BMCWeb changes for expired password design

Joseph Reynolds jrey at linux.ibm.com
Wed Aug 14 06:09:42 AEST 2019


Ed,

Please review the "expired password" design: 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849

Implementing this requires a few BMCWeb changes:
- For the `/login` URI: when a correct but expired password is given, 
indicate the password was expired via HTTP response body: 
"Unauthorized.  Password expired.  Use Redfish APIs to change the 
password.", and do not create a session.
- For Basic Auth (https://user:password@host): when a correct but 
expired password is given, give HTTP response code 403 or similar.
- For Redfish sessions: when a correct password is given, create the 
session as usual, but set the PasswordChangeRequired field (based on 
PAM_NEW_AUTHTOK_REQD).
- Limit access from sessions which have PasswordChangeRequired=True as 
follows:
     + The session can only be used to GET its own account and session 
information, PATCH its own account's password, and log out.
     + Successfully changing the password terminates the session. That 
is, the session does not change from PasswordChangeRequired=True to 
PasswordChangeRequired=False.
     + Other uses get HTTP response code 403 (or similar).
- The existing password changing mechanism would be used, with the 
additional behavior that when ((PasswordChangeRequired=True) and (the 
password was successfully changed)), the session will terminate.

These changes are based on the design and the Redfish 
PasswordChangeRequired handling specifications (referenced by the 
design).  Would you take a BMCWeb patch to implement this?

- Joseph



More information about the openbmc mailing list