Request new repo for IBM-specific code

Patrick Williams patrick at stwcx.xyz
Tue Mar 9 05:45:35 AEDT 2021


On Sat, Mar 06, 2021 at 10:09:36PM -0600, Joseph Reynolds wrote:
> On 3/5/21 1:15 PM, Patrick Williams wrote:
> > On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:
> > My first reading of what is there, I'm not sure why typical certificate
> > based authentication couldn't solve your needs (but I'm just guessing
> > what your needs are).  It seems like you have a root-authority (IBM), a
> > daily expiring certificate, and some fields in the certificate you
> > want to confirm (ex. serial number).  I've seen other production-level
> > systems doing similar for SSH/HTTPS without additional PAM modules.
> 
> Our service team requires password based authentication.  Period. And 
> they don't like the idea of having to generate a certificate/password 
> pair for each service call.  But certificates offer the best technology 
> we have to solve the access problem.  And we are not yet prepared to go 
> to a certificate-only solution. ... So this is where we are at.
> 
> >> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
> >> the IPMI implementation is shared by all of OpenBMC.  By comparison, the
> >> proposed ibm-pam-acf module is intended only for IBM Enterprise
> >> systems.  The intended implementation is based on standard cryptography
> >> techniques and could be developed into a general authentication
> >> solution, but the ACF is specific to IBM in terms of its exact format
> >> and content, and I expect it will only be used by IBM and its partners.
> > Are you planning to open up the tools necessary to create these ACFs?
> 
> No, I hadn't been, but good idea!  We have prototype tools to generate 
> and read the ACF.  They should be useful to our test team.
> There should be nothing secret in the code.  ("The only secret is the 
> private key.")  I'll check with my security team.

My two concerns about hosting a repository for this are:
   1. Is it actually a secure method?
   2. Is it [potentially] useful to anyone else?

WRT #1, I think we need more details to make an assessment.

For #2 I think there is some unsettled debate around "what do we do
about code that is only ever going to be useful to one company"?
Opening up the tools would at least make it possible that someone else
could find this useful.  I think the proposed "Repository Review Board"
might work on better guidance otherwise.

Beyond that, I just have the normal "is this the right way to be doing
this" questions.  You've answered that somewhat with the Certs.  I may
disagree with it, but you obviously know your support team better than I
do.

I recommended some SSH support for certificates before.  Based on your
ask for password-based authentication, I would suggest looking into
pam_2fa[1] as a potential implementation as well.  I know on the surface
this doesn't sound like 2FA, but the pam_2fa module has some benefits, I
think, in this scenario:
    * We avoid writing our own [scary] PAM module.
    * You pave the way for a much more common use case that others could
      build on for other scenarios.
Using pam_2fa, we would only need to make a small localhost-only REST
daemon to answer the 2fa requests for your service users and not a full
PAM module.  Your service users would have a static password plus a 2FA
code (secondary password) populated by whatever this ACF method is.  On
other installs, we could use a proper 2FA server with slightly different
configuration to satisfy things like Yubikey-backed 2FA.

1. https://github.com/CERN-CERT/pam_2fa

-- 
Patrick Williams