From: Joseph Reynolds <jrey@linux.ibm.com>
To: Neil Bradley <Neil_Bradley@phoenix.com>,
	OpenBMC Maillist <openbmc@lists.ozlabs.org>
Subject: Re: bmcweb 30 second lockout
Date: Wed, 9 Sep 2020 18:20:58 -0500	[thread overview]
Message-ID: <063c4d06-8e54-4682-8d41-573ce08839b5@linux.ibm.com> (raw)
In-Reply-To: <1f5b34f7029a48f39a5dfdbf9aad9e93@SCL-EXCHMB-13.phoenix.com>

On 9/9/20 5:13 PM, Neil Bradley wrote:
>
> I had recently read somewhere on the OpenBMC mailing list (forgive me, 
> as I can’t find it anywhere now) indicating that there’d be a 
> 30 second lockout for a given user if there were 3 consecutive failed 
> login attempts. My question is firstly, is this the case, and 
> secondly, is it tied to the user globally regardless of connection or 
> is it per user and connection? The reason I ask is that the former 
> would still allow for a denial of service attack and want to make sure 
> that’s not actually the case.
>

I can think of two items:

1. I had pushed an experimental gerrit code review to do what you described.
Here: https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/31841
My idea has not gained much traction and is recorded here: 
https://github.com/ibm-openbmc/dev/issues/2434
and here: https://github.com/linux-pam/linux-pam/issues/216
and here: https://github.com/deksai/pam_abl/issues/4
and other places.
If this ever gets merged, it would NOT be the default behavior.

2. The user lockouts for failed authentication attempts are handled by 
pam_tally2 and controlled by Redfish APIs.
See 
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
In pam.d/common-auth, the default pam_tally2 deny=0 means "accounts are 
never locked because of failed authentication attempts".

The Redfish APIs are implemented here: 
https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/account_service.hpp
Specifically, PATCHing the /redfish/v1/AccountService/ property 
AccountLockoutDuration or AccountLockoutThreshold invokes a D-Bus method 
which ultimately modifies the pam.d/common-auth config file above.

Note that downstream projects may typically want to modify these default 
settings.

3. I don't think you mean this: There is a current code review for a 
BMCWeb enhancement to allow the BMC admin to control the idle session 
SessionTimeout property.  The minimum is 30 seconds. See 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/36016

- Joseph

> Thanks!
>
> Neil
>
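
The mapping described in item 2 above, as an added example that is not code from the OpenBMC project or from either poster: a small POSIX shell script that shows what the pam_tally2 line in pam.d/common-auth looks like with the default deny=0 (never lock), and rewrites it the way a Redfish PATCH of AccountLockoutThreshold (deny=) and AccountLockoutDuration (unlock_time=, in seconds) ultimately does. The sample common-auth contents, the function names and the "3 attempts, 30 seconds" values are constructed for this illustration; the exact text of the real common-auth file may differ.

```shell
#!/bin/sh
# Added example, not OpenBMC code: the pam_tally2 line that the Redfish
# AccountService lockout properties end up editing, and a helper that
# rewrites it. The file contents below are a constructed sample.
set -eu

# Constructed stand-in for pam.d/common-auth with the OpenBMC default
# deny=0, i.e. accounts are never locked for failed authentication.
make_sample_common_auth() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auth    required    pam_tally2.so deny=0 unlock_time=0
auth    [success=1 default=ignore]    pam_unix.so
auth    requisite   pam_deny.so
auth    required    pam_permit.so
EOF
    printf '%s\n' "$f"
}

# Print the current "deny=N unlock_time=M" pair from the pam_tally2 line.
get_lockout() {
    sed -n 's/^auth[[:space:]].*pam_tally2\.so.*deny=\([0-9]*\).*unlock_time=\([0-9]*\).*/deny=\1 unlock_time=\2/p' "$1"
}

# Rewrite deny= (Redfish AccountLockoutThreshold) and unlock_time=
# (Redfish AccountLockoutDuration, seconds) on the pam_tally2 line only.
# Rejects anything that is not a non-negative integer so a bad value can
# never produce a malformed PAM line (which would break all logins).
set_lockout() {
    file=$1; deny=$2; unlock=$3
    for v in "$deny" "$unlock"; do
        case "$v" in
            ''|*[!0-9]*) echo "set_lockout: '$v' is not a non-negative integer" >&2; return 1 ;;
        esac
    done
    sed -e "/pam_tally2\.so/ s/deny=[0-9]*/deny=$deny/" \
        -e "/pam_tally2\.so/ s/unlock_time=[0-9]*/unlock_time=$unlock/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Walk-through: start from the default, then apply the policy asked about
# in this thread (3 consecutive failures lock the account for 30 seconds).
f=$(make_sample_common_auth)
echo "before: $(get_lockout "$f")"
set_lockout "$f" 3 30
echo "after:  $(get_lockout "$f")"
rm -f "$f"
```

On a running BMC you would not edit the file by hand; the same change is made through the Redfish API the message points at, for example `curl -k -u <user>:<password> -X PATCH https://<bmc>/redfish/v1/AccountService -H 'Content-Type: application/json' -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 30}'`, and a GET on the same URI shows the values in effect. Setting AccountLockoutThreshold back to 0 restores the "never lock" default.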


Thread overview: 9+ messages
2020-09-09 22:13 bmcweb 30 second lockout Neil Bradley
2020-09-09 23:20 ` Joseph Reynolds [this message]
2020-09-09 23:26   ` Neil Bradley
2020-09-11 21:10     ` Joseph Reynolds
2020-09-11 21:42       ` Neil Bradley
2020-09-14 14:31         ` Joseph Reynolds
2020-09-14 14:55         ` Ed Tanous
2020-09-15 16:14           ` Joseph Reynolds
2020-09-15 16:20             ` Ed Tanous
