From: Joseph Reynolds <jrey@linux.ibm.com>
To: Patrick Williams <patrick@stwcx.xyz>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday August 4 - ibm-acf repo
Date: Mon, 9 Aug 2021 09:09:04 -0500 [thread overview]
Message-ID: <9c7dc355-1926-babc-d329-efdb7ece1a20@linux.ibm.com> (raw)
In-Reply-To: <YQoIBwTVJZcqTEMU@heinlein>
On 8/3/21 10:22 PM, Patrick Williams wrote:
> On Tue, Aug 03, 2021 at 05:57:52PM -0500, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday August 4 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>> and anything else that comes up:
>>
>> 1. (Joseph): IBM ACF design (2FA authentication for the special IBM
>> service account) is in review -
>> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201
>> <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201>
> I still feel like the "Alternatives considered" are pretty weak in this
> document. Rather than paint broad brushes ("Other were considered. They were
> not suitable.") I think you should enumerate _which_ alternatives were
> considered and _why_ they don't fit the problem at hand.
You're right, I rushed that section. I will fill in some details. Thanks!
> ```
> - Takes four parameters: machine serial number, expiration date, password, and
> private key.
> - Algorithm:
> - Hashes the password.
> - Creates the ACF from the hashed password, serial number, and expiration date.
> - Digitally signs the ACF using the private key.
> - Returns the ACF to the caller.
> ```
>
> This sounds a lot like U2F. The "4 parameters" are the challenge, IBM's key
> signing server is the U2F device, and PAM is the "Relying Party". There are
> already PAM modules for some aspects of U2F and the token you need to exchange
> is reasonably short (my Yubikey output is 33 characters).
>
> https://developers.yubico.com/U2F/Protocol_details/Overview.html
>
> The nice aspect if you can reuse portions of the U2F protocol is that you go a
> long way towards enabling others to add more typical 2FA like Yubikeys.
We discussed this an email exchange ending 2021 March 9 "Request new
repo for IBM-specific code - pam_2fa discussion". Although I could use
the U2F module, it is not a good fit because the ACF credential flow
does not fit well under the U2F protocol. I'll excerpt that
conversation and add details to the design.
Joseph
next prev parent reply other threads:[~2021-08-09 14:10 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-03 22:57 Security Working Group meeting - Wednesday August 4 Joseph Reynolds
2021-08-04 3:04 ` Patrick Williams
2021-08-04 3:22 ` Patrick Williams
2021-08-09 14:09 ` Joseph Reynolds [this message]
2021-08-04 3:28 ` Patrick Williams
2021-08-04 18:43 ` Security Working Group meeting - Wednesday August 4 - all distro owners please review Joseph Reynolds
2021-08-04 18:47 ` Security Working Group meeting - Wednesday August 4 - results Joseph Reynolds
2021-08-04 20:09 ` Patrick Williams
2021-08-04 20:39 ` Joseph Reynolds
2021-08-04 20:49 ` Patrick Williams
2021-08-04 23:23 ` Patrick Williams
2021-08-06 17:10 ` Mihm, James
2021-08-04 23:47 ` Andrew Jeffery
2021-08-04 23:57 ` Ed Tanous
2021-08-05 13:55 ` Brad Bishop
2021-08-05 13:43 ` Brad Bishop
2021-08-05 15:54 ` Brad Bishop
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9c7dc355-1926-babc-d329-efdb7ece1a20@linux.ibm.com \
--to=jrey@linux.ibm.com \
--cc=openbmc@lists.ozlabs.org \
--cc=patrick@stwcx.xyz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).