Proposal: delete BMCWeb sessions after some kinds of account changes
Joseph Reynolds
jrey at linux.ibm.com
Tue Feb 18 09:10:01 AEDT 2020
This proposal is to enhance BMCWeb to terminate login sessions that are
associated with accounts that have incompatible changes. I understand
this practice is allowed by Redfish and recommended by OWASP.
Login sessions should be deleted when associated with the following
account changes:
- Account is deleted, renamed, or expired.
- Account [group role][] changes to not include "web".
Login sessions can remain after the following account changes:
- Account Role changes. The new role will be used for the next
operation, that is, the next use of that session.
- The [proposed][] ExpiredPassword D-Bus property and the
PasswordChangeRequired Redfish property are set to True. Sessions where
this property is True are needed for a user to change their own password.
- The UserLockedForFailedAttempt D-Bus property becomes True. This
property may become true during a brute force attack, and it should not
cause denial of service to existing logged-in users.
- Joseph
[group role]:
https://github.com/openbmc/docs/blob/master/architecture/user_management.md#supported-group-roles
[proposed]:
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020554.html
[Redfish spec]:
https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.9.0.pdf
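The session policy described in the proposal, written out as an added example (this is not BMCWeb's code; the Account, Session and store types are constructed for illustration, and "enabled == false" stands in for an expired account):

```cpp
#include <algorithm>
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed model of a BMC user account (hypothetical, not BMCWeb's types).
struct Account {
    std::string name;
    std::set<std::string> groups;   // e.g. {"web", "redfish", "ssh"}
    bool enabled;                   // false once the account has expired
    bool passwordChangeRequired;    // Redfish PasswordChangeRequired
    bool lockedForFailedAttempt;    // D-Bus UserLockedForFailedAttempt
};

// One login session: a constructed token bound to a username.
struct Session {
    std::string token;
    std::string username;
};

// Decide whether a session survives the current state of its account.
// Drop on delete/rename/expiry or loss of the "web" group; keep on role
// change, PasswordChangeRequired, or lockout, as the proposal specifies.
bool sessionStillValid(const Session& s,
                       const std::map<std::string, Account>& accounts) {
    auto it = accounts.find(s.username);
    if (it == accounts.end()) return false;          // deleted or renamed
    const Account& acct = it->second;
    if (!acct.enabled) return false;                 // expired
    if (acct.groups.count("web") == 0) return false; // no longer a web user
    // PasswordChangeRequired must keep the session so the user can change
    // their own password; a lockout must not let an attacker evict a
    // legitimately logged-in user, so neither flag is checked here.
    return true;
}

// Apply the policy to a session store after an account change and return
// the tokens of the sessions that were removed (for audit logging).
std::vector<std::string> reapSessions(std::vector<Session>& sessions,
                                      const std::map<std::string, Account>& accounts) {
    std::vector<std::string> removed;
    auto tail = std::remove_if(sessions.begin(), sessions.end(),
                               [&](const Session& s) {
                                   bool drop = !sessionStillValid(s, accounts);
                                   if (drop) removed.push_back(s.token);
                                   return drop;
                               });
    sessions.erase(tail, sessions.end());
    return removed;
}
```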