Expired password + disabled power button design
Joseph Reynolds
jrey at linux.ibm.com
Fri Sep 6 06:19:36 AEST 2019
I am working to reduce the time window when the BMC offers a default
password to its network users. See the [expired password design][].
The idea is to force users to change the BMC's password as soon as possible.
[expired password design]:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
Note: This design seeks to reduce the time window when the BMC is on the
network with a default password, not to completely remove this
vulnerability. The time window begins when the system is plugged into
power, and ends when the BMC's password is changed.
When complete, I believe this will offer significant protection for the
BMC and can be used to help comply with laws such as CA Law [SB-327][],
specifically section 1798.91.04 (b) (2) which states "The device
contains a security feature that requires a user to generate a new means
of authentication before access is granted to the device for the first
time." Where "the device" is the BMC, and "access" means access past
the BMC's authentication mechanism to a session which can operate the
BMC's controls. The section cited above seems to accept the time window
as a reasonable security exposure and to use the term "access" as I have
done.
[SB-327]:
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
HOWEVER, there is a hole in this design which extends the time window
indefinitely. The scenario begins when the installer takes possession
of a new system (BMC + host) and plugs it into power. At this point,
the BMC starts running and offering its services to network users. The
host remains powered off. The installer then disregards the BMC and
uses the power button to boot the host system, then continues to
disregard the BMC when provisioning the host, either using physical
access to the host (not via the BMC), or a pre-configured host. This
results in a fully-functional host and a BMC which still has its default
password.
THEREFORE, I am proposing a new "disabled power button" image feature.
Normally, pressing the power button tells the BMC to power on and boot
the host. With this design, if the BMC still has its default expired
password, it will ignore a power button press, and will instead indicate
to the operator to configure the BMC's password, and try again. Options
for the BMC to indicate this are machine-specific and include: messages
to an operator panel, or LED blink codes. The recovery procedure is for
the installer to access the BMC, change its password, and try again to
power on the server.
The implementation might possibly be in the [state manager][] so it can
perform this check if the server is powered on for any reason. The test
if the BMC still has its default expired password could be performed by
invoking Linux PAM APIs, effectively trying to authenticate using the
default credentials, and checking if the credentials are valid and
expired. An alternate approach could instead check if the BMC is in
provisioning mode.
[state manager]: https://github.com/openbmc/phosphor-state-manager
Note: The "disabled power button" design feature would be off by default.
Platforms wanting to use it would have to enable the image feature.
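The check described above (try the default credentials, see whether they are valid and expired, and refuse the power-on if so) sketched as a runnable model. This is an added example, not code from the OpenBMC project or from the proposal; the real implementation would call PAM from the state manager, whereas this stand-in parses constructed /etc/shadow-style lines in-process so it runs offline. The function names, the "salt$digest" hash layout, the default credentials and the operator message are all assumptions.

```python
"""Model of the proposed "disabled power button" gate (added example).

A real BMC would run the default credentials through PAM
(pam_authenticate + pam_acct_mgmt, watching for PAM_NEW_AUTHTOK_REQD).
Here that check is modelled on /etc/shadow-style entries, where a
lastchg field of 0 is how `passwd -e` marks a password that must be
changed at next login.
"""
import enum
import hashlib
import hmac
from dataclasses import dataclass

# Constructed default credentials; the real ones are platform specific.
DEFAULT_USER = "root"
DEFAULT_PASSWORD = "0penBmc"


class AuthResult(enum.Enum):
    INVALID = "invalid"                # default password no longer matches
    VALID = "valid"                    # matches and not expired
    VALID_EXPIRED = "valid-expired"    # matches, but a new password is required


def _digest(password: str, salt: str) -> str:
    # Stand-in for the crypt(3) hash in /etc/shadow; not a real shadow format.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_shadow_line(user: str, password: str, salt: str, lastchg: str) -> str:
    """Build a constructed shadow-style entry: user:salt$digest:lastchg:..."""
    return f"{user}:{salt}${_digest(password, salt)}:{lastchg}:0:99999:7:::"


def parse_shadow_line(line: str) -> dict:
    """Split one shadow entry into the fields the check needs."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError("malformed shadow entry")
    return {"user": fields[0], "hash": fields[1], "lastchg": fields[2]}


def check_default_credentials(shadow_lines, user=DEFAULT_USER,
                              password=DEFAULT_PASSWORD) -> AuthResult:
    """Are the default credentials still accepted, and are they expired?"""
    for line in shadow_lines:
        entry = parse_shadow_line(line)
        if entry["user"] != user:
            continue
        salt, _, digest = entry["hash"].partition("$")
        if not hmac.compare_digest(_digest(password, salt), digest):
            return AuthResult.INVALID          # password was changed
        if entry["lastchg"] == "0":
            return AuthResult.VALID_EXPIRED    # still default, flagged for change
        return AuthResult.VALID                # still default, not even expired
    return AuthResult.INVALID                  # no such account


@dataclass
class PowerDecision:
    power_on: bool
    indication: str   # operator-panel text (or LED code); empty when powering on


def power_button_pressed(shadow_lines, feature_enabled=False) -> PowerDecision:
    """What the state manager does on a power-button press."""
    if not feature_enabled:
        return PowerDecision(True, "")       # feature off: normal behaviour
    result = check_default_credentials(shadow_lines)
    if result is AuthResult.INVALID:
        return PowerDecision(True, "")       # password changed: boot the host
    # Default password still works (expired or not): refuse and tell the operator.
    return PowerDecision(False, "Change the BMC password, then press the power button again")


if __name__ == "__main__":
    factory_fresh = [make_shadow_line("root", DEFAULT_PASSWORD, "s1", "0")]
    provisioned = [make_shadow_line("root", "installer-chosen", "s1", "18000")]
    print(power_button_pressed(factory_fresh, feature_enabled=True))
    print(power_button_pressed(provisioned, feature_enabled=True))
```

The gate refuses the power-on whenever the default password is still accepted, whether or not it is marked expired, since either state leaves the BMC reachable with known credentials; only an account whose default password no longer authenticates lets the host boot.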
- Joseph