Initial expired passwords - initial commit
Joseph Reynolds
jrey at linux.ibm.com
Mon Sep 16 16:12:26 AEST 2019
On 8/22/19 5:49 PM, Joseph Reynolds wrote:
>
> On 8/21/19 10:19 PM, Ratan Gupta wrote:
>> Hi Joseph,
>>
>> On 19/08/19 10:32 PM, Joseph Reynolds wrote:
>>> This is an attempt to over-communicate progress on the [Initial
>>> expired passwords design][], currently in review. This email has
>>> the significant and tricky work items needed to implement the
>>> design. Emails about the BMCWeb pieces that need to be changed are
>>> [here][]; in contrast, this email attempts to decompose the overall
>>> design.
>>>
>>> [Initial expired passwords design]:
>>> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
>>> [here][]:
>>> https://lists.ozlabs.org/pipermail/openbmc/2019-August/017625.html
>>>
>>> The "initial expired passwords design" includes the following work.
>>> An understanding of that design is a pre-requisite to understand the
>>> items here.
>>>
>>> 1. Implement the new EXPIRED_PASSWORD image feature (initially
>>> off). This ensures the password is expired for all local users. The
>>> right place to do this piece is in Yocto/OpenEmbedded; see
>>> https://lists.yoctoproject.org/pipermail/yocto-security/2019-July/000114.html
>>>
>>> 2. Enhance BMCWeb to handle Redfish PasswordChangeRequired
>>> (reference:
>>> https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.7.0.pdf
>>> ("Redfish Specification" version 1.7.0 or later) section 13.2.6.1).
>>> This further breaks down into:
>>>
>>> 2a. Add the PasswordChangeRequired field to
>>> /redfish/v1/SessionManager/Sessions/<session>. This new field comes
>>> from PAM_NEW_AUTHTOK_REQD.
The first commit for this is available in gerrit review. It implements
most of parts 2 and 2a above. The BMCWeb issue for discussion is here:
https://github.com/openbmc/bmcweb/issues/103#issuecomment-530969632
Please review the design and the first commit.
- Joseph
The related GUI work for this is here:
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018184.html
A question about a potential hole in the security provided by the
"expired password" design is here:
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018080.html
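As an added illustration (not code from BMCWeb or from the design under review) of how items 2 and 2a fit together: the result of pam_acct_mgmt() marks the session, the flag is exposed in the Redfish session resource, and requests from a flagged session are limited until the password is changed. The PAM constants are defined locally so the example builds without libpam, the paths use the standard Redfish SessionService and AccountService resources, and the set of operations permitted while PasswordChangeRequired is true is an assumption drawn from the spec section cited above, not something this mail specifies.

```cpp
#include <string>

// Return codes mirrored from Linux-PAM's <security/pam_appl.h>; defined
// locally (assumption for this demo) so the example builds without libpam.
// In the real flow these come back from pam_acct_mgmt() after a login.
constexpr int PAM_SUCCESS = 0;
constexpr int PAM_NEW_AUTHTOK_REQD = 12;

struct Session {
    std::string id;
    std::string userName;
    bool passwordChangeRequired = false;
};

// Map the pam_acct_mgmt() result onto a new session. A login whose password
// has expired is still accepted, but the session is flagged so the client
// knows it must change the password before doing anything else.
bool openSession(int pamAcctResult, const std::string& user,
                 const std::string& id, Session& out) {
    if (pamAcctResult != PAM_SUCCESS && pamAcctResult != PAM_NEW_AUTHTOK_REQD) {
        return false;  // locked or expired account: reject the login outright
    }
    out = Session{id, user, pamAcctResult == PAM_NEW_AUTHTOK_REQD};
    return true;
}

// Body of GET /redfish/v1/SessionService/Sessions/<id> with the new property.
std::string sessionJson(const Session& s) {
    return "{\"@odata.id\":\"/redfish/v1/SessionService/Sessions/" + s.id +
           "\",\"UserName\":\"" + s.userName +
           "\",\"PasswordChangeRequired\":" +
           (s.passwordChangeRequired ? "true" : "false") + "}";
}

// HTTP status for a request from this session. Assumed enforcement while the
// flag is set: the user may only change their own account's password, read
// their own session, or log out; everything else is refused with 403.
int authorize(const Session& s, const std::string& method,
              const std::string& path) {
    if (!s.passwordChangeRequired) return 200;
    const std::string ownAccount =
        "/redfish/v1/AccountService/Accounts/" + s.userName;
    const std::string ownSession =
        "/redfish/v1/SessionService/Sessions/" + s.id;
    if (method == "PATCH" && path == ownAccount) return 200;
    if (path == ownSession && (method == "GET" || method == "DELETE")) return 200;
    return 403;
}
```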