OpenBMC expired password feature

Joseph Reynolds jrey at linux.ibm.com
Wed Apr 14 08:07:00 AEST 2021


On 4/13/21 12:11 PM, Mario Sanchez wrote:
> Joseph,
>
> Thank you very much for the info.

You're welcome.

In future emails, please address them to both me and to the OpenBMC 
community email list.  See https://github.com/openbmc/openbmc#contact
This way, everyone benefits from our conversation and we can share our 
knowledge.

And when you reply to openbmc emails, please answer inline (like I have) 
and not at the top of the email.  It's the custom for open source 
projects.

>
> By the way, are you aware of any issues or concerns with enabling this 
> feature via one method vs the other (bitbake recipe vs systemd 
> service) ?  Any behavior differences that may cause some problems down 
> the road ?

No, not really.  The easiest and most obvious solution is the recipe 
change, which results in the readonly image having an expired password.  
There was some esoteric issue with the factory reset function which led 
to creating the service to expire the password. I don't remember exactly 
why.  The key is to test all of your scenarios.

Good luck,
Joseph

>
> Thanks,
> --Mario.
>
> On Tue, 13 Apr 2021 at 10:40, Joseph Reynolds <jrey at linux.ibm.com> wrote:
>
>      > Hi Joseph,
>      >
>      > I am working on OpenBMC and would like to test the 'initial
>      > expired password' feature that you worked on.  I am not sure how
>      > to enable this in an OpenBMC image though.
>      >
>      > I couldn't find another document which described that process,
>      > other than the design documentation listed here:
>      > https://github.com/openbmc/docs/blob/master/designs/expired-password.md
>      >
>      > Is there another document which describes the enablement
>      > process, or can you provide some more information on this?
>
>     Mario,
>
>     The support to have initial expired passwords is not fully
>     available in the OpenBMC project.  Here are the pieces you need:
>
>     (1)
>     The EXPIRED_PASSWORD image feature is not implemented.  There are two
>     alternate ways to expire the password:
>     1. Directly expire the root account password via a bitbake recipe.
>     See
>     https://github.com/openembedded/openembedded-core/pull/63/commits/7ace37a67c56fb4b9e0e98f8eff4ed067eb89f1e
>     2. Add a BMC systemd service to expire the password on BMC first
>     boot.  See
>     https://github.com/ibm-openbmc/openbmc/blob/5434eaa5e4f53d9972c7bf3c4a90fd189f529547/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb
>
>     The reason for the first-boot-expire-password.service has to do
>     with how the factory reset function works.
>     Neither of these are merged into the OpenBMC project or OE core.
>
>     (2)
>     Both BMCWeb and the WebUI have the functions to handle expired
>     passwords.  Specifically:
>     - BMCWeb follows the Redfish "password change required handling" spec.
>     - The WebUI has a special dialog which allows a user to change
>     their own expired password during login.
>
>     Note a proposed BMCWeb change breaks the "password change required
>     handling" function:
>     https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39756
>     Work on that is pending.
>
>     (3)
>     The dropbear SSH server does not allow you to login or to change your
>     password when your password is expired.  My attempt to patch dropbear
>     has failed, and I carry a local patch here:
>     https://github.com/ibm-openbmc/openbmc/blob/86f9791c2a2d991c3509f5e785322b1011c71d26/meta-phosphor/recipes-core/dropbear/dropbear_%25.bbappend
>
>     You can avoid this issue by using the OpenSSH server in place of
>     dropbear.
>
>
>     - Joseph
>
>      >
>      > Thanks,
>      > --Mario.
>
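
For testing either enablement method discussed in this thread, the following check is an added example, not part of the thread and not OpenBMC code: it reports the password-aging state of one account in a shadow(5) file, such as `etc/shadow` in the built rootfs (recipe method) or `/etc/shadow` on the BMC after first boot (service method). It assumes the password is expired through the standard shadow "last change = 0" field, as `passwd --expire` does; the function names, the sample entries and the "today" value 18731 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenBMC code): report the password-aging state of one
# account in a shadow(5) file, e.g. <rootfs>/etc/shadow from a built image.
# Fields used: 1=name 2=hash 3=last change (days since epoch) 5=max age (days).

shadow_state() {  # usage: shadow_state FILE USER [TODAY_IN_DAYS]
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v u="$2" -v today="$today" '
        $1 == u {
            found = 1
            if ($2 ~ /^[!*]/)   print "locked"            # no password login at all
            else if ($2 == "")  print "no-password"
            else if ($3 == "0") print "change-required"   # what "passwd --expire" sets
            else if ($3 != "" && $5 != "" && $3 + $5 < today)
                                print "aged-out"          # older than its max age
            else                print "not-expired"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample entries; hashes are placeholders, not real crypt strings.
sample_shadow() {
    cat <<'EOF'
root:$6$PLACEHOLDER$HASH:0:0:99999:7:::
admin:$6$PLACEHOLDER$HASH:18700:0:99999:7:::
service:$6$PLACEHOLDER$HASH:18000:0:90:7:::
daemon:*:18700:0:99999:7:::
EOF
}

demo() {
    tmp=$(mktemp) && sample_shadow > "$tmp"
    for u in root admin service daemon nobody; do
        printf '%s: %s\n' "$u" "$(shadow_state "$tmp" "$u" 18731)"
    done
    rm -f "$tmp"
}
demo
```

Run it against the image before flashing and again on the BMC after a factory reset, since the thread notes that factory reset is where the two methods differ.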


