TOTP based 2-factor authentication to OpenBMC

raviteja bailapudi raviteja28031990 at gmail.com
Wed Jun 26 17:42:25 AEST 2024


Hi All,

This proposal is to add 2-factor authentication to OpenBMC via a
time-based one-time password (TOTP) mechanism.

Here is the proposed model:

1. There will be a user-level setting, disabled by default for all users.
Redfish interfaces will be implemented to enable/disable the 2nd factor for
each user on the BMC.
2. A secret key will be generated at the BMC per user and is shared only with
that user.
3. Each user whose TOTP authentication is enabled should register the TOTP
generator app using the secret key shared by the BMC.
4. Once TOTP authentication is enabled, the user can create sessions by
passing both the password and the TOTP together.

Here is the open source google-authenticator PAM library, which supports
TOTP-based authentication:
https://github.com/google/google-authenticator-libpam
Here is the recipe for google-authenticator:
https://github.com/openbmc/openbmc/blob/master/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
Here are the Redfish schemas for "GoogleAuthenticator" or
"MicrosoftAuthenticator":
https://redfish.dmtf.org/schemas/v1/AccountService.v1_15_1.json

Here are the Redfish forum discussions, working with the DMTF community on
user-level TOTP-based authenticator configuration:
https://redfishforum.com/thread/1061/multi-factor-authentication-on-accountservice

Please share your views.

Thanks & Regards
Raviteja
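
The four steps of the proposed model, sketched as an added example (not part of the original message, and not code from OpenBMC or google-authenticator-libpam): a per-user secret is generated, handed to the user as an otpauth:// URI, and submitted codes are checked per RFC 6238. The function names, the "OpenBMC" issuer label, the one-step clock-skew window and the `last_step` replay guard are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by common authenticator apps

def new_secret() -> str:
    """Step 2: per-user secret, 160 random bits, base32 for the app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(user: str, secret: str, issuer: str = "OpenBMC") -> str:
    """Step 3: URI (usually rendered as a QR code) the user registers in the app."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")

def totp(secret: str, at: float) -> str:
    """RFC 6238 code for time `at`: HMAC-SHA1 over the step counter,
    then RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret)
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def verify(secret: str, code: str, at: float, last_step: int = -1, window: int = 1):
    """Step 4: return the matched time step, or None.
    Accepts +/- `window` steps of clock skew; rejects any step <= `last_step`
    so a code already used for this user cannot be replayed. The caller
    stores the returned step as the user's new `last_step`."""
    now_step = int(at) // STEP
    matched = None
    for step in range(now_step - window, now_step + window + 1):
        # Constant-time comparison; every candidate step is always evaluated.
        ok = hmac.compare_digest(totp(secret, step * STEP).encode(), code.encode())
        if ok and step > last_step:
            matched = step
    return matched

if __name__ == "__main__":
    import time
    secret = new_secret()                      # constructed sample user below
    print(provisioning_uri("admin", secret))
    now = time.time()
    print(verify(secret, totp(secret, now), now))
```

The secret is as sensitive as the password hash: anyone who can read it can generate valid codes, so it needs the same storage protection on the BMC.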