Re: Request new repo for IBM-specific code

[Ed Tanous <ed@tanous.net>]

On Thu, Apr 29, 2021 at 2:10 PM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>
> On 3/8/21 12:45 PM, Patrick Williams wrote:
> > On Sat, Mar 06, 2021 at 10:09:36PM -0600, Joseph Reynolds wrote:
> >> On 3/5/21 1:15 PM, Patrick Williams wrote:
> >>> On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:
> >>> My first reading of what is there, I'm not sure why typical certificate
> >>> based authentication couldn't solve your needs (but I'm just guessing
> >>> what your needs are).  It seems like you have a root-authority (IBM), a
> >>> a daily expiring certificate, and some fields in the certificate you
> >>> want to confirm (ex. serial number).  I've seen other production-level
> >>> systems doing similar for SSH/HTTPS without additional PAM modules.
> >> Our service team requires password based authentication.  Period. And
> >> they don't like the idea of having to generate a certificate/password
> >> pair for each service call.  But certificates offer the best technology
> >> we have to solve the access problem.  And we are not yet prepared to go
> >> to a certificate-only solution. ... So this is where we are at.
> >>
> >>>> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
> >>>> the IPMI implementation is shared by all of OpenBMC.  By comparison, the
> >>>> proposed ibm-pam-acf module is intended only for IBM Enterprise
> >>>> systems.  The intended implementation is based on standard cryptography
> >>>> techniques and could be developed into a general authentication
> >>>> solution, but the ACF is specific to IBM in terms of its exact format
> >>>> and content, and I expect it will only be used by IBM and its partners.
> >>> Are you planning to open up the tools necessary to create these ACFs?
> >> No, I hadn't been, but good idea!  We have prototype tools to generate
> >> and read the ACF.  They should be useful to our test team.
> >> There should be nothing secret in the code.  ("The only secret is the
> >> private key.")  I'll check with my security team.
> > My two concerns about hosting a repository for this are:
> >     1. Is it actually a secure method?
> >     2. Is it [potentially] useful to anyone else?
> >
> > WRT, #1, I think we need more details to make an assessment.
> >
> > For #2 I think there is some unsettled debate around "what do we do
> > about code that is only ever going to be useful to one company"?
> > Opening up the tools would at least make it possible that someone else
> > could find this useful.  I think the proposed "Repository Review Board"
> > might work on better guidance otherwise.
> >
> > Beyond that, I just have the normal "is this the right way to be doing
> > this" questions.  You've answered that somewhat with the Certs.  I may
> > disagree with it, but you obviously know your support team better than I
> > do.
> >
> > I recommended some SSH support for certificates before.  Based on your
> > ask for password-based authentiation, I would suggest looking into
> > pam_2fa[1] as a potential implementation as well.
> ...snip...
>
> Let's restart this thread from where we left off.  I am working on an
> IBM-specific design to explain the BMC portions of the IBM ACF design to
> the OpenBMC community.
>
> For item 1 ("is the ACF design a secure method"), we discussed an
> abbreviated threat model in this email thread.  From the service
> organizations point of view, it only allows authorized service reps into
> the service account.  And from the BMC admin's point of view, they can
> either lock out or authorize the service user via how they handle the
> ACFm but they don't know the password so they cannot login to the
> service account.
> The ACF features including its digital signature, matching system serial
> number, and expiration date -- all of these limit which ACFs a BMC will
> accept.  The new Linux-PAM module login is a straightforward decoding
> and validation of the ACF, and then checking the password hash.  We
> discussed using pam_2fa in this email thread, and I believe it only
> trades the complexity of a PAM module (which I regard as
> straightforward) for the complexity of a REST server.
>
> For item 2 ("is it useful to anyone else"), the answer is no.  This will
> ever only be useful to IBM and to vendors who clone OpenPOWER systems
> including IBM's approach to service account access.
>
> So ... does the GitHub OpenBMC organization host vendor specific repos
> (perhaps github.com/openbmc/ibm-misc), or does the source code go
> somewhere else (such as IBM's public fork in
> github.com/ibm-openbmc/pam-ibm-acf)?

FYI, both of these return 404.  I'm assuming the permissions don't
make them public yet.

>
> - Joseph
>