* Questions about changing default username or password
@ 2019-05-31  0:26 Simon Zhu(朱英澍)
  2019-06-02 18:25 ` Thomaiyar, Richard Marian
  0 siblings, 1 reply; 3+ messages in thread
From: Simon Zhu(朱英澍) @ 2019-05-31  0:26 UTC (permalink / raw)
  To: openbmc

Hello,

	I want to change default username and password in local.conf.sample.

	But this caused an invalid username error.

	I fixed it in the following way in /openbmc/openbmc/meta/recipes-extended/shadow/shadow.inc:
	I moved the patch shadow-relaxed-usernames.patch from SRC_URI_append_class-target to SRC_URI.
	

	And if I changed the default username or password, I failed to use IPMI through lanplus interface because of authentication failure.
	I need to generate my own ipmi_pass and install it to /etc/ipmi_pass.

	Do these two issues need to be fixed?

Best regards,

Simon

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Questions about changing default username or password
  2019-05-31  0:26 Questions about changing default username or password Simon Zhu(朱英澍)
@ 2019-06-02 18:25 ` Thomaiyar, Richard Marian
  2019-07-10 16:01   ` Joseph Reynolds
  0 siblings, 1 reply; 3+ messages in thread
From: Thomaiyar, Richard Marian @ 2019-06-02 18:25 UTC (permalink / raw)
  To: Simon Zhu(朱英澍), openbmc


For #1 --> you can inherit extrausers class and override the users 
accordingly, and the password

For #2 --> There is no direct way to update /etc/ipmi_pass, but once 
this image is flashed, log in to the BMC serial console, then try to execute 
passwd and update the password to the desired one (during this scenario, 
the new password is stored back in /etc/ipmi_pass). Now copy this 
/etc/ipmi_pass from your BMC to your development environment, and 
override it using bbappend.

Note: Our ultimate goal is to get rid of the default user name and 
password from the system (to whichever project it is feasible for 
security reason -- 
https://github.com/openbmc/docs/blob/master/user_management.md#deployment---out-of-factory) 


Let me know if you need any further clarifications

Regards,

Richard


On 5/31/2019 5:56 AM, Simon Zhu(朱英澍) wrote:
> Hello,
>
> 	I want to change default username and password in local.conf.sample.
>
> 	But this caused an invalid username error.
>
> 	I fixed it in the following way in /openbmc/openbmc/meta/recipes-extended/shadow/shadow.inc:
> 	I moved the patch shadow-relaxed-usernames.patch from SRC_URI_append_class-target to SRC_URI.
> 	
>
> 	And if I changed the default username or password, I failed to use IPMI through lanplus interface because of authentication failure.
> 	I need to generate my own ipmi_pass and install it to /etc/ipmi_pass.
>
> 	Do these two issues need to be fixed?
>
> Best regards,
>
> Simon

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Questions about changing default username or password
  2019-06-02 18:25 ` Thomaiyar, Richard Marian
@ 2019-07-10 16:01   ` Joseph Reynolds
  0 siblings, 0 replies; 3+ messages in thread
From: Joseph Reynolds @ 2019-07-10 16:01 UTC (permalink / raw)
  To: Thomaiyar, Richard Marian, Simon Zhu(朱英澍), openbmc

I believe we share the desire for network access to the BMC to be secure 
by default, specifically to move away from the model where a well-known 
userid has a default password (#1 below).  I understand an [OpenBMC 
Security modes 
design](https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/21195) 
document, currently in review, addresses host access to the BMC. 
Although that design addresses a related topic, I am restricting myself 
to the BMC's network operations.

Here are several models -- with my comments:

1. The userid has a default password. -- This is what we have now and it 
is not secure.  Note that merely changing to a different default 
password in your customized firmware image is also not secure because 
that password will become known to attackers.

2. Each BMC device has a unique password. -- This may be difficult to 
consume for large scale deployments.

3. The userid has a default expired password which does not let you use 
the device until you change the password.

4. The device has an initial setup which challenges you to change the 
password. -- Example: 
https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up/6

5. The userid has no password access, and uses only certificate-based 
authentication.

These models have different security characteristics.  For example, the 
expired password model (#3 above) and the initial setup model (#4 
above) work by reducing the time window an attacker has, with the 
explicit assumption that the BMC is configured soon after powering it 
on.  The unique password model (#2 above) and the certificate auth (#5 
above) require a way to generate and set the credentials, and then 
communicate them to the new device owner.

Which model seems best to you?

It may be that we support multiple models.  Whatever happens, I would 
like to eventually move away from supporting the default password model 
(#1 above).

I am exploring the "expired password" model (#3 above) and plan to push 
a design for review.

A challenge to make this work is to tie together BMCWeb, IPMI, and SSH 
access.  For example, it won't help to secure BMCWeb and network IPMI 
but leave a default SSH password.  Also, some installations enable a 
subset of the function (example: disable network IPMI and SSH, leaving 
only BMCWeb), so the function to let you change the password has to be 
on the interfaces which are still enabled (example: BMCWeb).

Please let me know your thoughts.

- Joseph


On 6/2/19 1:25 PM, Thomaiyar, Richard Marian wrote:
>
> For #1 --> you can inherit extrausers class and override the users 
> accordingly, and the password
>
> For #2 --> There is no direct way to update /etc/ipmi_pass, but once 
> this image is flashed, log in to the BMC serial console, then try to 
> execute passwd and update the password to the desired one (during this 
> scenario, the new password is stored back in /etc/ipmi_pass). Now copy 
> this /etc/ipmi_pass from your BMC to your development environment, and 
> override it using bbappend.
>
> Note: Our ultimate goal is to get rid of the default user name and 
> password from the system (to whichever project it is feasible for 
> security reason -- 
> https://github.com/openbmc/docs/blob/master/user_management.md#deployment---out-of-factory) 
>
>
> Let me know if you need any further clarifications
>
> Regards,
>
> Richard
>
>
> On 5/31/2019 5:56 AM, Simon Zhu(朱英澍) wrote:
>> Hello,
>>
>>     I want to change default username and password in local.conf.sample.
>>
>>     But this caused an invalid username error.
>>
>>     I fixed it in the following way in 
>> /openbmc/openbmc/meta/recipes-extended/shadow/shadow.inc:
>>     I moved the patch shadow-relaxed-usernames.patch from 
>> SRC_URI_append_class-target to SRC_URI.
>>
>>
>>     And if I changed the default username or password, I failed to 
>> use IPMI through lanplus interface because of authentication failure.
>>     I need to generate my own ipmi_pass and install it to 
>> /etc/ipmi_pass.
>>
>>     Do these two issues need to be fixed?
>>
>> Best regards,
>>
>> Simon
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
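
Added example, not part of the thread and not OpenBMC code: a small audit that classifies each account in a firmware image's /etc/shadow by the password models listed in the last message, using the field meanings documented in shadow(5). The sample entries and hashes are constructed placeholders; the check covers only the Linux account database, not /etc/ipmi_pass or other per-interface credential stores.

```python
"""Classify accounts in an image's /etc/shadow by password model."""

# Constructed sample shadow(5) content; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$SALTSALT$PLACEHOLDERHASH:18000:0:99999:7:::
admin:$6$SALTSALT$PLACEHOLDERHASH:0:0:99999:7:::
service:!:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""


def classify(line):
    """Return (user, status) for one shadow(5) line."""
    fields = line.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, pw, lastchg = fields[0], fields[1], fields[2]
    if pw == "":
        return user, "empty-password"        # no password required at all
    if pw.startswith(("!", "*")):
        return user, "no-password-login"     # not a crypt(3) result: password login disabled
    if lastchg == "0":
        return user, "expired-must-change"   # model #3: must change at next login
    return user, "usable-password"           # model #1 when shipped in the image


def audit(shadow_text):
    """Map every account in the shadow text to its status."""
    results = {}
    for line in shadow_text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, status = classify(line)
            results[user] = status
    return results


def baked_in_credentials(shadow_text):
    """Accounts that can log in at first boot without a forced change."""
    bad = {"usable-password", "empty-password"}
    return sorted(u for u, s in audit(shadow_text).items() if s in bad)


if __name__ == "__main__":
    for user, status in audit(SAMPLE_SHADOW).items():
        print(f"{user:10s} {status}")
    print("ships with usable credentials:", baked_in_credentials(SAMPLE_SHADOW))
```
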
