Request new repo for IBM-specific code
edtanous at google.com
Tue May 4 02:21:48 AEST 2021
On Thu, Apr 29, 2021 at 2:10 PM Joseph Reynolds <jrey at linux.ibm.com> wrote:
> On 3/8/21 12:45 PM, Patrick Williams wrote:
> > On Sat, Mar 06, 2021 at 10:09:36PM -0600, Joseph Reynolds wrote:
> >> On 3/5/21 1:15 PM, Patrick Williams wrote:
> >>> On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:
> >>> My first reading of what is there, I'm not sure why typical certificate
> >>> based authentication couldn't solve your needs (but I'm just guessing
> >>> what your needs are). It seems like you have a root-authority (IBM), a
> >>> a daily expiring certificate, and some fields in the certificate you
> >>> want to confirm (ex. serial number). I've seen other production-level
> >>> systems doing similar for SSH/HTTPS without additional PAM modules.
> >> Our service team requires password based authentication. Period. And
> >> they don't like the idea of having to generate a certificate/password
> >> pair for each service call. But certificates offer the best technology
> >> we have to solve the access problem. And we are not yet prepared to go
> >> to a certificate-only solution. ... So this is where we are at.
> >>>> Note the [pam-ipmi modules] are scoped to the OpenBMC project because
> >>>> the IPMI implementation is shared by all of OpenBMC. By comparison, the
> >>>> proposed ibm-pam-acf module is intended only for IBM Enterprise
> >>>> systems. The intended implementation is based on standard cryptography
> >>>> techniques and could be developed into a general authentication
> >>>> solution, but the ACF is specific to IBM in terms of its exact format
> >>>> and content, and I expect it will only be used by IBM and its partners.
> >>> Are you planning to open up the tools necessary to create these ACFs?
> >> No, I hadn't been, but good idea! We have prototype tools to generate
> >> and read the ACF. They should be useful to our test team.
> >> There should be nothing secret in the code. ("The only secret is the
> >> private key.") I'll check with my security team.
> > My two concerns about hosting a repository for this are:
> > 1. Is it actually a secure method?
> > 2. Is it [potentially] useful to anyone else?
> > WRT, #1, I think we need more details to make an assessment.
> > For #2 I think there is some unsettled debate around "what do we do
> > about code that is only ever going to be useful to one company"?
> > Opening up the tools would at least make it possible that someone else
> > could find this useful. I think the proposed "Repository Review Board"
> > might work on better guidance otherwise.
> > Beyond that, I just have the normal "is this the right way to be doing
> > this" questions. You've answered that somewhat with the Certs. I may
> > disagree with it, but you obviously know your support team better than I
> > do.
> > I recommended some SSH support for certificates before. Based on your
> > ask for password-based authentiation, I would suggest looking into
> > pam_2fa as a potential implementation as well.
> Let's restart this thread from where we left off. I am working on an
> IBM-specific design to explain the BMC portions of the IBM ACF design to
> the OpenBMC community.
> For item 1 ("is the ACF design a secure method"), we discussed an
> abbreviated threat model in this email thread. From the service
> organizations point of view, it only allows authorized service reps into
> the service account. And from the BMC admin's point of view, they can
> either lock out or authorize the service user via how they handle the
> ACFm but they don't know the password so they cannot login to the
> service account.
> The ACF features including its digital signature, matching system serial
> number, and expiration date -- all of these limit which ACFs a BMC will
> accept. The new Linux-PAM module login is a straightforward decoding
> and validation of the ACF, and then checking the password hash. We
> discussed using pam_2fa in this email thread, and I believe it only
> trades the complexity of a PAM module (which I regard as
> straightforward) for the complexity of a REST server.
> For item 2 ("is it useful to anyone else"), the answer is no. This will
> ever only be useful to IBM and to vendors who clone OpenPOWER systems
> including IBM's approach to service account access.
> So ... does the GitHub OpenBMC organization host vendor specific repos
> (perhaps github.com/openbmc/ibm-misc), or does the source code go
> somewhere else (such as IBM's public fork in
Is there a design doc for this yet? I'm not feeling like there's
enough details on what "ACF" even is to understand whether a new repo
would be warranted, or this is something that we want to support. I'd
like to understand all the components that we'd expect to change, and
how we can ensure that the abstractions are good enough that we don't
break or cause security vulnerabilities to anyone else that's not
using this feature.
> - Joseph
More information about the openbmc