Questions about changing default username or password

Joseph Reynolds jrey at
Thu Jul 11 02:01:28 AEST 2019

I believe we share the desire for network access to the BMC to be secure 
by default, specifically to move away from the model where a well-known 
userid has a default password (#1 below).  I understand an [OpenBMC 
Security modes 
document, currently in review, addresses host access to the BMC. 
Although that design addresses a related topic, am I restricting myself 
to the BMC's network operations.

Here are several models -- with my comments:

1. The userid has a default password. -- This is what we have now and it 
is not secure.  Note that merely changing to a different default 
password in your customized firmware image is also not secure because 
that password will become known to attackers

2. Each BMC device has an unique password. -- This may be difficult to 
consume for large scale deployments

3. The userid has a default expired password which does not let you use 
the device until you change the password.

4. The device has an initial setup which challenges you to change the 
password. -- Example:

5. The userid has no password access, and uses only certificate-based 

These models have different security characteristics.  For example, the 
expired password model  (#3 above) and the initial setup model (#4 
above) work by reducing the time window an attacker has, with the 
explicit assumption that the BMC is configured soon after powering it 
on.  The unique password model (#2 above) and the certificate auth (#5 
above) requires a way to generate and set the credentials, and then 
communicate them to the new device owner.

Which model seems best to you?

It may be that we support multiple models.  Whatever happens, I would 
like to eventually move away from supporting the default password model 
(#1 above).

I am exploring the "expired password" model (#3 above) and plan to push 
a design for review.

A challenge to make this work is to tie together BMCWeb, IPMI, and SSH 
access.  For example, it won't help to secure BMCWeb and network IPMI 
but leave a default SSH password.  Also, some installations enable a 
subset of the function (example: disable network IPMI and SSH, leaving 
only BMCWeb), so the function to let you change the password has to be 
on the interfaces which are still enabled (example: BMCWeb).

Please let me know your thoughts.

- Joseph

On 6/2/19 1:25 PM, Thomaiyar, Richard Marian wrote:
> For #1 --> you can inherit extrausers class and override the users 
> accordingly, and the password
> For #2 --> There is no direct way to update /etc/ipmi_pass, but once 
> this image is flashed, login to bmc serial console, then try to 
> execute passwd and update the password to the desired one (during this 
> scenario, the new password is stored back in /etc/ipmi_pass). Now copy 
> this /etc/ipmi_pass from your BMC to your development environment, and 
> override it using bbappend.
> Note: Our ultimate goal is to get rid of the default user name and 
> password from the system (to whichever project it is feasible for 
> security reason -- 
> Let me know if you need any further clarifications
> Regards,
> Richard
> On 5/31/2019 5:56 AM, Simon Zhu(朱英澍) wrote:
>> Hello ,
>>     I want to change default username and password in local.conf.sample.
>>     But caused an invalid username error.
>>     I fixed it in the following way in 
>> /openbmc/openbmc/meta/recipes-extended/shadow/
>>     I moved the patch shadow-relaxed-usernames.patch from 
>> SRC_URI_append_class-target to SRC_URI.
>>     And If I changed the default username or password, I failed to 
>> use IPMI through lanplus interface because of authentication failure.
>>     I need to generate my own ipmi_pass and install it to 
>> /etc/ipmi_pass。
>>     Do these two issues need to be fixed?
>> Best regards,
>> Simon

More information about the openbmc mailing list