Security Working Group - Wednesday March 4 - PasswordChangeRequired ready for function test

Joseph Reynolds jrey at linux.ibm.com
Sat Apr 25 05:09:06 AEST 2020


On 3/4/20 6:08 PM, Joseph Reynolds wrote:
> On 3/2/20 6:05 PM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting 
>> scheduled for this Wednesday March 4 at 10:00am PDT.
>>
>> We'll discuss current development items, and anything else that comes 
>> up.
>>
>> The current topics:
>>
>> 1. Proposal to add new Redfish roles for ServiceRep & OemRep.
>> 2. Implement the Redfish PasswordChangeRequired property.
>> 3. Proposal to delete BMCWeb sessions after some kinds of account changes.
>>
>> ...snip...
>
> Here is a summary of the discussion.  More details are in the minutes 
> linked below.
>
> 1. We agreed that ServiceRep and ManufacturingRep Privileges are useful 
> to articulate. We found two use cases: Admin same as service agent and 
> manufacturer, and Admin/Service/manufacturer are different roles. 
> Joseph will pursue getting these roles and privileges defined in 
> Redfish. We also discussed the problem of how to prevent the admin 
> from escalating to the Service role given they control User 
> management. (With possible solutions discussed), and some alternate 
> designs.
> The next step is: Joseph will send an email to the openbmc list with 
> updated details and proposal.
>
> 2. Joseph is working on a new D-Bus property for UserPasswordExpired 
> that is needed for BMCWeb.
>
> 3. Terminating BMCWeb sessions when there are severe account changes 
> sounds like a good idea.
> Nobody signed up to work on it. :)
...snip...

My PasswordChangeRequired code is ready for review.
- This completes all of the planned changes in this area.
- This implements the Redfish ManagerAccount PasswordChangeRequired 
property.
- This implements dynamic Redfish PasswordChangeRequired handling.

There are three parts:
- BMCWeb: Dynamic PasswordChangeRequired handling:
    https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/29136
- phosphor-user-manager: New User.Attributes UserPasswordExpired property:
    https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/31449
- phosphor-dbus-interfaces: New User.Attributes UserPasswordExpired property:
    https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/31450

The BMCWeb commit requires (pre-reqs) the User manager commit which then 
pre-reqs the D-Bus interface commit.

The reason I made this change:
This change makes it possible to default the admin account password to 
the expired state (so the password must be changed before access to the 
BMC is granted).  Specifically, this change enables the admin to update 
their own expired password.  I believe the webui team has plans to 
implement an "expired password dialog" to do that.  Note that the 
dynamic Redfish PasswordChangeRequired handling means the user will not 
need to reestablish a new session after changing their expired password.

- Joseph
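
The following is an added sketch, not code from the message above or from the OpenBMC repositories. It models why re-reading the expired flag on every request removes the need for a new session after the password change. The restriction rule (only GET/PATCH on the user's own account while expired, otherwise 403) is assumed from the Redfish specification's password-change-required behaviour, and every name and the in-memory account store are hypothetical.

```python
# Added illustration: a toy model, not bmcweb or phosphor-user-manager code.
from dataclasses import dataclass

# Constructed account store; password_expired stands in for the
# UserPasswordExpired property named in the message (hypothetical layout).
ACCOUNTS = {"admin": {"password_expired": True}}

@dataclass
class Session:
    user: str
    expired_at_login: bool  # snapshot taken when the session was created

def login(user):
    return Session(user, ACCOUNTS[user]["password_expired"])

def _own_account(session, path):
    return path == f"/redfish/v1/AccountService/Accounts/{session.user}"

def _gate(expired, session, method, path):
    """Return an HTTP status. While the password is expired, only GET/PATCH
    on the user's own ManagerAccount is allowed (assumed Redfish behaviour)."""
    if expired and not (method in ("GET", "PATCH") and _own_account(session, path)):
        return 403
    return 200

def authorize_static(session, method, path):
    # Uses the login-time snapshot: stays restricted until a new session.
    return _gate(session.expired_at_login, session, method, path)

def authorize_dynamic(session, method, path):
    # Re-reads the flag on every request: the restriction lifts immediately.
    return _gate(ACCOUNTS[session.user]["password_expired"], session, method, path)

def change_password(session):
    # A successful PATCH of Password clears the expired state.
    ACCOUNTS[session.user]["password_expired"] = False

def demo():
    ACCOUNTS["admin"]["password_expired"] = True
    s = login("admin")
    own = "/redfish/v1/AccountService/Accounts/admin"
    before = authorize_dynamic(s, "GET", "/redfish/v1/Systems")
    patch_own = authorize_dynamic(s, "PATCH", own)
    change_password(s)
    return (before, patch_own,
            authorize_dynamic(s, "GET", "/redfish/v1/Systems"),
            authorize_static(s, "GET", "/redfish/v1/Systems"))
```
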