meta-phosphor: enable `allow-root-login`?

Johnathan Mantey johnathanx.mantey at intel.com
Wed Jan 5 06:24:28 AEDT 2022



On 1/4/22 10:26, Patrick Williams wrote:
> On Tue, Jan 04, 2022 at 07:32:06AM -0800, Johnathan Mantey wrote:
>> Patrick....
>>
>> On 12/30/21 05:52, Patrick Williams wrote:
>>> I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
>>> happen again.  Is there any reason why we wouldn't want to enable it by default
>>> in meta-phosphor?  There isn't really full support for non-root users in the
>>> base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
>>> enabled by default?
>> Intel explicitly requires root login to be disabled for production
>> releases. Especially since the default password is a known quantity.
>>
>> The Intel security audit group enforced blocking a default user for the
>> S2600 WF/BNP/STP series of servers. All user accounts are created using
>> local IPMI commands.
> Is this currently able to be done with all upstream functionality or something
> that only works in your own forks?

As a developer for Intel I have to explicitly add 'debug-tweaks' back 
into our bitbake config. I've not dug into who made the decision, and 
which layer of the build process enforced it.

>
>> Intel will prefer the existing behavior remain.
> It seems to me that the current behavior is broken for typical cases using
> currently upstreamed functionality and so that's why I'm suggesting that
> meta-phosphor be "fixed".  It'd be pretty easy to IMAGE_FEATURE:remove this
> for meta-intel-bmc, right?
>

-- 
Johnathan Mantey
Senior Software Engineer
*azad te**chnology partners*
Contributing to Technology Innovation since 1992
Phone: (503) 712-6764
Email: johnathanx.mantey at intel.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20220104/a33b9e9c/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20220104/a33b9e9c/attachment-0001.sig>


More information about the openbmc mailing list