[yocto-security] Design for initial expired default password
Joseph Reynolds
jrey at linux.ibm.com
Sat Aug 24 08:00:17 AEST 2019
On 7/25/19 3:43 AM, Richard Purdie wrote:
> On Wed, 2019-07-24 at 18:06 -0500, Joseph Reynolds wrote:
>> I pushed an OpenBMC design to [Gerrit review][] for the OpenBMC project
>> for a new distro or image feature (disabled by default) which causes the
>> initial password to be disabled by default, so the password has to be
>> changed before using the BMC.
>>
>> This design is intended to make it easier to comply with the new CA law
>> [SB-327][] which becomes effective on 2020-01-01 (in 5 months).
>>
>> - Joseph
>>
>> [Gerrit review]: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
>> [SB-327]: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
> I'm fine with adding a mechanism like this. I'd suggest it should be an
> image feature rather than a distro feature as you'll only realistically
> know the users, image usage and so on in the image recipe itself
> (locking up an initramfs would be bad).
Thanks. I am proceeding with my design. I need help with the direction
for the EXPIRED_PASSWORD image feature implementation.
Should the password be expired when the user is added? Like this code
in useradd_base.bbclass:
```
# Expire the password under pseudo, then verify by reading field 3 (last change
# date) of the user's /etc/shadow entry: passwd --expire sets it to 0.
eval flock -x $rootdir${sysconfdir} -c \"$PSEUDO passwd --expire $username\" || true
password_change_date=`grep "^$username:" <$rootdir/etc/shadow | cut -d: -f3`
# Quote both sides so the test does not break if the field is empty.
if test "x0" != "x$password_change_date"; then
    bbfatal "${PN}: passwd --expire $username failed."
fi
```
Or should the passwords be expired as a post-processing step? Where
would this code go? Get list of users who have passwords, and expire
each of them:
```
# Users whose shadow password field is a real hash (not empty, '*' or '!').
usernames=`grep '^[^\:]*:[^\:\*\!]' <$rootdir/etc/shadow | cut -d: -f1`
for username in $usernames; do
    eval flock -x $rootdir${sysconfdir} -c \"$PSEUDO passwd --expire $username\" || true
    password_change_date=`grep "^$username:" <$rootdir/etc/shadow | cut -d: -f3`
    if test "x0" != "x$password_change_date"; then
        bbfatal "${PN}: passwd --expire $username failed."
    fi
done
```
I am not knowledgeable about how /etc/passwd and /etc/shadow are
populated and would appreciate some guidance on which approach you
think is best.
- Joseph
> Cheers,
>
> Richard
>
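The post-processing approach above, worked through as an added example that is not part of the mailing-list thread or of useradd_base.bbclass. It operates on a constructed shadow-format file rather than the real /etc/shadow, and replaces the `flock`/`passwd --expire` call with an `awk` rewrite of field 3, so it runs unprivileged and without pseudo; the user selection and the "field 3 must be 0" verification are the same as in the snippet in the post. The sample accounts (root, operator, sync, nobody, locked, guest) and the date values are made up for the demonstration.

```shell
#!/bin/sh
# Added example: expire every password-bearing account in a shadow-format file
# and verify the result, without root or the passwd binary.

# Constructed sample shadow file. Field 2 is the hash, field 3 the last-change
# date in days since the epoch, which `passwd --expire` sets to 0.
# Covers the edge cases the grep filter must skip: '*' (no password), '!'
# (locked), '!' + hash (locked with a hash) and an empty password field.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$abc$hashedvalue:18000:0:99999:7:::
sync:*:18000:0:99999:7:::
nobody:!:18000:0:99999:7:::
operator:$6$def$otherhash:18100:0:99999:7:::
locked:!$6$ghi$lockedhash:18100:0:99999:7:::
guest::18100:0:99999:7:::
EOF
}

# Accounts whose password field starts with something other than ':', '*' or '!'.
# Same selection as the post's grep, written without the escaped characters.
users_with_passwords() {
    grep '^[^:]*:[^:*!]' "$1" | cut -d: -f1
}

# Stand-in for `passwd --expire`: set field 3 to 0 for one user.
# $1 = shadow file, $2 = username
expire_user() {
    awk -F: -v OFS=: -v u="$2" '$1 == u { $3 = 0 } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Last-change field for a user; this is what the post's check reads back.
last_change() {
    grep "^$2:" "$1" | cut -d: -f3
}

# Expire all password-bearing accounts and verify each one.
# Returns non-zero (where the bbclass would call bbfatal) if any check fails.
expire_all() {
    for u in $(users_with_passwords "$1"); do
        expire_user "$1" "$u" || return 1
        if [ "x0" != "x$(last_change "$1" "$u")" ]; then
            echo "passwd --expire $u failed" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone demo on a temporary copy of the constructed file.
demo_file=$(mktemp)
make_sample_shadow "$demo_file"
echo "accounts with passwords: $(users_with_passwords "$demo_file" | tr '\n' ' ')"
expire_all "$demo_file" && echo "all expired"
rm -f "$demo_file"
```

Two points the example makes visible: the filter leaves `*`, `!`-prefixed and empty password fields alone, so system and already-locked accounts are not touched, and the `"x0" != "x$..."` form of the check is the one to keep, since an empty field (user missing from the file) would otherwise turn the `test` into a syntax error instead of a detected failure.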