openbmc.lists.ozlabs.org archive mirror
* OpenBMC expired password feature
@ 2021-04-13 15:39 Joseph Reynolds
From: Joseph Reynolds @ 2021-04-13 15:39 UTC (permalink / raw)
  To: openbmc, Mario Sanchez

 > Hi Joseph,
 >
 > I am working on OpenBMC and would like to test the 'initial expired 
password' feature that you worked on.  I am not sure how to enable this 
in an OpenBMC image though.
 >
 > I couldn't find another document which described that process, other 
than the design documentation listed here: 
https://github.com/openbmc/docs/blob/master/designs/expired-password.md
 >
 > Is there another document which describes the enablement process, or 
can you provide some more information on this?

Mario,

The support to have initial expired passwords is not fully available in 
the OpenBMC project.  Here are the pieces you need:

(1)
The EXPIRED_PASSWORD image feature is not implemented.  There are two 
alternate ways to expire the password:
1. Directly expire the root account password via a bitbake recipe.  See 
https://github.com/openembedded/openembedded-core/pull/63/commits/7ace37a67c56fb4b9e0e98f8eff4ed067eb89f1e
2. Add a BMC systemd service to expire the password on BMC first boot.  
See 
https://github.com/ibm-openbmc/openbmc/blob/5434eaa5e4f53d9972c7bf3c4a90fd189f529547/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb

The reason for the first-boot-expire-password.service has to do with how 
the factory reset function works.
Neither of these are merged into the OpenBMC project or OE core.

(2)
Both BMCWeb and the WebUI have the functions to handle expired 
passwords.  Specifically:
- BMCWeb follows the Redfish "password change required handling" spec.
- The WebUI has a special dialog which allows a user to change their own 
expired password during login.

Note a proposed BMCWeb change breaks the "password change required 
handling" function:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39756
Work on that is pending.

(3)
The dropbear SSH server does not allow you to login or to change your 
password when your password is expired.  My attempt to patch dropbear 
has failed, and I carry a local patch here: 
https://github.com/ibm-openbmc/openbmc/blob/86f9791c2a2d991c3509f5e785322b1011c71d26/meta-phosphor/recipes-core/dropbear/dropbear_%25.bbappend

You can avoid this issue by using the OpenSSH server in place of dropbear.


- Joseph

 >
 > Thanks,
 > --Mario.



* Re: OpenBMC expired password feature
From: Joseph Reynolds @ 2021-04-13 22:07 UTC (permalink / raw)
  To: Mario Sanchez, openbmc

On 4/13/21 12:11 PM, Mario Sanchez wrote:
> Joseph,
>
> Thank you very much for the info.

You're welcome.

In future emails, please address them to both me and to the OpenBMC 
community email list.  See https://github.com/openbmc/openbmc#contact
This way, everyone benefits from our conversation and we can share our 
knowledge.

And when you reply to openbmc emails, please answer inline (like I have) 
and not at the top of the email.  It's the custom for open source 
projects.

>
> By the way, are you aware of any issues or concerns with enabling this 
> feature via one method vs the other (bitbake recipe vs systemd 
> service) ?  Any behavior differences that may cause some problems down 
> the road ?

No, not really.  The easiest and most obvious solution is the recipe 
change, which results in the readonly image having an expired password.  
There was some esoteric issue with the factory reset function which led 
to creating the service to expire the password. I don't remember exactly 
why.  The key is to test all of your scenarios.

Good luck,
Joseph

>
> Thanks,
> --Mario.

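Added example (my code, not code from the linked recipes or the OpenBMC project) of what the first-boot service from item (1) and the recipe-vs-service question above boil down to: a POSIX shell body for a oneshot unit that expires the account password once and leaves a stamp, plus a check of the shadow file's last-change field so the unit is idempotent. The stamp path, the `svc` account and the sample shadow lines are constructed, and it assumes a shadow-utils `passwd` that supports `-e`.

```shell
#!/bin/sh
# Added example, not the linked recipe's code: the body of a first-boot
# service that expires the BMC admin account's password once, plus a helper
# that reads the "change required" marker from a shadow-format file.
# Assumes a shadow-utils passwd that supports -e (busybox's does not).
STAMP="${STAMP:-/var/lib/first-boot-expire-password.done}"   # constructed path
ACCOUNT="${ACCOUNT:-root}"

# Print field 3 (last-change day) of the account's shadow entry; status 1 if
# the account is absent. passwd -e sets this field to 0, which PAM treats as
# "password must be changed at next login".
shadow_last_change() {
    awk -F: -v u="$1" '$1 == u { print $3; found = 1 }
                       END { if (!found) exit 1 }' "$2"
}

# 0 when the account's password is marked expired, 1 when not, 2 if unknown.
is_expired() {
    lc=$(shadow_last_change "$1" "$2") || return 2
    [ "$lc" = "0" ]
}

# Run as root from a oneshot unit: expire once, then leave a stamp so later
# boots are no-ops. If a factory reset wipes the read-write filesystem that
# holds the stamp, the expiry happens again on the next boot.
first_boot_expire() {
    [ -e "$STAMP" ] && return 0
    if ! is_expired "$ACCOUNT" /etc/shadow; then
        passwd -e "$ACCOUNT" || return 1
    fi
    touch "$STAMP"
}

# Constructed sample shadow lines: root is expired (day 0), svc is not.
sample_shadow() {
    printf '%s\n' 'root:$6$salt$HASHPLACEHOLDER:0:0:99999:7:::' \
                  'svc:$6$salt$HASHPLACEHOLDER:18700:0:99999:7:::'
}

# Self-check against the sample; returns 0 when both cases are classified right.
check_sample() {
    f=$(mktemp) || return 1
    sample_shadow > "$f"
    rc=1
    if is_expired root "$f" && ! is_expired svc "$f"; then rc=0; fi
    rm -f "$f"
    return $rc
}
if [ "${1:-}" = "apply" ]; then first_boot_expire; fi
```

Running the script with `apply` as root performs the expiry; without arguments it only defines the functions, so `check_sample` can be exercised on a build host.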

