* Reg default user account in OpenBMC
From: Thomaiyar, Richard Marian @ 2019-03-18 14:19 UTC (permalink / raw)
To: OpenBMC Maillist
All,
In OpenBMC, the default password “0penBmc” is used for the “root” user.
This is getting applied for all recipes irrespective of the company's
meta-xxx layer, as this is done through phosphor-defaults.inc (under the
meta-phosphor distro). The only option is to override the same using
local.conf.sample (but if missed, the default password for the root user will
get applied). Currently this is not limited to DEBUG_BUILD but applied
for all builds. As the root user is also exposed in phosphor-user-manager,
it is shown as a valid user account in all the interfaces like IPMI /
REDFISH / WEBUI etc. From a security point of view, the following
recommendations are made.
1. Avoid having common default passwords across products (i.e. it’s ok
to have a unique password for each device).
2. Force the end-user to configure user name & password.
This was also pointed out by Ed in our sync meeting - SB-327 Information
Privacy – connected Devices
<https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327>
Having said that, I am planning to do the following. Please let me know your
views / concerns / any other recommendations.
1. Remove the default password “0penBmc” from phosphor-defaults.inc. Any
company which requires a password for the root user can enable the same using
local.conf.sample in its respective meta-xxx layer (recommended to avoid
using the root user or, in the worst case, keep it for DEBUG_BUILD only).
2. Can expose a different user name: openBmcUser, password: 0penBmc through
local.conf.sample in DEBUG_BUILD / internal builds and make sure that
this doesn’t get applied for the RELEASE version.
3. Remove exposing user id 0 (root) in phosphor-user-manager, i.e. the root
user (uid:0) doesn’t need to be listed as a user account in IPMI /
REDFISH for all builds? (Reason: 1. As part of SELinux. 2. A few
validation cases which require deleting all user accounts etc. will not be
covered.) Note: If anyone really requires this, then we can make it
available through a configurable flag.
4. The Host interface (IPMI commands) must be used to create user accounts
in the BMC (i.e. from the BIOS Setup page, user accounts for the BMC can be
created).
5. For any systems which don’t have a Host interface - logic can be
applied to create a new user based on restrictions (say, create user
accounts based on certain stages – provisioning / physical presence
check / can create a unique password for each device etc.).
Regards,
Richard
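As an added example, not code from this mail or from OpenBMC, here is a release-image gate in the spirit of proposals 1 and 2: it reads the image's /etc/shadow (path assumed) and fails if any account, root above all, still ships with a usable or empty password. The shadow entries below are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBMC. A release-image gate
# in the spirit of proposals 1 and 2: read <rootfs>/etc/shadow (path assumed)
# and fail if any account, root above all, still has a usable or empty
# password. Locked entries ("!..." or "*") are what a release image should ship.
audit_shadow() {
    shadow_file="$1"
    failures=0
    while IFS=: read -r user hash _rest; do
        if [ -z "$user" ]; then continue; fi    # skip blank lines
        case "$hash" in
            '!'*|'*'*)                          # locked / no password login: OK
                ;;
            '')
                echo "FAIL: '$user' has an empty password (login without password)" >&2
                failures=$((failures + 1)) ;;
            *)
                echo "FAIL: '$user' ships with a usable password hash" >&2
                failures=$((failures + 1)) ;;
        esac
    done < "$shadow_file"
    [ "$failures" -eq 0 ]
}

# Constructed sample shadow files (not from any real image) to show both outcomes.
sample_debug=$(mktemp)
sample_release=$(mktemp)
cat > "$sample_debug" <<'EOF'
root:$1$CONSTRUCTED$CONSTRUCTEDHASHxxxxxxxxxxxx:17900:0:99999:7:::
daemon:*:17900:0:99999:7:::
sshd:!:17900:0:99999:7:::
EOF
cat > "$sample_release" <<'EOF'
root:!:17900:0:99999:7:::
daemon:*:17900:0:99999:7:::
sshd:!:17900:0:99999:7:::
EOF
for f in "$sample_debug" "$sample_release"; do
    if audit_shadow "$f"; then
        echo "$f: PASS, no usable passwords in image"
    else
        echo "$f: REJECT, do not ship this image as a release build"
    fi
done
rm -f "$sample_debug" "$sample_release"
```

In a build pipeline the check would run against the unpacked rootfs before an image is tagged as a release; debug builds that intentionally keep a root password are expected to be rejected by it.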
* Re: Reg default user account in OpenBMC
From: Thomaiyar, Richard Marian @ 2019-03-18 18:06 UTC (permalink / raw)
To: OpenBMC Maillist
Inline update on impact & solutions for CI.
On 3/18/2019 7:49 PM, Thomaiyar, Richard Marian wrote:
>
> All,
>
> In OpenBMC, the default password “0penBmc” is used for the “root” user.
> This is getting applied for all recipes irrespective of the company's
> meta-xxx layer, as this is done through phosphor-defaults.inc (under the
> meta-phosphor distro). The only option is to override the same using
> local.conf.sample (but if missed, the default password for the root user will
> get applied). Currently this is not limited to DEBUG_BUILD but applied
> for all builds. As the root user is also exposed in phosphor-user-manager,
> it is shown as a valid user account in all the interfaces like IPMI /
> REDFISH / WEBUI etc. From a security point of view, the following
> recommendations are made.
>
> 1. Avoid having common default passwords across products (i.e. it’s
> ok to have a unique password for each device).
>
> 2. Force the end-user to configure user name & password.
>
> This was also pointed out by Ed in our sync meeting - SB-327
> Information Privacy – connected Devices
> <https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327>
>
>
>
> Having said that, I am planning to do the following. Please let me know your
> views / concerns / any other recommendations.
>
> 1. Remove the default password “0penBmc” from phosphor-defaults.inc. Any
> company which requires a password for the root user can enable the same
> using local.conf.sample in its respective meta-xxx layer (recommended
> to avoid using the root user or, in the worst case, keep it for DEBUG_BUILD only).
>
This may cause a problem for people who need the default password in the
deployment system. (But it's better to find a different solution, due to
the security concern. If this is what is really required, then it can be
overridden using local.conf.sample.) At the same time, we can keep the root
password enabled for the non-release version.
>
> 2. Can expose a different user name: openBmcUser, password: 0penBmc
> through local.conf.sample in DEBUG_BUILD / internal builds and make
> sure that this doesn’t get applied for the RELEASE version.
>
2.1 --> This provides an option so that the CI infrastructure build will use
"openBmcUser" as the default user (if the host interface is not available
for the CI system); using this methodology the CI system won't be broken.
2.2 --> In the worst case, we can have the root user for CI builds alone, as
using that we can log in over SSH and create the default user using the
ipmitool -I dbus interface.
> 3. Remove exposing user id 0 (root) in phosphor-user-manager, i.e. the
> root user (uid:0) doesn’t need to be listed as a user account in IPMI /
> REDFISH for all builds? (Reason: 1. As part of SELinux. 2. A few
> validation cases which require deleting all user accounts etc. will not be
> covered.) Note: If anyone really requires this, then we can make it
> available through a configurable flag.
>
> 4. The Host interface (IPMI commands) must be used to create user accounts
> in the BMC (i.e. from the BIOS Setup page, user accounts for the BMC can be
> created).
>
> 5. For any systems which don’t have a Host interface - logic can be
> applied to create a new user based on restrictions (say, create user
> accounts based on certain stages – provisioning / physical presence
> check / can create a unique password for each device etc.).
>
>
> Regards,
>
> Richard
>