Initial expired passwords - initial commit

Joseph Reynolds jrey at linux.ibm.com
Mon Sep 16 16:12:26 AEST 2019



On 8/22/19 5:49 PM, Joseph Reynolds wrote:
>
> On 8/21/19 10:19 PM, Ratan Gupta wrote:
>> Hi Joseph,
>>
>> On 19/08/19 10:32 PM, Joseph Reynolds wrote:
>>> This is an attempt to over-communicate progress on the [Initial 
>>> expired passwords design][], currently in review.  This email has 
>>> the significant and tricky work items needed to implement the 
>>> design. Emails about the BMCWeb pieces that need to be changed are 
>>> [here][]; in contrast, this email attempts to decompose the overall 
>>> design.
>>>
>>> [Initial expired passwords design]: 
>>> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
>>> [here][]: 
>>> https://lists.ozlabs.org/pipermail/openbmc/2019-August/017625.html
>>>
>>> The "initial expired passwords design" includes the following work. 
>>> An understanding of that design is a pre-requisite to understand the 
>>> items here.
>>>
>>> 1. Implement the new EXPIRED_PASSWORD image feature (initially 
>>> off).  This ensures the password is expired for all local users. The 
>>> right place to do this piece is in Yocto/OpenEmbedded; see 
>>> https://lists.yoctoproject.org/pipermail/yocto-security/2019-July/000114.html
>>>
>>> 2. Enhance BMCWeb to handle Redfish PasswordChangeRequired 
>>> (reference: 
>>> https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.7.0.pdf 
>>> ("Redfish Specification" version 1.7.0 or later) section 13.2.6.1).
>>> This further breaks down into:
>>>
>>> 2a. Add the PasswordChangeRequired field to 
>>> /redfish/v1/SessionManager/Sessions/<session>.  This new field comes 
>>> from PAM_NEW_AUTHTOK_REQD.

The first commit for this is available in gerrit review.  It implements 
most of parts 2 and 2a above.  The BMCWeb issue for discussion is here: 
https://github.com/openbmc/bmcweb/issues/103#issuecomment-530969632

Please review the design and the first commit.

- Joseph

The related GUI work for this is here: 
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018184.html

A question about a potential hole in the security provided by the 
"expired password" design is here: 
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018080.html
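Work item 2a above derives the Session's PasswordChangeRequired property from PAM_NEW_AUTHTOK_REQD. The following is an added illustration of that flow, not BMCWeb source and not part of the thread: the PAM codes are redefined locally so it builds without libpam, the account URI shape is assumed from the Redfish AccountService model, and the rule that an expired-password session may do nothing but change its own password is an assumption drawn from the spec section the thread cites.

```cpp
#include <string>

// Subset of Linux-PAM return codes; numeric values mirror <security/pam_appl.h>
// but are redeclared here so the example compiles without libpam (assumption).
enum class PamCode { Success = 0, AuthErr = 7, NewAuthtokReqd = 12, AcctExpired = 13 };

struct LoginResult {
    bool sessionCreated;          // whether a session token is issued at all
    bool passwordChangeRequired;  // value of the Redfish Session property
    int httpStatus;               // status for the session-creation POST
};

// pam_authenticate() checks the password; pam_acct_mgmt() then reports
// PAM_NEW_AUTHTOK_REQD for a password that is correct but expired.
// Such a login must succeed, but the session is flagged so the user is
// steered into changing the password before doing anything else.
LoginResult evaluateLogin(PamCode authenticate, PamCode acctMgmt) {
    if (authenticate != PamCode::Success) return {false, false, 401};
    switch (acctMgmt) {
        case PamCode::Success:        return {true, false, 201};
        case PamCode::NewAuthtokReqd: return {true, true, 201};
        default:                      return {false, false, 401};  // e.g. account expired
    }
}

// Gate for later requests on the session. While PasswordChangeRequired is
// true, only a PATCH of the caller's own ManagerAccount (to set a new
// Password) proceeds; the caller answers anything else with 403, so an
// expired credential grants no access beyond fixing itself (assumption
// about the spec's handling, see lead-in).
bool requestAllowed(const LoginResult& session, const std::string& method,
                    const std::string& uri, const std::string& user) {
    if (!session.sessionCreated) return false;
    if (!session.passwordChangeRequired) return true;
    return method == "PATCH" &&
           uri == "/redfish/v1/AccountService/Accounts/" + user;
}

// Minimal Session body carrying the new property (constructed shape, not
// the full Redfish schema).
std::string sessionJson(const std::string& id, const std::string& user,
                        const LoginResult& r) {
    return "{\"Id\":\"" + id + "\",\"UserName\":\"" + user +
           "\",\"PasswordChangeRequired\":" +
           (r.passwordChangeRequired ? "true" : "false") + "}";
}
```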