Initial expired passwords - low level designs
Joseph Reynolds
jrey at linux.ibm.com
Tue Aug 20 03:02:37 AEST 2019
This is an attempt to over-communicate progress on the [Initial expired
passwords design][], currently in review. This email has the
significant and tricky work items needed to implement the design.
Emails about the BMCWeb pieces that need to be changed are [here][]; in
contrast, this email attempts to decompose the overall design.

[Initial expired passwords design]:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
[here]: https://lists.ozlabs.org/pipermail/openbmc/2019-August/017625.html
The "initial expired passwords design" includes the following work. An
understanding of that design is a prerequisite to understanding the items
here.

1. Implement the new EXPIRED_PASSWORD image feature (initially off).
This ensures the password is expired for all local users. The right
place to do this piece is in Yocto/OpenEmbedded; see
https://lists.yoctoproject.org/pipermail/yocto-security/2019-July/000114.html

2. Enhance BMCWeb to handle Redfish PasswordChangeRequired (reference:
https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.7.0.pdf
("Redfish Specification" version 1.7.0 or later) section 13.2.6.1).
This further breaks down into:

2a. Add the PasswordChangeRequired field to
/redfish/v1/SessionManager/Sessions/<session>. This new field comes
from PAM_NEW_AUTHTOK_REQD.

2b. Add the PasswordChangeRequired field to
/redfish/v1/AccountManager/Accounts/<account>. Does this require D-Bus
changes?

2c. Tweak the authority model to handle privilege ConfigureSelf, which
applies only to *your* Session or Account and is intended to encompass
all the privileges needed to change your own expired password. I am
pursuing this question in private Redfish forums (issue 1986).

2d. Tweak the authority for the
/redfish/v1/AccountManager/Accounts/<account> "Password" property as a
Redfish "property override". The Password property needs to have a
different authority than the other ManagerAccount properties in that
same account.

3. Enhance phosphor-webui to handle the expired password dialog at
login. This will use the enhanced Redfish APIs. See
https://github.com/ibm-openbmc/dev/issues/1048

4. Enhance Dropbear SSH so a user can change their expired password.
See
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2016q2/001895.html
This piece is optional, but I would like this to be available. The
alternative is to use the OpenSSH server instead of Dropbear. The right
place to do this piece is in Dropbear.
- Joseph
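The following is an added example, not BMCWeb or OpenBMC code, that models items 2a, 2c and 2d of the decomposition above: mapping a PAM result onto a session's PasswordChangeRequired flag, limiting ConfigureSelf to the caller's own account, and giving the Password property its own authority override. The names Session, session_from_pam and authorize_account_patch are assumptions for illustration, as is the rule that a session with PasswordChangeRequired set may do nothing but change its own password.

```python
from dataclasses import dataclass

PAM_SUCCESS = 0
PAM_NEW_AUTHTOK_REQD = 12   # Linux-PAM: credentials valid, password expired


@dataclass
class Session:
    user: str
    privileges: frozenset
    password_change_required: bool = False


def session_from_pam(user, pam_rc, privileges):
    """Item 2a: build a Redfish Session from a PAM authentication result.

    PAM_NEW_AUTHTOK_REQD still yields a session, but with
    PasswordChangeRequired set. Any other failure yields no session.
    """
    if pam_rc == PAM_SUCCESS:
        return Session(user, frozenset(privileges))
    if pam_rc == PAM_NEW_AUTHTOK_REQD:
        return Session(user, frozenset(privileges), password_change_required=True)
    return None


# Item 2d: Password gets a property-level override; the rest of the
# ManagerAccount resource keeps the resource-level requirement.
ACCOUNT_PATCH_PRIVILEGES = {"ConfigureUsers"}
PASSWORD_PATCH_PRIVILEGES = {"ConfigureUsers", "ConfigureSelf"}


def authorize_account_patch(session, target_user, properties):
    """Return (allowed, reason) for PATCH Accounts/<target_user> with `properties`.

    Item 2c: ConfigureSelf only counts when the target is the caller's own
    account. Assumption: while PasswordChangeRequired is set, the only
    request honoured is a change of the caller's own Password.
    """
    own_account = session.user == target_user
    effective = set(session.privileges)
    if not own_account:
        effective.discard("ConfigureSelf")   # never applies to someone else
    if session.password_change_required and (
            not own_account or set(properties) != {"Password"}):
        return False, "403: expired password; only your own Password may be changed"
    for prop in properties:
        need = PASSWORD_PATCH_PRIVILEGES if prop == "Password" else ACCOUNT_PATCH_PRIVILEGES
        if not need & effective:
            return False, f"403: {prop} requires one of {sorted(need)}"
    return True, "ok"
```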