BMCWeb changes login password

Joseph Reynolds jrey at linux.ibm.com
Wed Sep 4 12:06:14 AEST 2019


On 8/30/19 2:18 AM, Wang, Kuiying wrote:
>
> Currently only the administrator is allowed to add users, modify users, or change 
> passwords.
>
> The administrator has permission to change other users' passwords or 
> delete them directly.
>
> The administrator does not need to know the old password of other users.
>
> For the administrator changing their own password, the old password is still 
> not needed, because the administrator is already logged in to a session.
>
> So we don't need to add an "input field to enter the old password".
>

I don't think we are talking about the same things here.

1. I agree that the BMC admin user should not have to enter the old 
password when changing a user's password.  => However, we may want to 
force the admin to re-enter their password when accessing a sensitive 
feature such as changing someone's account.  Reference the link below -

https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features


2. The scenario where we may want to ask for the old password is the 
"password change dialog".  This dialog is accessed when the user signs 
into the Web App login page and the web app informs the user that their 
password is expired and must be changed before they can access the BMC. 
The dialog asks for their new password (twice) ... and does it also ask 
for the old password? <== That's the question.


> But there is an open question about supporting multiple administrator users: 
> currently an administrator user can add more administrator-level users.
>
> And any one of the administrators who logs in can modify other 
> administrator users, e.g. change their password or delete them directly.
>
> I think it is *a bit of a security issue*. We have to restrict to a single 
> administrator user, or not allow an administrator to modify other 
> administrator users.
>
According to Redfish spec 
https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.7.0.pdf
section 13.2.9 ("Privilege model/Authorization"), the predefined 
"Administrator" role has the "ConfigureUsers" privilege.  It is my 
understanding that the ConfigureUsers privilege is sufficient 
(reference: section 13.2.6) to create, delete, and manage other user 
accounts.

Given this privilege model, I think you want to be able to trust your 
Admin users, and give less-trusted users the Operator role (section 
13.2.9).  If you were thinking of something more complicated, Redfish 
allows you to define Custom roles and OEM privileges.

- Joseph

> Thanks,
>
> Kwin.
>
> >
> > On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
> > >
> > > I want to discuss with everyone the solution for changing the login
> > > password.
> > >
> > >   In the Web, when the user needs to change the login password, the
> > > current solution is to directly enter the new password twice to change
> > > it successfully, but the old password is not verified. The advantage is
> > > that we can use the new password through this solution if we forget
> > > the old password, but for security reasons I think we should
> > > verify the old password instead of directly entering the new
> > > password before changing the login password.
> > >
> > > If anyone has any ideas or experience, please share, thanks!
> > >
> > Are you referring to the phosphor-webui design mentioned here?:
> > https://github.com/ibm-openbmc/dev/issues/1048
> >
> > OWASP has some recommendations:
> >
> > https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
> >
> > https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session
> Thanks, the password change was mentioned in step 4.
> I think we should add an input field to enter the old password and verify it
> when the form is submitted (phosphor-webui).
> >
> >
> > - Joseph
> >
> >
>
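The rules the thread circles around (an old-password check for a self-service change, ConfigureUsers plus fresh re-authentication for changing someone else's account) can be written down as one authorization function. The Python below is an added example, not code from bmcweb, phosphor-webui or anyone in this thread. It assumes a simplified Redfish role-to-privilege mapping (`ROLE_PRIVILEGES`), a hypothetical 300-second re-authentication window (`REAUTH_WINDOW_SECONDS`), and PBKDF2 for password storage; the `Account`, `Session` and `change_password` names are made up for the example.

```python
"""Model of the password-change policy discussed in the thread (added example)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed simplified subset of the Redfish predefined roles (DSP0266 13.2.9).
# Only Administrator carries ConfigureUsers, which is what lets an account
# create, delete and manage other accounts.
ROLE_PRIVILEGES = {
    "Administrator": {"Login", "ConfigureSelf", "ConfigureUsers",
                      "ConfigureManager", "ConfigureComponents"},
    "Operator": {"Login", "ConfigureSelf", "ConfigureComponents"},
    "ReadOnly": {"Login", "ConfigureSelf"},
}

# Assumed window: how recently the session must have proved its password
# before it may touch another user's account (OWASP re-authentication advice).
REAUTH_WINDOW_SECONDS = 300


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    name: str
    role: str
    salt: bytes
    digest: bytes
    password_expired: bool = False

    def verify(self, password):
        """Constant-time comparison of the candidate password's digest."""
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def set_password(self, password):
        self.salt, self.digest = hash_password(password)
        self.password_expired = False


@dataclass
class Session:
    user: Account
    last_auth_time: float  # when this session last proved the user's password

    def is_fresh(self, now=None):
        now = time.time() if now is None else now
        return now - self.last_auth_time <= REAUTH_WINDOW_SECONDS


class PolicyError(Exception):
    pass


def change_password(session, target, new_password, old_password=None, now=None):
    """Apply the thread's policy; returns True on success, raises PolicyError otherwise."""
    actor = session.user
    privileges = ROLE_PRIVILEGES[actor.role]
    if target is actor:
        # Self-service change (the expired-password dialog): require the old
        # password so a stolen session cookie alone cannot take over the account.
        if old_password is None or not actor.verify(old_password):
            raise PolicyError("old password is required and must match")
    else:
        # Managing another account: ConfigureUsers is needed, the old password
        # is not, but the session must have re-authenticated recently.
        if "ConfigureUsers" not in privileges:
            raise PolicyError("ConfigureUsers privilege required")
        if not session.is_fresh(now):
            raise PolicyError("re-authentication required for this operation")
    target.set_password(new_password)
    return True
```

An Operator changing their own expired password must supply the old one; an Administrator resetting that Operator's password needs no old password but is refused once the session's last password proof is older than the window, which is the "force the admin to re-enter their password" behaviour from point 1.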