On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:
> What is the right repository for a new Linux-PAM module to implement an 
> IBM-specific ACF authentication?
> 
> The access control file (ACF) design was introduced to the OpenBMC 
> security working group and is described in [IBM issue 1737][] and 
> further explained in [IBM issue 2562][].

I'm not really seeing much documentation on this in either issue.  Do
you have a document describing your requirements and how you're planning
to accomplish it?

My first reading of what is there, I'm not sure why typical certificate
based authentication couldn't solve your needs (but I'm just guessing
what your needs are).  It seems like you have a root-authority (IBM), a
a daily expiring certificate, and some fields in the certificate you
want to confirm (ex. serial number).  I've seen other production-level
systems doing similar for SSH/HTTPS without additional PAM modules.

> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because 
> the IPMI implementation is shared by all of OpenBMC.  By comparison, the 
> proposed ibm-pam-acf module is intended only for IBM Enterprise 
> systems.  The intended implementation is based on standard cryptography 
> techniques and could be developed into a general authentication 
> solution, but the ACF is specific to IBM in terms of its exact format 
> and content, and I expect it will only be used by IBM and its partners.

Are you planning to open up the tools necessary to create these ACFs?

> Can we create a new OpenBMC repo for this?  Perhaps ibm-pam-acf?  Or 
> should this go into some other repo?
> 
> - Joseph
> 
> [IBM issue 1737]: https://github.com/ibm-openbmc/dev/issues/1737
> [IBM issue 2562]: https://github.com/ibm-openbmc/dev/issues/2562
> [pam-ipmi modules]: https://github.com/openbmc/pam-ipmi

-- 
Patrick Williams