Move away from default password
Joseph Reynolds
jrey at linux.ibm.com
Fri Jun 21 02:00:23 AEST 2019
On 2019-06-17 17:58, Stewart Smith wrote:
> Adriana Kobylak <anoo at linux.ibm.com> writes:
>>>> 1. Unique password per BMC.
>>>> In this approach, there is a way to change the factory default
>>>> password. Example flow: assemble the BMC, test it, factory reset,
>>>> generate unique password (such as `pwgen`), then use a new function
>>>> “save factory default settings” which would save the current
>>>> setting into a new “factory settings” flash partition. After that,
>>>> a factory reset would reset to the factory installed password, not to
>>>> the setting in the source code.
>>
>> How would this new "factory settings" flash partition be protected
>> against being modified by an unauthorized or malicious user?
>
> My guess would be it'd be protected the same way that the default
> password is today: not at all. If an attacker can write to flash, the
> only way to reset the box is to dediprog the BMC flash chip.

Access to the flash would be protected from attack by network agents via
password access to the BMC at two critical points.

In this scenario:

1. The factory assembles and tests the BMC, then changes its password to
a new value. The password hash is stored on the flash "factory
settings" partition. The BMC is then shipped to its new owner with the
new password.

At this point, only the owner has password access to the BMC (unless the
factory keeps a record of the new password).

2. The owner installs the BMC and configures it, including its network.
For example, change the password, create new accounts, and set up IP.

At this point, only the owner and owner's agents have password access to
the BMC.

At this point, one of the owner's agents could use ssh to access the
flash partition. (But why would they need to?)
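
The factory flow discussed in this thread, modelled as a small Python sketch. This is an added example, not part of the original post and not OpenBMC code: the `Bmc` class, its method names, the use of PBKDF2 as the hash, and the placeholder default password are all assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Constructed placeholder for the password compiled into the image (assumption).
SOURCE_DEFAULT = "source-code-default"

def hash_password(password, salt=None):
    """Return (salt, digest); PBKDF2 stands in for the BMC's real hash scheme."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def generate_password(length=16):
    """pwgen-like unique password drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

class Bmc:
    """Hypothetical model: live credential plus a 'factory settings' partition."""
    def __init__(self):
        self.factory_settings = None              # not yet written by the factory
        self.live = hash_password(SOURCE_DEFAULT)

    def change_password(self, new_password):
        self.live = hash_password(new_password)

    def save_factory_defaults(self):
        self.factory_settings = self.live         # only the hash is stored

    def factory_reset(self):
        # Prefer the factory-installed hash; fall back to the source default
        # only when the partition was never provisioned.
        self.live = self.factory_settings or hash_password(SOURCE_DEFAULT)

    def login(self, password):
        salt, digest = self.live
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

def run_flow():
    bmc = Bmc()
    bmc.factory_reset()                           # factory: test, then reset
    unique = generate_password()
    bmc.change_password(unique)
    bmc.save_factory_defaults()
    bmc.change_password("owner-chosen-passphrase")  # owner configures the BMC
    owner_ok = bmc.login("owner-chosen-passphrase")
    bmc.factory_reset()                           # later reset by the owner
    return owner_ok, bmc.login(unique), bmc.login(SOURCE_DEFAULT)
```

`run_flow()` returns whether the owner's password worked before the reset, and whether the factory-unique password and the source-code default work after it.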