Move away from default password

Joseph Reynolds jrey at linux.ibm.com
Fri Jun 21 02:00:23 AEST 2019


On 2019-06-17 17:58, Stewart Smith wrote:
> Adriana Kobylak <anoo at linux.ibm.com> writes:
>>>> 1. Unique password per BMC.
>>>> In this approach, there is a way to change the factory default
>>>> password.  Example flow: assemble the BMC, test it, factory reset,
>>>> generate unique password (such as `pwgen`), then use a new function
>>>> “save factory default settings” which would save the current
>>>> setting into a new “factory settings” flash partition. After that,
>>>> a factory reset would reset to the factory installed password, not
>>>> to the setting in the source code.
>> 
>> How would this new "factory settings" flash partition be protected
>> against being modified by an unauthorized or malicious user?
> 
> My guess would be it'd be protected the same way that the default
> password is today: not at all. If an attacker can write to flash, the
> only way to reset the box is to dediprog the BMC flash chip.

Access to the flash would be protected from attack by network agents via 
password access to the BMC at two critical points.

In this scenario:
1. The factory assembles and tests the BMC, then changes its password to 
a new value.  The password hash is stored on the flash "factory 
settings" partition.  The BMC is then shipped to its new owner with the 
new password.
At this point, only the owner has password access to the BMC (unless the 
factory keeps a record of the new password).
2. The owner installs the BMC and configures it, including its network.  
For example, change the password, create new accounts, and set up IP.
At this point, only the owner and owner's agents have password access to 
the BMC.

At this point, one of the owner's agents could use ssh to access the 
flash partition.  (But why would they need to?)


