BMCWeb changes for expired password design
Joseph Reynolds
jrey at linux.ibm.com
Wed Aug 14 06:09:42 AEST 2019
Ed,
Please review the "expired password" design:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
Implementing this requires a few BMCWeb changes:
- For the `/login` URI: when a correct but expired password is given,
indicate the password was expired via HTTP response body:
"Unauthorized. Password expired. Use Redfish APIs to change the
password.", and do not create a session.
- For Basic Auth (https://user:password@host): when a correct but
expired password is given, give HTTP response code 403 or similar.
- For Redfish sessions: when a correct password is given, create the
session as usual, but set the PasswordChangeRequired field (based on
PAM_NEW_AUTHTOK_REQD).
- Limit access from sessions which have PasswordChangeRequired=True as
follows:
+ The session can only be used to GET its own account and session
information, PATCH its own account's password, and log out.
+ Successfully changing the password terminates the session. That
is, the session does not change from PasswordChangeRequired=True to
PasswordChangeRequired=False.
+ Other uses get HTTP response code 403 (or similar).
- The existing password changing mechanism would be used, with the
additional behavior that when ((PasswordChangeRequired=True) and (the
password was successfully changed)), the session will terminate.
These changes are based on the design and the Redfish
PasswordChangeRequired handling specifications (referenced by the
design). Would you take a BMCWeb patch to implement this?
- Joseph
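As an added example (not BMCWeb's own code) of the restricted-session rules described above: a request check for sessions with PasswordChangeRequired=True, plus the session teardown after a successful password change. The Session struct, the Redfish URI layout, and the pre-parsed list of PATCH property names are assumptions.

```cpp
#include <map>
#include <string>
#include <vector>

// Hypothetical session model; passwordChangeRequired mirrors PAM_NEW_AUTHTOK_REQD.
struct Session
{
    std::string id;               // session id, assumed to end the session URI
    std::string username;         // account the session authenticated as
    bool passwordChangeRequired;  // Redfish PasswordChangeRequired
};

// Returns 0 when the request may proceed, otherwise the HTTP status to send.
// patchProps holds the property names found in a PATCH body (assumed pre-parsed).
int checkRestrictedSession(const Session& s, const std::string& method,
                           const std::string& target,
                           const std::vector<std::string>& patchProps = {})
{
    if (!s.passwordChangeRequired)
        return 0; // ordinary session: no extra restriction
    const std::string ownAccount =
        "/redfish/v1/AccountService/Accounts/" + s.username;
    const std::string ownSession =
        "/redfish/v1/SessionService/Sessions/" + s.id;
    // Allowed: GET own account or session information.
    if (method == "GET" && (target == ownAccount || target == ownSession))
        return 0;
    // Allowed: PATCH own account, but only the Password property.
    if (method == "PATCH" && target == ownAccount && !patchProps.empty())
    {
        for (const auto& p : patchProps)
            if (p != "Password")
                return 403;
        return 0;
    }
    // Allowed: log out by deleting own session.
    if (method == "DELETE" && target == ownSession)
        return 0;
    return 403; // every other use of a restricted session is forbidden
}

// A successful password change terminates a restricted session rather than
// clearing PasswordChangeRequired. Returns true if the session was removed.
bool onPasswordChanged(std::map<std::string, Session>& sessions,
                       const std::string& sessionId)
{
    auto it = sessions.find(sessionId);
    if (it == sessions.end() || !it->second.passwordChangeRequired)
        return false; // unrestricted sessions stay valid after the change
    sessions.erase(it);
    return true;
}
```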