* Redfish security question (user enumeration)
From: Joseph Reynolds @ 2020-02-10 17:35 UTC (permalink / raw)
  To: openbmc

The Redfish spec recently changed to allow users with the Login 
privilege to enumerate all BMC users.  Previously only the admin user 
could do this.  I disagree with this change and believe it is an 
unnecessary information exposure.  Details are in the Redfish forum post.

https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration

Are we okay with this?  Do we ask Redfish to change it back?  Please 
reply to this email or to the forum with your thoughts.

Thanks,
- Joseph

References:

The change was made to Redfish version 2019.4 > DSP2046 > 
Redfish-1.0.4-PrivilegeRegistry > ManagerAccountCollection > GET:
https://www.dmtf.org/standards/redfish

OpenBMC has the corresponding implementation change pending here:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881

This was discussed in the 2020-02-05 OpenBMC security working group 
meeting as agenda item 3.  Minutes:
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI

* Re: Redfish security question (user enumeration)
From: Richard Hanley @ 2020-02-10 18:21 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: openbmc

Joseph,

I agree that it is not a good idea to expose usernames in this context.

One possible compromise is to make the account collection discoverable, but
only put the user's own account into the response (unless it is an admin user).

-Richard

* Re: Redfish security question (user enumeration)
From: Gunnar Mills @ 2020-02-11 20:07 UTC (permalink / raw)
  To: Richard Hanley, Joseph Reynolds; +Cc: openbmc

On 2/10/2020 12:21 PM, Richard Hanley wrote:
>
> One possible compromise is to make the account collection 
> discoverable, but only put the users account into the response (unless 
> it is an admin user).
>
This was discussed in the Redfish call today. Redfish will update the 
documentation and registry to make clear only the current account will 
be shown in the AccountCollection if the user lacks the ConfigureUsers 
privilege (Richard's suggestion). A response in the thread explains the 
same.

Thanks,
Gunnar
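
The three collection policies discussed in this thread, as an added example that is not bmcweb or DMTF code: the pre-2019.4 rule (GET needs ConfigureUsers), the 2019.4 rule as published (any user with Login sees every member), and the outcome Gunnar reports (only the caller's own account unless the caller has ConfigureUsers). The account table, the role contents, the URIs and the member-level rule in get_account() are the editor's assumptions for illustration; only the privilege names Login, ConfigureUsers and ConfigureSelf come from the Redfish privilege registry.

```python
"""
Added example (editor's code, not bmcweb or DMTF code): a stand-alone model
of three GET policies for the Redfish ManagerAccountCollection.  Account
table, roles and URIs are constructed; Login, ConfigureUsers and
ConfigureSelf are Redfish privilege-registry names, everything else is assumed.
"""
from typing import Dict, FrozenSet, List, Tuple

COLLECTION_URI = "/redfish/v1/AccountService/Accounts"

# Constructed sample account table: user name -> role name.
ACCOUNTS: Dict[str, str] = {
    "root": "Administrator",
    "operator1": "Operator",
    "auditor": "ReadOnly",
    "svc-backup": "ReadOnly",
}

# Role -> assigned privileges (trimmed from the Redfish base roles; assumed).
ROLE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "Administrator": frozenset({"Login", "ConfigureManager", "ConfigureUsers",
                                "ConfigureComponents", "ConfigureSelf"}),
    "Operator": frozenset({"Login", "ConfigureComponents", "ConfigureSelf"}),
    "ReadOnly": frozenset({"Login", "ConfigureSelf"}),
}

# The three policies compared in the thread.
ADMIN_ONLY = "admin-only"          # registry before 2019.4: GET needs ConfigureUsers
LOGIN_SEES_ALL = "login-sees-all"  # 2019.4 as published: any Login user sees all members
SELF_UNLESS_ADMIN = "self-unless-configureusers"  # outcome reported from the Redfish call


def _privileges(user: str) -> FrozenSet[str]:
    return ROLE_PRIVILEGES[ACCOUNTS[user]]


def _member(name: str) -> dict:
    return {"@odata.id": f"{COLLECTION_URI}/{name}"}


def list_accounts(requester: str, policy: str) -> Tuple[int, dict]:
    """GET on the collection as `requester`; returns (HTTP status, body)."""
    if requester not in ACCOUNTS:
        return 401, {}
    privs = _privileges(requester)
    if policy == ADMIN_ONLY:
        if "ConfigureUsers" not in privs:
            return 403, {}
        names: List[str] = sorted(ACCOUNTS)
    elif policy == LOGIN_SEES_ALL:
        names = sorted(ACCOUNTS)
    elif policy == SELF_UNLESS_ADMIN:
        names = sorted(ACCOUNTS) if "ConfigureUsers" in privs else [requester]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    body = {
        "@odata.id": COLLECTION_URI,
        "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
        "Name": "Accounts Collection",
        "Members": [_member(n) for n in names],
        "Members@odata.count": len(names),
    }
    return 200, body


def get_account(requester: str, target: str) -> Tuple[int, dict]:
    """GET on one member (editor's assumption, not stated in the thread).
    Hiding names from the collection only helps if member URIs cannot be read
    by guessing, so without ConfigureUsers a caller may read only its own
    account (ConfigureSelf).  A foreign account and a non-existent one both
    answer 404, so the status code is not an existence oracle."""
    if requester not in ACCOUNTS:
        return 401, {}
    privs = _privileges(requester)
    allowed = "ConfigureUsers" in privs or (
        "ConfigureSelf" in privs and target == requester)
    if target not in ACCOUNTS or not allowed:
        return 404, {}
    return 200, {"@odata.id": f"{COLLECTION_URI}/{target}",
                 "UserName": target, "RoleId": ACCOUNTS[target]}


def visible_names(requester: str, policy: str) -> List[str]:
    """What an authenticated caller can enumerate from the collection."""
    status, body = list_accounts(requester, policy)
    if status != 200:
        return []
    prefix = COLLECTION_URI + "/"
    return [m["@odata.id"][len(prefix):] for m in body["Members"]]


if __name__ == "__main__":
    for policy in (ADMIN_ONLY, LOGIN_SEES_ALL, SELF_UNLESS_ADMIN):
        for user in ("root", "auditor"):
            print(f"{policy:30} {user:10} -> {visible_names(user, policy)}")
```

Running it prints what root and auditor can enumerate under each policy. The member-level check is the part to verify in a real implementation: a collection that hides names is only a speed bump if /Accounts/{name} still answers a guessed name, and answering 403 for an existing foreign account but 404 for a missing one would hand back the same enumeration oracle the collection change was criticised for.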

* Re: Redfish security questions
From: Joseph Reynolds @ 2020-02-12 21:09 UTC (permalink / raw)
  To: Thomaiyar, Richard Marian, openbmc

On 2/12/20 12:18 AM, Thomaiyar, Richard Marian wrote:
> This is on next week, right?  I will attend (it will be late, but I will 
> try to manage).  We can discuss this and also the pam_abl issue 
> related to blocking users based on IP address.

Yes, both topics mentioned in this email are on the Wednesday 2020-02-19 
security work group agenda.  We can discuss them early in the meeting if 
you wish.

I am trying to push the conversation back out onto the email list (as a 
general principle).  I'll cut/paste the forum topic into a separate 
email thread to get it going.

I briefly looked at using pam_abl (Linux-PAM module(8) and its 
corresponding command(1)).  I am interested in using its "automatic 
blacklisting of IP addresses" function.  It is GPL3 licensed, which I think 
OpenBMC can use.  I am also interested in rate-limiting authentication 
attempts as a complementary solution.  I'll continue that email thread 
as I have time to do so.

Thank you!

- Joseph

>
>
> regards,
>
> Richard
>
> On 2/11/2020 11:01 PM, Joseph Reynolds wrote:
>>
>> On 2/10/20 10:37 PM, Thomaiyar, Richard Marian wrote:
>>> On a different note,
>>>
>>> Let me know your thoughts on this too 
>>> https://redfishforum.com/thread/279/channel-privilege-support-direction-redfish
>>>
>>> I am trying to get the direction of the Redfish spec, whether they 
>>> want to consider channel based privilege restriction or just single 
>>> privilege.
>>
>> Richard,
>>
>> Thanks.  I've replied to your thread with questions of my own. Please 
>> reply to my questions on the Redfish forum.  I think we (OpenBMC) 
>> need to have clear requirements.  I've added your topic to the 
>> OpenBMC security working group and plan to stir up any interest.  
>> You're welcome to attend, but it is not necessary.
>>
>> OpenBMC security working group:
>> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI 
>>
>>
>> - Joseph
>>
>>>
>>> regards,
>>>
>>> Richard
>>>

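Joseph's pam_abl and rate-limiting idea above, as an added example in Python (editor's code, not pam_abl or OpenBMC code): a sliding-window failure counter with a temporary lockout keyed on the source address, which is the "automatic blacklisting" behaviour in its simplest form. The thresholds, the addresses, the credential checker and the fake clock are constructed for illustration.

```python
"""
Added example (editor's code, not pam_abl or OpenBMC code): per-source-IP
failure counting with a sliding window and a temporary lockout.  All
thresholds, addresses, credentials and the clock are constructed.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class AuthThrottle:
    """Lock a key out for lockout_s once max_failures occur within window_s."""

    def __init__(self, max_failures: int = 5, window_s: float = 60.0,
                 lockout_s: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, key: str) -> bool:
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout expired: forget it and start the failure count afresh.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def record_failure(self, key: str) -> bool:
        """Count one failure; return True if the key is (now) locked."""
        now = self.clock()
        if self.is_locked(key):
            return True
        window = self._failures[key]
        while window and now - window[0] > self.window_s:  # drop stale failures
            window.popleft()
        window.append(now)
        if len(window) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def authenticate(throttle: AuthThrottle, source_ip: str, user: str,
                 password: str, check: Callable[[str, str], bool]) -> str:
    """Gate the real credential check behind the throttle.  A locked source is
    refused before the password is examined, so a correct guess made while
    locked gives the caller no signal."""
    if throttle.is_locked(source_ip):
        return "locked"
    if check(user, password):
        throttle.record_success(source_ip)
        return "ok"
    throttle.record_failure(source_ip)
    return "denied"


class FakeClock:
    """Deterministic clock so lockout expiry can be exercised offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate() -> List[str]:
    """Five wrong passwords from 10.0.0.9 one second apart, attempts during
    and after the lockout, then a first failure from another address."""
    clock = FakeClock()
    throttle = AuthThrottle(max_failures=5, window_s=60, lockout_s=300, clock=clock)

    def check(user: str, password: str) -> bool:  # constructed credential store
        return (user, password) == ("operator1", "correct horse battery staple")

    results: List[str] = []
    for _ in range(6):  # the 5th failure locks; the 6th attempt is refused outright
        results.append(authenticate(throttle, "10.0.0.9", "operator1", "wrong", check))
        clock.advance(1)
    results.append(authenticate(throttle, "10.0.0.9", "operator1",
                                "correct horse battery staple", check))  # still locked
    clock.advance(300)  # lockout has expired
    results.append(authenticate(throttle, "10.0.0.9", "operator1",
                                "correct horse battery staple", check))
    results.append(authenticate(throttle, "10.0.0.10", "operator1", "wrong", check))
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying on the source address alone is what produces the issue Richard raises: every client behind one NAT shares a key, so a handful of failures from one of them locks out all of them, and an attacker can trigger that on purpose. pam_abl keeps separate host and user rules for this reason; a per-(address, user) key, or a per-user count with growing delays instead of a hard lockout, is the usual complement to the address-based rule.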