From: Ed Tanous <ed@tanous.net>
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Request new repo for IBM-specific code
Date: Mon, 8 Mar 2021 08:03:40 -0800 [thread overview]
Message-ID: <CACWQX8048sDqehYaRAS9-T8G8ffWgLo-1fOVsozAC=4TtJdFqw@mail.gmail.com> (raw)
In-Reply-To: <b8af3438-f85a-cb82-c88c-9c4e120399e9@linux.ibm.com>
On Thu, Mar 4, 2021 at 7:15 PM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>
> What is the right repository for a new Linux-PAM module to implement an
> IBM-specific ACF authentication?
>
> The access control file (ACF) design was introduced to the OpenBMC
> security working group and is described in [IBM issue 1737][] and
> further explained in [IBM issue 2562][].
Could you describe it in a design doc? Implementing ACL seems like
something that's going to affect a lot of the system (at a minimum
every outward facing client). Unless you really think that you can do
this with no changes to the client repos or phosphor-user-manager, it
seems like it's worth discussion. For what it's worth, I really don't
want to branch the authorization code in bmcweb depending on what
company compiled the code. They were hard enough to get right in the
general case, and matter a lot for security. The likelihood we get
them right for every flavor of auth that a company might want to do
seems unlikely. If we as a project need an "ultra user" that seems
like it shouldn't be specific to IBM, or should be a generic
configuration that IBM systems apply on top, using common routines.
I've already detailed a path toward this in a previous email on this
topic.
>
> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
> the IPMI implementation is shared by all of OpenBMC. By comparison, the
> proposed ibm-pam-acf module is intended only for IBM Enterprise
> systems. The intended implementation is based on standard cryptography
> techniques and could be developed into a general authentication
> solution, but the ACF is specific to IBM in terms of its exact format
> and content, and I expect it will only be used by IBM and its partners.
Have you released the specifications for this file format with an
appropriate license? That seems like a good first step to figuring
out if these could find a home in OpenBMC. If you've already done
that, could you link them?
>
> Can we create a new OpenBMC repo for this? Perhaps ibm-pam-acf? Or
> should this go into some other repo?
Could you please post the code you're planning on putting there
somewhere that we can see it in gerrit? I suspect that would help
review whether or not a new repo is warranted, and probably give hints
as to what design you're planning on implementing.
>
> - Joseph
>
> [IBM issue 1737]: https://github.com/ibm-openbmc/dev/issues/1737
> [IBM issue 2562]: https://github.com/ibm-openbmc/dev/issues/2562
> [pam-ipmi modules]: https://github.com/openbmc/pam-ipmi
next prev parent reply other threads:[~2021-03-08 16:04 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-05 3:14 Request new repo for IBM-specific code Joseph Reynolds
2021-03-05 19:15 ` Patrick Williams
2021-03-05 22:05 ` Patrick Williams
2021-03-07 4:09 ` Joseph Reynolds
2021-03-08 18:45 ` Patrick Williams
2021-03-08 20:30 ` Request new repo for IBM-specific code - pam_2fa discussion Joseph Reynolds
2021-03-08 22:41 ` Patrick Williams
2021-03-09 17:43 ` Joseph Reynolds
2021-04-29 21:09 ` Request new repo for IBM-specific code Joseph Reynolds
2021-04-29 21:24 ` Ed Tanous
2021-04-30 0:47 ` Joseph Reynolds
2021-04-30 13:29 ` Patrick Williams
2021-05-01 5:30 ` Request new repo for IBM-specific code: ibm-acf Joseph Reynolds
2021-05-02 23:46 ` Andrew Jeffery
2021-05-03 1:37 ` Andrew Jeffery
2021-05-03 16:21 ` Request new repo for IBM-specific code Ed Tanous
2021-03-08 16:03 ` Ed Tanous [this message]
2021-03-08 17:30 ` Joseph Reynolds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACWQX8048sDqehYaRAS9-T8G8ffWgLo-1fOVsozAC=4TtJdFqw@mail.gmail.com' \
--to=ed@tanous.net \
--cc=jrey@linux.ibm.com \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).