All of lore.kernel.org
 help / color / mirror / Atom feed
From: Vernon Mauery <vernon.mauery@linux.intel.com>
To: Milton Miller II <miltonm@us.ibm.com>
Cc: OpenBMC Development <openbmc@lists.ozlabs.org>
Subject: Re: ipmi password storage
Date: Tue, 14 Apr 2020 12:14:44 -0700	[thread overview]
Message-ID: <20200414191444.GE9295@mauery.jf.intel.com> (raw)
In-Reply-To: <OFED1A87B9.D16D66BD-ON0025854A.004EDFC4-0025854A.00634C8E@notes.na.collabserv.com>

On 14-Apr-2020 06:04 PM, Milton Miller II wrote:
>On Apr 13, 2020 around 6:01PM in some time zone, Vernon Mauery wrote:
>>
>>Internally, an issue was raised that basically says that the
>>mechanism
>>by which we are storing the IPMI passwords on the BMC is
>>insufficiently
>>obfuscated. I have come up with a patch set that resolves this at the
>>
>>expense of no downgrading the BMC without the side-effect of losing
>>all
>>IPMI passwords. I would like to know what the community thinks about
>>usability vs. security in this scenario.
>
>...
>
>>The migration from the old mechanism to the new could be done simply>by
>>using the new key on the next write to the /etc/ipmi_pass file. After
>>a
>>firmware update to this new code, a password change would trigger a
>>decrypt of the /etc/ipmi_pass file, a modification of the plain text,
>>
>>and a re-encryption of the data. If it reads the 'legacy' key in and
>>writes out the data using the new key mechanism and deletes the
>>legacy
>>key, it would use the new key mechanism from that point onward.
>>However,
>>this would cause any downgrades to prior versions to fail to decrypt
>>the
>>/etc/ipmi_pass file, thereby losing all the ipmi passwords. This is
>>not
>>ideal, but could possibly be mitigating by truncating the new
>>machine-id
>>derivative password to 8 bytes and storing it in the /etc/key_file
>>instead of just deleting it. This might improve security only
>>slightly
>>at for the price of a better user experience.
>>
>
>I'll point out the code to handle the new password could be added
>before the cdoe to use the new method, allowing test and revert
>until the users are upgraded to the new method.  It does require
>both methods to be supported.

Yes, it looks like any sort of change here would need to be a staged 
change to reduce the disruption.

>I didn't follow why currently all openbmc systems end up with
>the same encryption^Wobsfucation for what that is worth.

Unless the build has a bbappend that changes the contents of the 
key_file that is a part of the pam-ipmi package, all of the builds will 
contain that same key_file. I can't say for sure how many builds have 
this already, but I did not see much documentation around that fact that 
would have spurred people to take action, so it is my assumption that 
most builds would use the default.

--Vernon

  reply	other threads:[~2020-04-14 19:14 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-13 23:00 ipmi password storage Vernon Mauery
2020-04-14 15:50 ` Patrick Williams
2020-04-14 16:46   ` Vernon Mauery
2020-04-14 22:03     ` Joseph Reynolds
2020-04-14 22:42       ` Vernon Mauery
2020-04-16  6:04         ` Joel Stanley
2020-04-20 14:29           ` Vernon Mauery
2020-04-22 11:38     ` Patrick Williams
2020-04-22 22:19       ` Vernon Mauery
2020-04-24 15:15         ` Patrick Williams
2020-04-29 16:02           ` Alexander Tereschenko
2020-04-14 16:27 ` Alexander Tereschenko
2020-04-14 19:11   ` Vernon Mauery
2020-04-14 22:18     ` Joseph Reynolds
2020-04-14 22:44       ` Vernon Mauery
2020-04-14 22:48         ` Joseph Reynolds
2020-04-15 20:32           ` Joseph Reynolds
2020-04-14 18:04 ` Milton Miller II
2020-04-14 19:14   ` Vernon Mauery [this message]
2020-04-14 22:30     ` Joseph Reynolds
2020-04-14 22:47       ` Vernon Mauery

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200414191444.GE9295@mauery.jf.intel.com \
    --to=vernon.mauery@linux.intel.com \
    --cc=miltonm@us.ibm.com \
    --cc=openbmc@lists.ozlabs.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.