* Reg default user account in OpenBMC
@ 2019-03-18 14:19 Thomaiyar, Richard Marian
  2019-03-18 18:06 ` Thomaiyar, Richard Marian
  0 siblings, 1 reply; 2+ messages in thread
From: Thomaiyar, Richard Marian @ 2019-03-18 14:19 UTC (permalink / raw)
  To: OpenBMC Maillist


All,

  In OpenBMC, the default password “0penBmc” is used for the “root” user. 
This is getting applied for all recipes irrespective of a company's 
meta-xxx layer, as this is done through phosphor-defaults.inc (under 
meta-phosphor distro). The only option is to override the same using 
local.conf.sample (but if missed, the default password for the root user will 
get applied). Currently this is not limited to DEBUG_BUILD but applied 
for all builds. As the root user is also exposed in phosphor-user-manager, 
it is shown as a valid user account in all the interfaces like IPMI / 
REDFISH / WEBUI etc. From a security point of view, the following 
recommendations are made.

1. Avoid having common default passwords across products (i.e. it’s ok 
to have a unique password for each device).

2. Force end-user to configure user name & password.

This was also pointed out by Ed in our sync meeting - SB-327 Information 
Privacy – connected Devices 
<https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327> 



Having said that, planning to do the following. Please let me know your 
views / concerns / any other recommendations.

1. Remove default password “0penBmc” from phosphor-defaults.inc. Any 
company which requires a password for the root user can enable the same using 
local.conf.sample, in its respective meta-xxx layer (Recommend avoiding 
use of the root user or, in the worst case, keeping it for DEBUG_BUILD only).

2. Can expose a different user name: openBmcUser password: 0penBmc through 
local.conf.sample in DEBUG_BUILD / internal builds and make sure that 
this doesn’t get applied for the RELEASE version.

3. Remove exposing user id 0 (root) in phosphor-user-manager, i.e. the root 
user (uid:0) doesn’t need to be listed as a user account in IPMI / 
REDFISH for all builds? (Reason: 1. As part of SELinux. 2. A few 
validation cases will not be covered which require deleting all user 
accounts etc.). Note: If anyone really requires this, then we can make 
it available through a configurable flag.

4. Host interface (IPMI Commands) must be used to create user accounts 
in BMC (i.e. From BIOS Setup page user accounts for the BMC can be 
created).

5. For any systems which don’t have a Host interface, logic can be 
applied to create a new user based on restrictions (say create user 
accounts based on certain stages – provisioning / physical presence 
check / can create a unique password for each device etc.).


Regards,

Richard



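The two conditions the message above warns about (a root account that still carries a usable password in a release image, and every device shipping the same password hash) can both be checked mechanically against the /etc/shadow of a built image before it leaves CI. The following is an added example, not code from this thread or from OpenBMC: the shadow contents and hashes are constructed placeholders (not the real "0penBmc" hash), the `openBmcUser` name is taken from proposal 2, and the `release_build` flag stands in for whatever build variable (e.g. the absence of DEBUG_BUILD) a layer uses to mark release images.

```python
"""Audit /etc/shadow contents from built BMC images.

Checks: (1) root (uid 0) has no usable password in a release build,
(2) no debug-only account is enabled in a release build,
(3) no two devices in a fleet share the same password hash for a user.
Added example; not OpenBMC code. All sample data below is constructed.
"""


def parse_shadow(text):
    """Map account name -> password field from shadow(5) formatted text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries


def password_state(hash_field):
    """Classify the password field: 'empty' (passwordless login),
    'locked' ('!', '*', '!!' or a '!'-prefixed hash), or 'set'."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("!", "*")):
        return "locked"
    return "set"


def audit_image(shadow_text, release_build, debug_user="openBmcUser"):
    """Return a list of findings (empty list means the image passes)."""
    findings = []
    entries = parse_shadow(shadow_text)
    # A missing root line is treated as locked; an empty field is always bad.
    root_state = password_state(entries.get("root", "!"))
    if root_state == "empty":
        findings.append("root has an empty password (passwordless login)")
    elif root_state == "set" and release_build:
        findings.append("root has a password set in a release build")
    if (release_build and debug_user in entries
            and password_state(entries[debug_user]) != "locked"):
        findings.append(f"debug account {debug_user} is enabled in a release build")
    return findings


def shared_hash_across_devices(shadow_by_device, user):
    """Return the set of device ids whose `user` hash is shared with at
    least one other device (recommendation 1: no common default password)."""
    by_hash = {}
    for dev, text in shadow_by_device.items():
        h = parse_shadow(text).get(user)
        if h is None or password_state(h) != "set":
            continue
        by_hash.setdefault(h, []).append(dev)
    return {dev for devs in by_hash.values() if len(devs) > 1 for dev in devs}


# Constructed sample: a debug image that carries both a root password and
# the debug account. The hashes are placeholders, not real crypt output.
DEBUG_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH000000000000000000000000000000:17983:0:99999:7:::
openBmcUser:$6$PLACEHOLDERSALT$PLACEHOLDERHASH00000000000000000000000000000:17983:0:99999:7:::
sshd:!:17983:0:99999:7:::
"""

# Constructed sample: a release image with root locked and no debug account password.
RELEASE_SHADOW = """\
root:!:17983:0:99999:7:::
openBmcUser:!:17983:0:99999:7:::
sshd:!:17983:0:99999:7:::
"""

# Constructed fleet: bmc-a and bmc-b share one hash, bmc-c has a unique one.
FLEET = {
    "bmc-a": "root:$6$SALTA$HASHSHARED:17983:0:99999:7:::\n",
    "bmc-b": "root:$6$SALTA$HASHSHARED:17983:0:99999:7:::\n",
    "bmc-c": "root:$6$SALTC$HASHUNIQUE:17983:0:99999:7:::\n",
}


def main():
    for label, text, release in (("debug image", DEBUG_SHADOW, False),
                                 ("debug image shipped as release", DEBUG_SHADOW, True),
                                 ("release image", RELEASE_SHADOW, True)):
        findings = audit_image(text, release_build=release)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
    print("devices sharing a root hash:", sorted(shared_hash_across_devices(FLEET, "root")))


if __name__ == "__main__":
    main()
```

In a CI job the shadow text would come from the unpacked rootfs of the image under test; the same `audit_image` call, with `release_build=True`, is the gate that fails the build if proposal 1 or 2 has been silently undone by a layer's local.conf.sample.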

* Re: Reg default user account in OpenBMC
  2019-03-18 14:19 Reg default user account in OpenBMC Thomaiyar, Richard Marian
@ 2019-03-18 18:06 ` Thomaiyar, Richard Marian
  0 siblings, 0 replies; 2+ messages in thread
From: Thomaiyar, Richard Marian @ 2019-03-18 18:06 UTC (permalink / raw)
  To: OpenBMC Maillist


Inline update on impact & solutions for CI.

On 3/18/2019 7:49 PM, Thomaiyar, Richard Marian wrote:
>
> All,
>
>  In OpenBMC, the default password “0penBmc” is used for the “root” user. 
> This is getting applied for all recipes irrespective of a company's 
> meta-xxx layer, as this is done through phosphor-defaults.inc (under 
> meta-phosphor distro). The only option is to override the same using 
> local.conf.sample (but if missed, the default password for the root user will 
> get applied). Currently this is not limited to DEBUG_BUILD but applied 
> for all builds. As the root user is also exposed in phosphor-user-manager, 
> it is shown as a valid user account in all the interfaces like IPMI / 
> REDFISH / WEBUI etc. From a security point of view, the following 
> recommendations are made.
>
> 1. Avoid having common default passwords across products (i.e. it’s 
> ok to have a unique password for each device).
>
> 2. Force end-user to configure user name & password.
>
> This was also pointed out by Ed in our sync meeting - SB-327 
> Information Privacy – connected Devices 
> <https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327> 
>
>
>
> Having said that, planning to do the following. Please let me know your 
> views / concerns / any other recommendations.
>
> 1. Remove default password “0penBmc” from phosphor-defaults.inc. Any 
> company which requires a password for the root user can enable the same 
> using local.conf.sample, in its respective meta-xxx layer (Recommend 
> avoiding use of the root user or, in the worst case, keeping it for DEBUG_BUILD only).
>
This may cause a problem for people who need the default password in a 
deployment system. (But it's better to find a different solution, due to 
the security concern. If this is really required, then it can be 
overridden using local.conf.sample.) At the same time, we can keep the root 
password enabled for non-release versions.
>
> 2. Can expose a different user name: openBmcUser password: 0penBmc 
> through local.conf.sample in DEBUG_BUILD / internal builds and make 
> sure that this doesn’t get applied for the RELEASE version.
>
2.1 --> This provides an option so that the CI infrastructure build will use 
"openBmcUser" as the default user (if a host interface is not available 
for the CI system); using this methodology the CI system won't be broken.

2.2 --> In the worst case, we can have the root user for CI builds alone, as 
using that we can log in via SSH and create the default user using the ipmitool -I 
dbus interface.

> 3. Remove exposing user id 0 (root) in phosphor-user-manager, i.e. the 
> root user (uid:0) doesn’t need to be listed as a user account in IPMI / 
> REDFISH for all builds? (Reason: 1. As part of SELinux. 2. A few 
> validation cases will not be covered which require deleting all user 
> accounts etc.). Note: If anyone really requires this, then we can make 
> it available through a configurable flag.
>
> 4. Host interface (IPMI Commands) must be used to create user accounts 
> in BMC (i.e. From BIOS Setup page user accounts for the BMC can be 
> created).
>
> 5. For any systems which don’t have a Host interface, logic can be 
> applied to create a new user based on restrictions (say create user 
> accounts based on certain stages – provisioning / physical presence 
> check / can create a unique password for each device etc.).
>
>
> Regards,
>
> Richard
>


