Move away from default password
Joseph Reynolds
jrey at linux.ibm.com
Tue Jun 18 02:46:10 AEST 2019
There is some interest in moving OpenBMC away from a default password.
- email:
https://lists.ozlabs.org/pipermail/openbmc/2019-June/016515.html (which
references a RestrictionMode design:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/21195)
Having a default password is a security risk. Note that changing to a
different default password is not a good solution. For example, if a
bad actor learns the default password from one device, that actor will
likely know the password for many of them.
I am exploring two options for OpenBMC, and want your feedback.
1. Unique password per BMC.
In this approach, there is a way to change the factory default password.
Example flow: assemble the BMC, test it, factory reset, generate unique
password (such as `pwgen`), then use a new function “save factory
default settings” which would save the current setting into a new
“factory settings” flash partition. After that, a factory reset
would reset to the factory installed password, not to the setting in the
source code.
Presumably the new factory default would be printed on a sticker, or
something.
Are there any other factory settings (settings unique to each device)
that would benefit from being set like this?
One downside to this approach is someone who orders 100 systems has to
enter 100 unique passwords.
2. Create new account on first access.
Specifically, default OpenBMC to use a new RestrictionMode=SetupAccess
which:
- (A) requires users to set up their credentials (at least: remove the
default password) before they can leave that mode, and
- (B) does not let the user do anything else, including other
provisioning or operating the host, while in this mode.
So we could manufacture the BMC with a default password, but require it
to be changed as the first step to provision the BMC.
We might want to make network services react to this new mode, for
example, the phosphor-webui GUI would likely want to handle this
specially, and most REST APIs would be restricted.
Note this approach gives an attacker a window of time before the
credentials are set up.
I believe both of these approaches represent reasonable security
practices which may satisfy laws regarding consumer products. For
example, CA Law SB-327
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
Are there guidelines we can follow? Can you find additional
vulnerabilities with these approaches? Can we do better than this
without requiring additional infrastructure?
I plan to discuss this at the 2019-06-26 Security working group meeting:
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/
and would be happy to see ideas here.
- Joseph
More information about the openbmc
mailing list