Re: Request new repo for IBM-specific code

[Joseph Reynolds <jrey@linux.ibm.com>]

On 3/8/21 12:45 PM, Patrick Williams wrote:
> On Sat, Mar 06, 2021 at 10:09:36PM -0600, Joseph Reynolds wrote:
>> On 3/5/21 1:15 PM, Patrick Williams wrote:
>>> On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:
>>> My first reading of what is there, I'm not sure why typical certificate
>>> based authentication couldn't solve your needs (but I'm just guessing
>>> what your needs are).  It seems like you have a root-authority (IBM), a
>>> a daily expiring certificate, and some fields in the certificate you
>>> want to confirm (ex. serial number).  I've seen other production-level
>>> systems doing similar for SSH/HTTPS without additional PAM modules.
>> Our service team requires password based authentication.  Period. And
>> they don't like the idea of having to generate a certificate/password
>> pair for each service call.  But certificates offer the best technology
>> we have to solve the access problem.  And we are not yet prepared to go
>> to a certificate-only solution. ... So this is where we are at.
>>
>>>> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
>>>> the IPMI implementation is shared by all of OpenBMC.  By comparison, the
>>>> proposed ibm-pam-acf module is intended only for IBM Enterprise
>>>> systems.  The intended implementation is based on standard cryptography
>>>> techniques and could be developed into a general authentication
>>>> solution, but the ACF is specific to IBM in terms of its exact format
>>>> and content, and I expect it will only be used by IBM and its partners.
>>> Are you planning to open up the tools necessary to create these ACFs?
>> No, I hadn't been, but good idea!  We have prototype tools to generate
>> and read the ACF.  They should be useful to our test team.
>> There should be nothing secret in the code.  ("The only secret is the
>> private key.")  I'll check with my security team.
> My two concerns about hosting a repository for this are:
>     1. Is it actually a secure method?
>     2. Is it [potentially] useful to anyone else?
>
> WRT, #1, I think we need more details to make an assessment.
>
> For #2 I think there is some unsettled debate around "what do we do
> about code that is only ever going to be useful to one company"?
> Opening up the tools would at least make it possible that someone else
> could find this useful.  I think the proposed "Repository Review Board"
> might work on better guidance otherwise.
>
> Beyond that, I just have the normal "is this the right way to be doing
> this" questions.  You've answered that somewhat with the Certs.  I may
> disagree with it, but you obviously know your support team better than I
> do.
>
> I recommended some SSH support for certificates before.  Based on your
> ask for password-based authentiation, I would suggest looking into
> pam_2fa[1] as a potential implementation as well.
...snip...

Let's restart this thread from where we left off.  I am working on an 
IBM-specific design to explain the BMC portions of the IBM ACF design to 
the OpenBMC community.

For item 1 ("is the ACF design a secure method"), we discussed an 
abbreviated threat model in this email thread.  From the service 
organizations point of view, it only allows authorized service reps into 
the service account.  And from the BMC admin's point of view, they can 
either lock out or authorize the service user via how they handle the 
ACFm but they don't know the password so they cannot login to the 
service account.
The ACF features including its digital signature, matching system serial 
number, and expiration date -- all of these limit which ACFs a BMC will 
accept.  The new Linux-PAM module login is a straightforward decoding 
and validation of the ACF, and then checking the password hash.  We 
discussed using pam_2fa in this email thread, and I believe it only 
trades the complexity of a PAM module (which I regard as 
straightforward) for the complexity of a REST server.

For item 2 ("is it useful to anyone else"), the answer is no.  This will 
ever only be useful to IBM and to vendors who clone OpenPOWER systems 
including IBM's approach to service account access.

So ... does the GitHub OpenBMC organization host vendor specific repos 
(perhaps github.com/openbmc/ibm-misc), or does the source code go 
somewhere else (such as IBM's public fork in 
github.com/ibm-openbmc/pam-ibm-acf)?

- Joseph