inline update on impact & solutions for CI

On 3/18/2019 7:49 PM, Thomaiyar, Richard Marian wrote:

All,

In OpenBMC, the default password “0penBmc” is used for the “root” user. This gets applied for all recipes irrespective of a company's meta-xxx layer, as it is done through phosphor-defaults.inc (under the meta-phosphor distro). The only option is to override it using local.conf.sample (but if missed, the default password for the root user will get applied). Currently this is not limited to DEBUG_BUILD but applied for all builds. As the root user is also exposed in phosphor-user-manager, it is shown as a valid user account in all the interfaces like IPMI / REDFISH / WEBUI etc. From a security point of view, the following recommendations are made.

1. Avoid having common default passwords across products. (i.e. it’s OK to have a unique password for each device).

2. Force the end user to configure user name & password.

This was also pointed out by Ed in our sync meeting - SB-327 Information Privacy – connected Devices


Having said that, I am planning to do the following. Please let me know your views / concerns / any other recommendations.

1. Remove the default password “0penBmc” from phosphor-defaults.inc. Any company which requires a password for the root user can enable it using local.conf.sample, in its respective meta-xxx layer. (Recommend avoiding the root user or, in the worst case, keeping it for DEBUG_BUILD only.)

This may cause a problem for people who need the default password in a deployment system. (But it's better to find a different solution, due to the security concern. If this is what is really required, then it can be overridden using local.conf.sample. At the same time, we can keep the root password enabled for non-release versions.)

2. Can expose a different user name: openBmcUser, password: 0penBmc, through local.conf.sample in DEBUG_BUILD / internal builds, and make sure that this doesn’t get applied for the RELEASE version.

2.1 --> This provides an option so that the CI infrastructure build will use "openBmcUser" as the default user (if a host interface is not available for the CI system). Using this methodology, the CI system won't be broken.

2.2 --> In the worst case, we can have the root user for CI builds alone, as using that we can log in to SSH and create the default user using the ipmitool -I dbus interface.

3. Remove exposing user id 0 (root) in phosphor-user-manager, i.e. the root user (uid:0) doesn’t need to be listed as a user account in IPMI / REDFISH for all builds? (Reason: 1. As part of SELinux. 2. Few validation cases which require deleting all user accounts etc. will not be covered.) Note: If anyone really requires this, then we can make it through a configurable flag.

4. The host interface (IPMI commands) must be used to create user accounts in the BMC (i.e. from the BIOS Setup page, user accounts for the BMC can be created).

5. For any systems which don’t have a host interface, logic can be applied to create a new user based on restrictions (say, create user accounts based on certain stages – provisioning / physical presence check / can create a unique password for each device etc.)


Regards,

Richard
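
As an added example that is not part of the original message or of OpenBMC's code: one way a CI job could enforce items 1 and 2 is to audit a RELEASE image's `/etc/passwd` and `/etc/shadow` before publishing it. The function names and sample account files below are constructed for illustration; only the `openBmcUser` name comes from the message.

```python
"""Release gate: audit an image's passwd/shadow for accounts that must not ship."""

DEBUG_ONLY_USERS = {"openBmcUser"}  # debug-only account name taken from the message


def password_usable(hash_field):
    """True if this shadow field permits password login ('' means no password)."""
    return not hash_field.startswith(("!", "*"))


def parse(text, min_fields):
    """Yield colon-separated records, skipping blank and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= min_fields:
            yield fields


def audit_release(passwd_text, shadow_text):
    """Return findings that should fail a RELEASE build."""
    uid0 = {f[0] for f in parse(passwd_text, 3) if f[2] == "0"}
    findings = []
    for fields in parse(shadow_text, 2):
        user, hash_field = fields[0], fields[1]
        if user in DEBUG_ONLY_USERS:
            findings.append(f"{user}: debug-only account present")
        elif user in uid0 and password_usable(hash_field):
            findings.append(f"{user}: uid 0 account has a usable password")
        elif hash_field == "":
            findings.append(f"{user}: empty password field")
    return findings


# Constructed sample files (hash values are placeholders, not real hashes).
HASH = "$6$constructedsalt$constructedhash"
DEBUG_PASSWD = ("root:x:0:0:root:/home/root:/bin/sh\n"
                "openBmcUser:x:1000:1000::/home/openBmcUser:/bin/sh\n")
DEBUG_SHADOW = (f"root:{HASH}:17000:0:99999:7:::\n"
                f"openBmcUser:{HASH}:17000:0:99999:7:::\n")
RELEASE_PASSWD = ("root:x:0:0:root:/home/root:/bin/sh\n"
                  "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n")
RELEASE_SHADOW = "root:*:17000:0:99999:7:::\ndaemon:*:17000:0:99999:7:::\n"

if __name__ == "__main__":
    for name, pw, sh in (("debug", DEBUG_PASSWD, DEBUG_SHADOW),
                         ("release", RELEASE_PASSWD, RELEASE_SHADOW)):
        print(name, audit_release(pw, sh) or "clean")
```

A password field beginning with `!` or `*` cannot match any hash, so the check treats those accounts as locked for password login.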