Expired password + disabled power button design

Joseph Reynolds jrey at linux.ibm.com
Fri Sep 6 06:19:36 AEST 2019


I am working to reduce the time window when the BMC offers a default 
password to its network users.  See the [expired password design][].  
The idea is to force users to change the BMC's password as soon as possible.

[expired password design]: 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849

Note: This design seeks to reduce the time window when the BMC is on the 
network with a default password, not to completely remove this 
vulnerability.  The time window begins when the system is plugged into 
power, and ends when the BMC's password is changed.

When complete, I believe this will offer significant protection for the 
BMC and can be used to help comply with laws such as CA Law [SB-327][], 
specifically section 1798.91.04 (b) (2) which states "The device 
contains a security feature that requires a user to generate a new means 
of authentication before access is granted to the device for the first 
time."  Where "the device" is the BMC, and "access" means access past 
the BMC's authentication mechanism to a session which can operate the 
BMC's controls.  The section cited above seems to accept the time window 
as a reasonable security exposure and to use the term "access" as I have 
done.

[SB-327]: 
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327

HOWEVER, there is a hole in this design which extends the time window 
indefinitely.  The scenario begins when the installer takes possession 
of a new system (BMC + host) and plugs it into power.  At this point, 
the BMC starts running and offering its services to network users.  The 
host remains powered off.  The installer then disregards the BMC and 
uses the power button to boot the host system, then continues to 
disregard the BMC when provisioning the host, either using physical 
access to the host (not via the BMC), or a pre-configured host.  This 
results in a fully-functional host and a BMC which still has its default 
password.

THEREFORE, I am proposing a new "disabled power button" image feature.  
Normally, pressing the power button tells the BMC to power on and boot 
the host.  With this design, if the BMC still has its default expired 
password, it will ignore a power button press, and will instead indicate 
to the operator to configure the BMC's password, and try again.  Options 
for the BMC to indicate this are machine-specific and include: messages 
to an operator panel, or LED blink codes.  The recovery procedure is for 
the installer to access the BMC, change its password, and try again to 
power on the server.

The implementation might possibly be in the [state manager][] so it can 
perform this check if the server is powered on for any reason. The test 
if the BMC still has its default expired password could be performed by 
invoking Linux PAM APIs, effectively trying to authenticate using the 
default credentials, and checking if the credentials are valid and 
expired.  An alternate approach could instead check if the BMC is in 
provisioning mode.

[state manager]: https://github.com/openbmc/phosphor-state-manager

Note: The "disabled power button" design feature would be off by default.  
Platforms wanting to use it would have to enable the image feature.

- Joseph
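As an added illustration (not code from this post, from phosphor-state-manager, or from any OpenBMC repository), the script below performs the PAM probe the post describes: it drives Linux-PAM through ctypes, the way the python-pam package does, authenticates with the default credential, then calls pam_acct_mgmt and treats PAM_NEW_AUTHTOK_REQD as "default password still set, but expired". The default account name, the placeholder password, the PAM service name and the fail-closed policy for errors are assumptions; the post names none of them. phosphor-state-manager is C++, so a real implementation would call the same libpam functions (pam_start, pam_authenticate, pam_acct_mgmt, pam_end) directly.

```python
"""Probe whether a BMC still accepts its default credential and whether it is
expired, by calling Linux-PAM through ctypes.  Added example, not OpenBMC code."""
from ctypes import (CDLL, CFUNCTYPE, POINTER, Structure, byref, c_char_p,
                    c_int, c_size_t, c_void_p, cast, sizeof)
from ctypes.util import find_library
from enum import Enum

# Linux-PAM constants from <security/pam_appl.h>.
PAM_SUCCESS, PAM_BUF_ERR, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 5, 7, 10
PAM_NEW_AUTHTOK_REQD = 12   # authenticated, but the password must be changed
PAM_PROMPT_ECHO_OFF = 1     # the "Password:" prompt style
PAM_SILENT = 0x8000

# Assumed placeholders: the post names none of these.
DEFAULT_USER, DEFAULT_PASSWORD = "root", "changeme"
PAM_SERVICE = "openbmc-power-button"

class Credential(Enum):
    REJECTED = "rejected"         # default password no longer accepted
    DEFAULT_EXPIRED = "expired"   # accepted, but flagged for forced change
    DEFAULT_VALID = "valid"       # accepted and not even expired
    UNKNOWN = "unknown"           # libpam missing or a PAM system error

class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]

class PamResponse(Structure):
    # resp is void* so it can hold a C-allocated string that PAM will free().
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]

CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)

class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]

def classify_pam_result(auth_rc, acct_rc):
    """Map pam_authenticate/pam_acct_mgmt codes to a state (acct_rc None if unreached)."""
    if auth_rc == PAM_SUCCESS:
        if acct_rc == PAM_NEW_AUTHTOK_REQD:
            return Credential.DEFAULT_EXPIRED
        if acct_rc == PAM_SUCCESS:
            return Credential.DEFAULT_VALID
        return Credential.UNKNOWN
    if auth_rc in (PAM_AUTH_ERR, PAM_USER_UNKNOWN):
        return Credential.REJECTED       # password changed or account removed
    return Credential.UNKNOWN

def allow_power_on(state, fail_closed=True):
    """The post's rule: ignore the button while the default credential is accepted."""
    if state is Credential.REJECTED:
        return True
    if state is Credential.UNKNOWN:
        return not fail_closed
    return False

def probe_default_credential(user=DEFAULT_USER, password=DEFAULT_PASSWORD,
                             service=PAM_SERVICE):
    """Run the PAM auth and account stacks with the default credential."""
    libname = find_library("pam")
    if libname is None:
        return Credential.UNKNOWN
    libpam, libc = CDLL(libname), CDLL(None)   # CDLL(None): process symbols
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv),
                                 POINTER(c_void_p)]
    for fn in (libpam.pam_authenticate, libpam.pam_acct_mgmt, libpam.pam_end):
        fn.argtypes = [c_void_p, c_int]
    libc.calloc.argtypes, libc.calloc.restype = [c_size_t, c_size_t], c_void_p
    libc.strdup.argtypes, libc.strdup.restype = [c_char_p], c_void_p

    def conversation(n_msgs, messages, p_response, _appdata):
        # PAM free()s the response array and each string, so both must come
        # from the C allocator, never from Python-owned memory.
        arr = libc.calloc(n_msgs, sizeof(PamResponse))
        if not arr:
            return PAM_BUF_ERR
        p_response[0] = cast(arr, POINTER(PamResponse))
        for i in range(n_msgs):
            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                p_response[0][i].resp = libc.strdup(password.encode())
        return PAM_SUCCESS

    conv_cb = CONV_FUNC(conversation)   # keep alive: PAM stores a raw pointer
    conv, handle = PamConv(conv_cb, None), c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(), byref(conv),
                          byref(handle))
    if rc != PAM_SUCCESS:
        return Credential.UNKNOWN
    try:
        auth_rc = libpam.pam_authenticate(handle, PAM_SILENT)
        acct_rc = (libpam.pam_acct_mgmt(handle, PAM_SILENT)
                   if auth_rc == PAM_SUCCESS else None)
    finally:
        libpam.pam_end(handle, rc)
    return classify_pam_result(auth_rc, acct_rc)

if __name__ == "__main__":
    s = probe_default_credential()
    print(f"default credential {s.value}; power button honoured: {allow_power_on(s)}")
```

Two caveats a practitioner would want before wiring this to a button press. First, the probe is a real login attempt: a PAM stack that counts failures (pam_tally2 or pam_faillock) will count it, and a default account that is currently locked out reports REJECTED although its password was never changed, so the power-on is wrongly allowed; the post's alternative of checking a provisioning-mode flag does not have this problem. Second, the DEFAULT_VALID result (default password accepted and not expired) means the expiry was never applied; the policy above blocks power-on in that case too, since the credential is the issue, not its expiry flag. The fail_closed default leaves the button dead on an unexplained PAM error, which is the conservative choice for a platform that opted into this feature.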


