Security Working Group meeting Wednesday December 11

Security Working Group meeting Wednesday December 11

[Joseph Reynolds]

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday December 11 at 10:00am PDT.

We'll discuss current development items, and anything else that comes 
up.  The current topics:

 1.

    BMCWeb patch to allow BMC admin to disable authentication
    methods<https://github.com/openbmc/bmcweb/commit/78158631aeab5b77ea9a5f566508285cb839fadf>

 2.

    Gerrit code review to “Provide feedback from Linux PAM about why the
    new password is not accepted”
    <https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27503>

 3.

    Gerrit code review to “lockout a user account for 5 minutes after 5
    login failures”

 4.

    Gerrit code review to implement the Refish ConfigureSelf privilege
    correctly, which lets non-admin users change their own password and
    log out of their own sessions.

 5.

    Email about TFTP vulnerabilities and SCP or SFTP
    replacement<https://lists.ozlabs.org/pipermail/openbmc/2019-December/019725.html>

 6.

    Trivial PAM bmcweb config file change


Access, agenda, and notes are in the wiki:

https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph

Re: Security Working Group meeting Wednesday December 11

[Joseph Reynolds]

On 12/9/19 7:29 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday December 11 at 10:00am PDT.
The scheduled meeting in two weeks (2019-12-25) is cancelled due to US 
holidays.
The next meeting is on for 2020-01-08.

See my notes from the meeting in the google doc.

The main discussion was about secure firmware provisioning and update 
scenarios.

- Joseph

>
> Access, agenda, and notes are in the wiki:
>
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph