meta-phosphor: enable `allow-root-login`?

Patrick Williams patrick at stwcx.xyz
Wed Jan 5 05:26:17 AEDT 2022


On Tue, Jan 04, 2022 at 07:32:06AM -0800, Johnathan Mantey wrote:
> Patrick....
> 
> On 12/30/21 05:52, Patrick Williams wrote:

> > I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
> > happen again.  Is there any reason why we wouldn't want to enable it by default
> > in meta-phosphor?  There isn't really full support for non-root users in the
> > base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
> > enabled by default?
> 
> Intel explicitly requires root login to be disabled for production 
> releases. Especially since the default password is a known quantity.
> 
> The Intel security audit group enforced blocking a default user for the 
> S2600 WF/BNP/STP series of servers. All user accounts are created using 
> local IPMI commands.

Is this currently able to be done with all upstream functionality or something
that only works in your own forks?

> Intel will prefer the existing behavior remain.

It seems to me that the current behavior is broken for typical cases using
currently upstreamed functionality and so that's why I'm suggesting that
meta-phosphor be "fixed".  It'd be pretty easy to IMAGE_FEATURE:remove this
for meta-intel-bmc, right?

-- 
Patrick Williams