Proposal: delete BMCWeb sessions after some kinds of account changes
aleksandr.v.tereschenko at linux.intel.com
Fri Feb 21 23:45:52 AEDT 2020
On 17-Feb-20 23:10, Joseph Reynolds wrote:
> This proposal is to enhance BMCWeb to terminate login sessions that are
> associated with accounts that have incompatible changes. I understand
> this practice is allowed by Redfish and recommended by OWASP.
This makes sense to me, with one specific note; see below.
> - The [proposed] ExpiredPassword D-Bus property and the
> PasswordChangeRequired Redfish properties set to True. Sessions where
> this property is True are needed for a user to change their own password.
While not terminating these sessions (which certainly makes sense),
should we restrict them to only allow for password change action
starting immediately after that flag is set? I'm not sure how it works now.
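The two policies discussed in this thread, terminating sessions when an account has an incompatible change and keeping but restricting sessions whose account has PasswordChangeRequired set, as a small in-memory model. This is an added example, not BMCWeb code; the account names, role names, action strings and the choice of which changes count as "incompatible" are assumptions made for illustration.

```python
"""Constructed model of the session policy from the thread (not BMCWeb code)."""
from dataclasses import dataclass
import secrets

# The one action a flagged session is still allowed to perform (assumed name).
CHANGE_OWN_PASSWORD = "change_own_password"


@dataclass
class Account:
    name: str
    role: str
    enabled: bool = True
    password_change_required: bool = False


@dataclass
class Session:
    token: str
    account: str


class SessionStore:
    """Tracks accounts and the login sessions that belong to them."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}  # token -> Session

    def add_account(self, account: Account) -> None:
        self.accounts[account.name] = account

    def login(self, name: str) -> str:
        acct = self.accounts.get(name)
        if acct is None or not acct.enabled:
            raise PermissionError("login refused")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(token, name)
        return token

    def sessions_for(self, name: str) -> list[str]:
        return [t for t, s in self.sessions.items() if s.account == name]

    def terminate_sessions(self, name: str) -> int:
        """Drop every session of the account; return how many were dropped."""
        doomed = self.sessions_for(name)
        for token in doomed:
            del self.sessions[token]
        return len(doomed)

    # Account changes treated here as incompatible with existing sessions.
    def set_role(self, name: str, role: str) -> int:
        self.accounts[name].role = role          # privilege changed
        return self.terminate_sessions(name)

    def set_enabled(self, name: str, enabled: bool) -> int:
        self.accounts[name].enabled = enabled
        return self.terminate_sessions(name) if not enabled else 0

    def delete_account(self, name: str) -> int:
        dropped = self.terminate_sessions(name)
        del self.accounts[name]
        return dropped

    def require_password_change(self, name: str) -> int:
        """Flag the account. Sessions are kept so the user can change the
        password, but authorize() limits them to that single action."""
        self.accounts[name].password_change_required = True
        return len(self.sessions_for(name))

    # Per-request check performed before any Redfish action is serviced.
    def authorize(self, token: str, action: str) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        acct = self.accounts.get(sess.account)
        if acct is None or not acct.enabled:
            return False
        if acct.password_change_required:
            return action == CHANGE_OWN_PASSWORD
        return True

    def change_own_password(self, token: str) -> bool:
        if not self.authorize(token, CHANGE_OWN_PASSWORD):
            return False
        acct = self.accounts[self.sessions[token].account]
        acct.password_change_required = False
        # Other sessions of this account were opened under the old credential;
        # drop them and keep only the session that performed the change.
        for other in self.sessions_for(acct.name):
            if other != token:
                del self.sessions[other]
        return True


def demo() -> dict:
    """Walk through the scenario from the thread and collect the outcomes."""
    store = SessionStore()
    store.add_account(Account("operator1", "Operator"))  # constructed account
    t1, t2 = store.login("operator1"), store.login("operator1")
    out = {"ok_before": store.authorize(t1, "read_chassis")}
    out["kept_on_flag"] = store.require_password_change("operator1")
    out["read_blocked"] = store.authorize(t1, "read_chassis")
    out["pw_allowed"] = store.authorize(t1, CHANGE_OWN_PASSWORD)
    out["changed"] = store.change_own_password(t1)
    out["other_dropped"] = store.authorize(t2, "read_chassis")
    out["ok_after"] = store.authorize(t1, "read_chassis")
    out["dropped_on_role"] = store.set_role("operator1", "ReadOnly")
    out["gone_after_role"] = store.authorize(t1, "read_chassis")
    return out
```

The restriction is enforced in `authorize()` on every request rather than at login, so it takes effect the moment the flag is set on an account that already has live sessions, which is the case the note above raises. Dropping the account's other sessions once the password has been changed is a design choice of this model; the thread itself only discusses keeping flagged sessions alive.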