openbmc.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed
From: Joseph Reynolds <jrey@linux.ibm.com>
To: Patrick Williams <patrick@stwcx.xyz>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday August 4 - ibm-acf repo
Date: Mon, 9 Aug 2021 09:09:04 -0500	[thread overview]
Message-ID: <9c7dc355-1926-babc-d329-efdb7ece1a20@linux.ibm.com> (raw)
In-Reply-To: <YQoIBwTVJZcqTEMU@heinlein>

On 8/3/21 10:22 PM, Patrick Williams wrote:
> On Tue, Aug 03, 2021 at 05:57:52PM -0500, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday August 4 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>> and anything else that comes up:
>>
>>   1. (Joseph): IBM ACF design (2FA authentication for the special IBM
>>      service account) is in review -
>>      https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201
>>      <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201>
> I still feel like the "Alternatives considered" are pretty weak in this
> document.  Rather than paint broad brushes ("Other were considered.  They were
> not suitable.") I think you should enumerate _which_ alternatives were
> considered and _why_ they don't fit the problem at hand.

You're right, I rushed that section.  I will fill in some details. Thanks!

> ```
> - Takes four parameters: machine serial number, expiration date, password, and
>    private key.
> - Algorithm:
>     - Hashes the password.
>     - Creates the ACF from the hashed password, serial number, and expiration date.
>     - Digitally signs the ACF using the private key.
>     - Returns the ACF to the caller.
> ```
>
> This sounds a lot like U2F.  The "4 parameters" are the challenge, IBM's key
> signing server is the U2F device, and PAM is the "Relying Party".  There are
> already PAM modules for some aspects of U2F and the token you need to exchange
> is reasonably short (my Yubikey output is 33 characters).
>
> https://developers.yubico.com/U2F/Protocol_details/Overview.html
>
> The nice aspect if you can reuse portions of the U2F protocol is that you go a
> long way towards enabling others to add more typical 2FA like Yubikeys.

We discussed this an email exchange ending 2021 March 9 "Request new 
repo for IBM-specific code - pam_2fa discussion".  Although I could use 
the U2F module, it is not a good fit because the ACF credential flow 
does not fit well under the U2F protocol.  I'll excerpt that 
conversation and add details to the design.

Joseph


  reply	other threads:[~2021-08-09 14:10 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-03 22:57 Security Working Group meeting - Wednesday August 4 Joseph Reynolds
2021-08-04  3:04 ` Patrick Williams
2021-08-04  3:22 ` Patrick Williams
2021-08-09 14:09   ` Joseph Reynolds [this message]
2021-08-04  3:28 ` Patrick Williams
2021-08-04 18:43   ` Security Working Group meeting - Wednesday August 4 - all distro owners please review Joseph Reynolds
2021-08-04 18:47 ` Security Working Group meeting - Wednesday August 4 - results Joseph Reynolds
2021-08-04 20:09   ` Patrick Williams
2021-08-04 20:39     ` Joseph Reynolds
2021-08-04 20:49       ` Patrick Williams
2021-08-04 23:23         ` Patrick Williams
2021-08-06 17:10           ` Mihm, James
2021-08-04 23:47         ` Andrew Jeffery
2021-08-04 23:57           ` Ed Tanous
2021-08-05 13:55             ` Brad Bishop
2021-08-05 13:43       ` Brad Bishop
2021-08-05 15:54   ` Brad Bishop

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9c7dc355-1926-babc-d329-efdb7ece1a20@linux.ibm.com \
    --to=jrey@linux.ibm.com \
    --cc=openbmc@lists.ozlabs.org \
    --cc=patrick@stwcx.xyz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).