Re: Reply: Update (or generate) /etc/ipmi_pass file
Joseph Reynolds
jrey at linux.ibm.com
Wed Jan 19 13:02:31 AEDT 2022
On 1/6/22 11:09 AM, Zhao, Jiaqing wrote:
> Even if you set minlen=0 in /etc/pam.d/common-password, the password
> length will still be checked by pam-cracklib. Pam-cracklib will call
> the FascistCheck() function of cracklib, and inside cracklib, it will call
> FascistLookUser(), which also checks the password length, and there is
> no way to bypass it unless you modify the cracklib code. The minimum
> length forced by cracklib is 6.
>
> https://github.com/cracklib/cracklib/blob/c66d74fc38e1632726da8230714bf62f6128e212/src/lib/fascist.c#L721
>
> FascistLookUser() also contains other implicit conditions your password
> must meet. Please also be careful about them.
>
> Of course, you can comment out the pam_cracklib.so to bypass all these
> checks.
>
If your /etc/pam.d/common-password file looks like this
(meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password):
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
then you should be able to comment out the pam_cracklib.so,
pam_ipmicheck.so and pam_pwhistory.so lines,
but then you have to remove the "use_authtok" parameter from the
pam_unix.so line (or whichever is your first module).
Be sure to:
- keep the pam_unix.so line (it writes the password into the /etc/shadow file).
- keep the pam_ipmisave.so line (it writes the password to the
/etc/ipmi_pass file).
- keep the deny and permit lines as they are.
Good luck,
- Joseph
> *From:* openbmc
> <openbmc-bounces+jiaqing.zhao=intel.com at lists.ozlabs.org> *On Behalf
> Of *Johnathan Mantey
> *Sent:* Friday, January 7, 2022 00:55
> *To:* Xiaochao Ma (马小超) <maxiaochao at inspur.com>; mine260309 at gmail.com
> *Cc:* openbmc at lists.ozlabs.org
> *Subject:* Re: Reply: Update (or generate) /etc/ipmi_pass file
>
> The OBMC PAM requires the password to be 8 characters in length, and
> probably requires a numeral as well.
> I realize you want to get to a 5 character password.
> I recommend you try adding a user with a password that works with the
> existing rules to see if your automated creation method works. After
> that you can try creating shorter passwords.
>
> On 1/5/22 23:02, Xiaochao Ma (马小超) wrote:
>
> Sorry I didn't explain some of the methods I tried : (
>
> 1. I tried the method you mentioned, but failed.
>
> The length of the password I want to set is 5 digits.
>
> I modified the complexity setting via /etc/pam.d/common-password, but still cannot set a 5-digit password. (The setting for reducing the length requirement failed to take effect)
>
> 2. I also tried to temporarily remove pam_cracklib.so in /etc/pam.d/common-password so that it does not perform complexity detection. Failed very directly......
>
> -----Original Message-----
>
> From: Lei YU [mailto:mine260309 at gmail.com]
>
> Sent: January 6, 2022 14:41
>
> To: Xiaochao Ma (马小超) <maxiaochao at inspur.com>
>
> Cc: openbmc at lists.ozlabs.org
>
> Subject: Re: Update (or generate) /etc/ipmi_pass file
>
> On Thu, Jan 6, 2022 at 11:39 AM Xiaochao Ma (马小超) <maxiaochao at inspur.com> wrote:
>
> Hello everyone
>
> I now want to add a default user to my own machine (I modified
>
> obmc-phosphor-image.bbappend, use the useradd… ),
>
> but the new default user cannot use Ipmi. It is because the ipmi_pass file is not updated.
>
> I couldn't find a method/tool to generate ipmi_pass file. So how can I generate a new ipmi_pass file?
>
> What I do is to use qemu or a real BMC, adjust the ipmi username/passwords, and then copy the ipmi_pass out.
>
> --
> Johnathan Mantey
> Senior Software Engineer
> *azad technology partners*
> Contributing to Technology Innovation since 1992
> Phone: (503) 712-6764
> Email: johnathanx.mantey at intel.com
>
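
A check for the edit described in the reply above, as an added example that is not part of the original thread or the OpenBMC source: it parses a common-password stack and reports a first active module that still has use_authtok, or a missing pam_unix.so, pam_ipmisave.so, pam_deny.so or pam_permit.so line. The sample stack and its module arguments are constructed for illustration and are not the contents of the OpenBMC file; taking "the deny and permit lines" to be pam_deny.so and pam_permit.so is an assumption.

```python
import re

# Constructed sample: a password stack edited the way the reply describes,
# except that use_authtok was left on pam_unix.so. Not the OpenBMC file.
SAMPLE_BAD = """\
#password [success=ok default=die] pam_cracklib.so minlen=8
#password [success=ok default=die] pam_ipmicheck.so use_authtok
#password [success=ok default=die] pam_pwhistory.so use_authtok
password [success=ok default=die] pam_unix.so sha512 use_authtok
password [success=1 default=die] pam_ipmisave.so
password requisite pam_deny.so
password required pam_permit.so
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("sha512 use_authtok", "sha512")

# type, control (one word or a [bracketed list]), module, optional arguments
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def active_password_modules(text):
    """Return (module, args) for every uncommented 'password' line, in order."""
    modules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE.match(line)
        if m and m.group(1).lstrip("-") == "password":
            modules.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return modules

def check_stack(text):
    """List the ways the stack departs from the advice in the reply."""
    mods = active_password_modules(text)
    names = [name for name, _ in mods]
    problems = []
    # The first active module has no earlier module to take the new password from.
    if mods and "use_authtok" in mods[0][1]:
        problems.append(f"{mods[0][0]} is first but still has use_authtok")
    # Assumption: the "deny and permit lines" are pam_deny.so and pam_permit.so.
    for needed in ("pam_unix.so", "pam_ipmisave.so", "pam_deny.so", "pam_permit.so"):
        if needed not in names:
            problems.append(f"{needed} line is missing or commented out")
    return problems

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_stack(text) or "ok")
```
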