, which we also need to disable, so
>>> my proposal
>>> is to add an 'AllLocalAccountsDisabled' property to
>>> xyz.openbmc_projects.Users.Manager
>>> to do the disable/reenable by modifying the PAM files.
>>>
>>> I'm thinking this would be independent of the UserEnabled property
>>> in the
>>> Users.Attributes interface, though I could also do the
>>> UserEnabled(false)
>>> on all existing users and disallow anyone from setting to true.
>> I agree with you on introducing other property
>> "AllLocalAccountsDisabled" but we should
>> be consistent that each individual user status should also show its
>> status as disabled.
>> it should not be that if admin does enumerate on the users namespace
>> then manager
>> interface shows that AllLocalAccountsDisabled is true but each
>> individual user property show the
>> userEnabled as true.
>
>
> Yea, good point. Will make them agree.
>
> I put up the D-Bus interface at
> https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/11934/
>
>
>
>>>
>>> There seems to be a bug in the REST server right now that still
>>> allows REST
>>> access with a root login with root disabled, so that would need to
>>> be fixed,
>>> but eventually one could still use LDAP authenticated users to make
>>> REST calls.
>>>
>>> This would not affect IPMI.
>>>
>>> Comments/ideas welcome
>>>
>>> Matt
>>>
>
More information about the openbmc
mailing list