Move away from default password
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Tue Jun 18 04:01:42 AEST 2019
Joseph,
#1 is not yet covered in any docs yet, but
https://github.com/openbmc/docs/blob/master/user_management.md#deployment---out-of-factory
this covers the out of factory deployment.
Regards,
Richard
On 6/17/2019 10:16 PM, Joseph Reynolds wrote:
> There is some interest in moving OpenBMC away from a default password.
> - email:
> https://lists.ozlabs.org/pipermail/openbmc/2019-June/016515.html
> (which references a RestrictionMode design:
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/21195)
>
> Having a default password is a security risk. Note that changing to a
> different default password is not a good solution. For example, if a
> bad actor learns the default password from one device, that actor will
> likely know the password for many of them.
>
> I am exploring two options for OpenBMC, and want your feedback.
>
> 1. Unique password per BMC.
> In this approach, there is a way to change the factory default
> password. Example flow: assemble the BMC, test it, factory reset,
> generate unique password (such as `pwgen`), then use a new function
> “save factory default settings” which would save the current setting
> into a new “factory settings” flash partition. After that, a factory
> reset would reset to the factory installed password, not to the
> setting in the source code.
> Presumably the new factory default would be printed on a sticker, or
> something.
> Are there any other factory settings (settings unique to each device)
> that would benefit from being set like this?
> One downside to this approach is someone who orders 100 systems has to
> enter 100 unique passwords.
>
> 2. Create new account on first access.
> Specifically, default OpenBMC to use a new RestrictionMode=SetupAccess
> which:
> - (A) requires users to set up their credentials (at least: remove
> the default password) before they can leave that mode, and
> - (B) does not let the user do anything else, including other
> provisioning or operating the host, while in this mode.
> So we could manufacture the BMC with a default password, but require
> it to be changed as the first step to provision the BMC.
> We might want to make network services react to this new mode, for
> example, the phosphor-webui GUI would likely want to handle this
> specially, and most REST APIs would be restricted.
> Note this approach gives an attacker a window of time before the
> credentials are set up.
>
> I believe both of these approaches represent reasonable security
> practices which may satisfy laws regarding consumer products. For
> example, CA Law SB-327
> https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
>
> Are there guidelines we can follow? Can you find additional
> vulnerabilities with these approaches? Can we do better than this
> without requiring additional infrastructure?
>
> I plan to discuss this at the 2019-06-26 Security working group
> meeting:
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/
> and would be happy to see ideas here.
>
> - Joseph
>
More information about the openbmc
mailing list