[yocto-security] Design for initial expired default password

Joseph Reynolds jrey at linux.ibm.com
Sat Aug 24 08:00:17 AEST 2019 

On 7/25/19 3:43 AM, Richard Purdie wrote:
> On Wed, 2019-07-24 at 18:06 -0500, Joseph Reynolds wrote:
>> I pushed an OpenBMC design to [Gerrit review][] for the OpenBMC
>> project
>> for a new distro or image feature (disabled by default) which causes
>> the
>> initial password to be disabled by default, so the password has to
>> be
>> changed before using the BMC.
>>
>> This design is intended to make it easier to comply with the new CA
>> law
>> [SB-327][] which becomes effective on 2020-01-01 (in 5 months).
>>
>> - Joseph
>>
>> [Gerrit review]:
>> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
>> [SB-327]:
>> https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
> I'm fine with adding a mechanism like this. I'd suggest it should be an
> image feature rather than a distro feature as you'll only realistically
> know the users, image usage and so on in the image recipe itself
> (locking up an initramfs would be bad).

Thanks.  I am proceeding with my design.  I need help with the direction 
for the EXPIRED_PASSWORD image feature implementation.

Should the password be expired when the user is added?  Like this code 
in useradd_base.bblcass:
```
eval flock -x $rootdir${sysconfdir} -c  \"$PSEUDO passwd --expire 
$username\" || true
password_change_date=`grep "^$username:" <$rootdir/etc/shadow | cut -d: -f3`
if test 0 != $password_change_date; then
     bbfatal "${PN}: passwd --expire $username failed."
fi
```

Or should the passwords be expired as a post-processing step?  Where 
would this code go?  Get list of users who have passwords, and expire 
each of them:
```
usernames=`grep '^[^\:]*:[^\:\*\!]' <$rootdir/etc/shadow | cut -d: -f1`
for username in $usernames; do
     eval flock -x $rootdir${sysconfdir} -c  \"$PSEUDO passwd --expire 
$username\" || true
     password_change_date=`grep "^$username:" <$rootdir/etc/shadow | cut 
-d: -f3`
     if test "x0" != "x$password_change_date"; then
         bbfatal "${PN}: passwd --expire $username failed."
     fi
done
```

I am not knowledgeable about how /etc/passwd and /etc/shadow are 
populated and would appreciate some guidance how which approach you 
think is best.

- Joseph

> Cheers,
>
> Richard
>

More information about the openbmc mailing list