OpenBMC expired password feature
Joseph Reynolds
jrey at linux.ibm.com
Wed Apr 14 01:39:55 AEST 2021
> Hi Joseph,
>
> I am working on OpenBMC and would like to test the 'initial expired
> password' feature that you worked on. I am not sure how to enable this
> in an OpenBMC image though.
>
> I couldn't find another document which described that process, other
> than the design documentation listed here:
> https://github.com/openbmc/docs/blob/master/designs/expired-password.md
>
> Is there another document which describes the enablement process, or
> can you provide some more information on this?
Mario,
The support to have initial expired passwords is not fully available in
the OpenBMC project. Here are the pieces you need:
(1)
The EXPIRED_PASSWORD image feature is not implemented. There are two
alternate ways to expire the password:
1. Directly expire the root account password via a bitbake recipe. See
https://github.com/openembedded/openembedded-core/pull/63/commits/7ace37a67c56fb4b9e0e98f8eff4ed067eb89f1e
2. Add a BMC systemd service to expire the password on BMC first boot.
See
https://github.com/ibm-openbmc/openbmc/blob/5434eaa5e4f53d9972c7bf3c4a90fd189f529547/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb
The reason for the first-boot-expire-password.service has to do with how
the factory reset function works.
Neither of these are merged into the OpenBMC project or OE core.
(2)
Both BMCWeb and the WebUI have the functions to handle expired
passwords. Specifically:
- BMCWeb follows the Redfish "password change required handling" spec.
- The WebUI has a special dialog which allows a user to change their own
expired password during login.
Note a proposed BMCWeb change breaks the "password change required
handling" function:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39756
Work on that is pending.
(3)
The dropbear SSH server does not allow you to log in or to change your
password when your password is expired. My attempt to patch dropbear
has failed, and I carry a local patch here:
https://github.com/ibm-openbmc/openbmc/blob/86f9791c2a2d991c3509f5e785322b1011c71d26/meta-phosphor/recipes-core/dropbear/dropbear_%25.bbappend
You can avoid this issue by using the OpenSSH server in place of dropbear.
- Joseph
>
> Thanks,
> --Mario.
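
Added example, not part of the original thread or of OpenBMC: a shell check that a built image's shadow file really ships root in the "must change password at next login" state described in item (1). It assumes the expiry is done through the standard shadow(5) last-change field (the value `passwd --expire` sets to 0); the function names, state labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify a user's password-aging state from a shadow(5) file.
# Usage: shadow_expiry_state <shadow-file> <user> [today-in-days-since-epoch]
# Prints one of: change-required | aged-out | aging-disabled | valid | no-such-user
shadow_expiry_state() {
    file=$1
    user=$2
    # shadow(5) dates are counted in days since 1970-01-01
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v u="$user" -v today="$today" '
        $1 == u {
            found = 1
            lastchg = $3    # field 3: day of last password change
            max = $5        # field 5: maximum password age in days
            if (lastchg == "")
                state = "aging-disabled"     # empty: aging features off
            else if (lastchg ~ /^0+$/)
                state = "change-required"    # 0: must change at next login
            else if (max != "" && lastchg + max < today)
                state = "aged-out"           # expired through normal aging
            else
                state = "valid"
            print state
            exit
        }
        END { if (!found) print "no-such-user" }
    ' "$file"
}

# Write constructed sample entries (placeholder hashes) to the given path.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$CONSTRUCTED$hash:0:0:99999:7:::
service:$6$CONSTRUCTED$hash:18700:0:99999:7:::
operator:$6$CONSTRUCTED$hash:18000:0:90:7:::
daemon:*::0:99999:7:::
EOF
}
```

Point the function at the `etc/shadow` inside the unpacked root filesystem of the image under test; `change-required` for root is the state an initially expired password should produce.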