Security Working Group - Wednesday March 4 - PasswordChangeRequired ready for function test
Joseph Reynolds
jrey at linux.ibm.com
Sat Apr 25 05:09:06 AEST 2020
On 3/4/20 6:08 PM, Joseph Reynolds wrote:
> On 3/2/20 6:05 PM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday March 4 at 10:00am PDT.
>>
>> We'll discuss current development items, and anything else that comes
>> up.
>>
>> The current topics:
>>
>> 1. Proposal to add new Redfish roles for ServiceRep & OemRep. 2.
>> Implement the Redfish PasswordChangeRequired property. 3. Proposal to
>> delete BMCWeb sessions after some kinds of account changes.
>>
>> ...snip...
>
> Here is a summary of the discussion. More details are in the minutes
> linked below.
>
> 1. Weagreed that ServiceRep and ManufacturingRep Privileges are useful
> to articulate. We found two use cases: Admin same as service agent and
> manufacturer, and Admin/Service/manufacturer are different roles.
> Joseph will pursue getting these roles and privileges defined in
> Redfish. We also discussed the problem of how to prevent the admin
> from escalating to the Service role given they control User
> management. (With possible solutions discussed), and some alternate
> designs.
> The next step is: Joseph will send an email to the openbmc list with
> updated details and proposal.
>
> 2. Joseph is working on a new D-Bus property for UserPasswordExpired
> that is needed for BMCWeb.
>
> 3. Terminating BMCWeb sessions when there are severe account changes
> sounds like a good idea.
> Nobody signed up to work on it. :)
...snip...
My PasswordChangeRequired code is ready for review.
- This completes all of the planned changes in this area.
- This implements the Redfish ManagerAccount PasswordChangeRequired
property.
- This implements dynamic Redfish PasswordChangeRequired handling.
There are three parts:
- BMCWeb: Dynamic PasswordChangeRequired handling:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/29136
- phosphor-user-manager: New User.Attributes UserPasswordExpired property
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/31449
- phosphor-dbus-interfaces: New User.Attributes UserPasswordExpired property
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/31450
The BMCWeb commit requires (pre-reqs) the User manager commit which then
pre-reqs the D-Bus interface commit.
The reason I made this change:
This change makes it possible to default the admin account password to
the expired state (so the password must be changed before access to the
BMC is granted). Specifically, this change enables the admin to update
their own expired password. I believe the webui team has plans to
implement an "expired password dialog" to do that. Note that the
dynamic Redfish PasswordChangeRequired handling means the user will not
need to reestablish a new session after changing their expired password.
- Joseph
More information about the openbmc
mailing list