OpenBMC expired password feature

Joseph Reynolds jrey at linux.ibm.com
Wed Apr 14 01:39:55 AEST 2021


 > Hi Joseph,
 >
 > I am working on OpenBMC and would like to test the 'initial expired
 > password' feature that you worked on.  I am not sure how to enable this
 > in an OpenBMC image though.
 >
 > I couldn't find another document which described that process, other
 > than the design documentation listed here:
 > https://github.com/openbmc/docs/blob/master/designs/expired-password.md
 >
 > Is there another document which describes the enablement process, or
 > can you provide some more information on this?

Mario,

The support to have initial expired passwords is not fully available in 
the OpenBMC project.  Here are the pieces you need:

(1)
The EXPIRED_PASSWORD image feature is not implemented.  There are two 
alternate ways to expire the password:
1. Directly expire the root account password via a bitbake recipe.  See 
https://github.com/openembedded/openembedded-core/pull/63/commits/7ace37a67c56fb4b9e0e98f8eff4ed067eb89f1e
2. Add a BMC systemd service to expire the password on BMC first boot.  
See 
https://github.com/ibm-openbmc/openbmc/blob/5434eaa5e4f53d9972c7bf3c4a90fd189f529547/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb

The reason for the first-boot-expire-password.service has to do with how 
the factory reset function works.
Neither of these is merged into the OpenBMC project or OE core.

(2)
Both BMCWeb and the WebUI have the functions to handle expired 
passwords.  Specifically:
- BMCWeb follows the Redfish "password change required handling" spec.
- The WebUI has a special dialog which allows a user to change their own 
expired password during login.

Note a proposed BMCWeb change breaks the "password change required 
handling" function:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39756
Work on that is pending.

(3)
The dropbear SSH server does not allow you to log in or to change your 
password when your password is expired.  My attempt to patch dropbear 
has failed, and I carry a local patch here: 
https://github.com/ibm-openbmc/openbmc/blob/86f9791c2a2d991c3509f5e785322b1011c71d26/meta-phosphor/recipes-core/dropbear/dropbear_%25.bbappend

You can avoid this issue by using the OpenSSH server in place of dropbear.


- Joseph

 >
 > Thanks,
 > --Mario.
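
When testing an image for the initial-expired-password behaviour discussed in this thread, the forced-change state can be read from the shadow file: per shadow(5), a last-change field (field 3) of 0 means the password must be changed at the next login. The script below is an added example, not part of the original email or of OpenBMC; the function names and the sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an account's password state from a shadow(5) file.

# Write constructed sample entries (not real hashes) to the given path.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$constructedsalt$constructedhash:0:0:99999:7:::
admin:$6$constructedsalt$constructedhash:18700:0:99999:7:::
service:$6$constructedsalt$constructedhash:18000:0:90:7:::
nobody:*:18700:0:99999:7:::
EOF
}

# Usage: shadow_pw_state FILE ACCOUNT [TODAY_AS_DAYS_SINCE_EPOCH]
# Prints one of: forced-change, aged-out, locked, ok, missing
shadow_pw_state() {
    file=$1
    acct=$2
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v acct="$acct" -v today="$today" '
        $1 == acct {
            found = 1
            # Field 2 starting with "!" or "*": no password login possible.
            if ($2 ~ /^[!*]/) { print "locked"; exit }
            # Field 3 equal to 0: password must be changed at next login.
            if ($3 == "0") { print "forced-change"; exit }
            # Field 3 + field 5 (maximum age) in the past: expired by aging.
            if ($3 != "" && $5 != "" && $3 + $5 < today) {
                print "aged-out"; exit
            }
            print "ok"; exit
        }
        END { if (!found) print "missing" }
    ' "$file"
}

# Demo on the constructed sample, with "today" fixed at day 18730.
sample=$(mktemp)
make_sample_shadow "$sample"
for a in root admin service nobody; do
    echo "$a: $(shadow_pw_state "$sample" "$a" 18730)"
done
rm -f "$sample"
```

On a running BMC the same function can be pointed at `/etc/shadow` (as root) after first boot and again after a factory reset, to confirm that the account is in the `forced-change` state in both cases.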


