From: Patrick Williams <patrick@stwcx.xyz>
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Request new repo for IBM-specific code - pam_2fa discussion
Date: Mon, 8 Mar 2021 16:41:40 -0600	[thread overview]
Message-ID: <YEaoJH+TP0A79tfM@heinlein> (raw)
In-Reply-To: <15f3a43c-d876-38e0-8397-9db8a3896d38@linux.ibm.com>


On Mon, Mar 08, 2021 at 02:30:26PM -0600, Joseph Reynolds wrote:
> Patrick, thanks for that.  I was unaware of the pam_2fa project.  I 
> agree this could be a good way for BMCs to get 2FA.
> 
> However, as I tried to state in this email thread, the IBM firmware 
> service organization requires that all credentials be brought onto the 
> work site because some sites have no way to communicate with an external 
> server.  That is, once you are on a customer site, you might not be able 
> to call into IBM (or even have access to a phone).  Although this is not 
> typical, I don't think it is unique to IBM.  What is done at other secure 
> installations?

I might have poorly explained my thought process before.  I know
*normal* 2FA requires remote access to the 2FA server.  The PAM_2FA
allows configuration of the URL and there is no reason why the URL
cannot be a localhost implementation of the 2FA protocol.  All the
protocol does is POST to the URL and make a decision based on the HTTP
return code.

Proposal:
    * Use 'pam_2fa' using Yubikey protocol to point at a 'localhost' URL.
    * Implement Yubikey 2FA protocol (described in pam_2fa
      documentation) in a small daemon on the BMC, specific for ACF
      certificates.
        - 2FA request will get the ACF password.
        - ACF daemon hashes password, checks with installed certificate
          and returns 4xx/2xx codes as appropriate.
    * Set PAM config to use 'pam_2fa' (pointed at localhost) for IBM
      service users.

In summary, the service accounts can have a static primary password AND
an ACF-secured secondary password which is checked with the standard 2FA
protocol.

> The IBM ACF design in terms of 2FA is:
...
> 2. The ACF has no secrets (other than the password hash stored within 
> it) and can be installed onto the BMC by the admin or the service rep.

Doesn't the service user have access you're not expecting the 'admin' to
be able to have on your machines?  How do you ensure a compromised ACF
cannot be replayed onto another machine?  With admin-level access it is
fairly trivial to fake out the serial number.

I might be misunderstanding something with "... or the service rep".
It seems like there is a gap in how the service rep would install
something when the ACF is what gives them permissions to do the install?

-- 
Patrick Williams

