Re: Re: Update (or generate) /etc/ipmi_pass file

Xiaochao Ma (马小超) maxiaochao at inspur.com
Fri Jan 21 01:13:06 AEDT 2022


Thank you for your reply.

I have tried this method and got the result I want, thank you very much!

 

Maxiaochao

  _____  

From: Joseph Reynolds <jrey at linux.ibm.com>
Sent: January 19, 2022 10:02
To: Zhao, Jiaqing; Mantey, JohnathanX; Xiaochao Ma (马小超); mine260309 at gmail.com
Cc: openbmc at lists.ozlabs.org
Subject: Re: Re: Update (or generate) /etc/ipmi_pass file

 

On 1/6/22 11:09 AM, Zhao, Jiaqing wrote:
> Even if you set minlen=0 in /etc/pam.d/common-password, the password 
> length will still be checked by pam-cracklib. Pam-cracklib will call 
> FascistCheck() function of cracklib, and inside cracklib, it will call 
> FascistLookUser(), which also checks the password length and there is 
> no way to bypass it unless you modify cracklib code. The minimum 
> length forced by cracklib is 6.
>
> https://github.com/cracklib/cracklib/blob/c66d74fc38e1632726da8230714bf62f6128e212/src/lib/fascist.c#L721
>
> FascistLookUser() also contains other implicit conditions your password 
> must meet. Please also be careful about them.
>
> Of course, you can comment out the pam_cracklib.so to bypass all these 
> checks.
>

If your /etc/pam.d/common-password file looks like this 
(meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password): 
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
then you should be able to comment out the pam_cracklib.so and 
pam_ipmicheck.so and pam_pwhistory.so lines
but then you have to remove the "use_authtok" parameter from the 
pam_unix.so line (or whichever is your first module).

Be sure to:
- keep the pam_unix.so line (it writes the password into /etc/shadow file).
- keep the pam_ipmisave.so line (it writes the password to the 
/etc/ipmi_pass file)
- keep the deny and permit lines as they are.

Good luck,
- Joseph

> *From:* openbmc 
> <openbmc-bounces+jiaqing.zhao=intel.com at lists.ozlabs.org> *On Behalf 
> Of *Johnathan Mantey
> *Sent:* Friday, January 7, 2022 00:55
> *To:* Xiaochao Ma (马小超) <maxiaochao at inspur.com>; mine260309 at gmail.com
> *Cc:* openbmc at lists.ozlabs.org
> *Subject:* Re: Re: Update (or generate) /etc/ipmi_pass file
>
> The OBMC PAM requires the password to be 8 characters in length, and 
> probably requires a numeral as well.
> I realize you want to get to a 5 character password.
> I recommend you try adding a user with a password that works with the 
> existing rules to see if your automated creation method works. After 
> that you can try creating shorter passwords.
>
> On 1/5/22 23:02, Xiaochao Ma (马小超) wrote:
>
>     Sorry I didn't explain some of the methods I tried  : (
>
>     1. I tried the method you mentioned, but failed.
>
>     The length of the password I want to set is 5 digits.
>
>     I modified the complexity setting via /etc/pam.d/common-password, but still cannot set a 5-digit password. (The setting for reducing the length requirement failed to take effect)
>
>     2. I also tried to temporarily remove pam_cracklib.so in /etc/pam.d/common-password so that it does not perform complexity detection. Failed very directly......
>
>     -----Original Message-----
>
>     From: Lei YU [mailto:mine260309 at gmail.com]
>
>     Sent: January 6, 2022 14:41
>
>     To: Xiaochao Ma (马小超) <maxiaochao at inspur.com>
>
>     Cc: openbmc at lists.ozlabs.org
>
>     Subject: Re: Update (or generate) /etc/ipmi_pass file
>
>     On Thu, Jan 6, 2022 at 11:39 AM Xiaochao Ma (马小超) <maxiaochao at inspur.com> wrote:
>
>         Hello everyone
>
>         I now want to add a default user to my own machine (I modified
>
>         obmc-phosphor-image.bbappend, use the useradd… ),
>
>         but the new default user cannot use Ipmi. It is because the ipmi_pass file is not updated.
>
>            I couldn't find a method/tool to generate ipmi_pass file. So how can I generate a new ipmi_pass file?
>
>     What I do is to use qemu or a real BMC, adjust the ipmi username/passwords, and then copy the ipmi_pass out.
>
> -- 
> Johnathan Mantey
> Senior Software Engineer
> *azad technology partners*
> Contributing to Technology Innovation since 1992
> Phone: (503) 712-6764
> Email: johnathanx.mantey at intel.com
>
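
The consistency rules in Joseph's reply (keep pam_unix.so, pam_ipmisave.so and the deny/permit lines; no use_authtok on whichever module ends up first) can be checked mechanically before an edited common-password goes into an image. The Python check below is an added example, not part of the thread or of OpenBMC; the sample stack, its control values and arguments, and the names `active_rules` and `check_stack` are constructed for illustration.

```python
import re

# Modules the reply says can be commented out, and the ones it says to keep.
OPTIONAL = ("pam_cracklib.so", "pam_ipmicheck.so", "pam_pwhistory.so")
REQUIRED = ("pam_unix.so", "pam_ipmisave.so", "pam_deny.so", "pam_permit.so")
RULE = re.compile(r"password\s+(?:\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: checks commented out, use_authtok left on pam_unix.so.
# Control values and arguments are illustrative, not OpenBMC's shipped file.
EDITED = """\
#password [success=ok default=die] pam_cracklib.so minlen=8
#password [success=ok default=die] pam_ipmicheck.so use_authtok
#password [success=ok default=die] pam_pwhistory.so use_authtok
password [success=ok default=die] pam_unix.so use_authtok
password [success=1 default=die] pam_ipmisave.so
password requisite pam_deny.so
password required pam_permit.so
"""

def active_rules(text):
    """Return (module, args) for each uncommented password rule, in order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:  # commented lines start with '#' and never match
            rules.append((m.group(1).rsplit("/", 1)[-1], m.group(2).split()))
    return rules

def check_stack(text):
    """Report stack errors and which optional checks are disabled."""
    rules = active_rules(text)
    active = [module for module, _ in rules]
    errors = [f"{m} missing or commented out" for m in REQUIRED if m not in active]
    if rules and "use_authtok" in rules[0][1]:
        # use_authtok means "take the new password from an earlier module";
        # the first active module has no earlier module to take it from.
        errors.append(f"{rules[0][0]} is first but still has use_authtok")
    disabled = [m for m in OPTIONAL if m not in active]
    return {"errors": errors, "disabled_checks": disabled}

if __name__ == "__main__":
    print(check_stack(EDITED))
    print(check_stack(EDITED.replace("pam_unix.so use_authtok", "pam_unix.so")))
```

The `disabled_checks` list is worth recording alongside the image build, since it names the password checks that no longer run on that system.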
