Request new repo for IBM-specific code
Ed Tanous
ed at tanous.net
Tue Mar 9 03:03:40 AEDT 2021

On Thu, Mar 4, 2021 at 7:15 PM Joseph Reynolds <jrey at linux.ibm.com> wrote:
>
> What is the right repository for a new Linux-PAM module to implement an
> IBM-specific ACF authentication?
>
> The access control file (ACF) design was introduced to the OpenBMC
> security working group and is described in [IBM issue 1737][] and
> further explained in [IBM issue 2562][].

Could you describe it in a design doc? Implementing ACL seems like
something that's going to affect a lot of the system (at a minimum
every outward-facing client). Unless you really think that you can do
this with no changes to the client repos or phosphor-user-manager, it
seems like it's worth discussion. For what it's worth, I really don't
want to branch the authorization code in bmcweb depending on what
company compiled the code. They were hard enough to get right in the
general case, and matter a lot for security. The likelihood we get
them right for every flavor of auth that a company might want to do
seems unlikely. If we as a project need an "ultra user" that seems
like it shouldn't be specific to IBM, or should be a generic
configuration that IBM systems apply on top, using common routines.
I've already detailed a path toward this in a previous email on this
topic.

>
> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
> the IPMI implementation is shared by all of OpenBMC. By comparison, the
> proposed ibm-pam-acf module is intended only for IBM Enterprise
> systems. The intended implementation is based on standard cryptography
> techniques and could be developed into a general authentication
> solution, but the ACF is specific to IBM in terms of its exact format
> and content, and I expect it will only be used by IBM and its partners.

Have you released the specifications for this file format with an
appropriate license? That seems like a good first step to figuring
out if these could find a home in OpenBMC. If you've already done
that, could you link them?

>
> Can we create a new OpenBMC repo for this? Perhaps ibm-pam-acf? Or
> should this go into some other repo?

Could you please post the code you're planning on putting there
somewhere that we can see it in gerrit? I suspect that would help
review whether or not a new repo is warranted, and probably give hints
as to what design you're planning on implementing.

>
> - Joseph
>
> [IBM issue 1737]: https://github.com/ibm-openbmc/dev/issues/1737
> [IBM issue 2562]: https://github.com/ibm-openbmc/dev/issues/2562
> [pam-ipmi modules]: https://github.com/openbmc/pam-ipmi