Re: Request new repo for IBM-specific code

[Joseph Reynolds <jrey@linux.ibm.com>]

On 4/29/21 4:24 PM, Ed Tanous wrote:
> On Thu, Apr 29, 2021 at 2:10 PM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>> On 3/8/21 12:45 PM, Patrick Williams wrote:
>>> On Sat, Mar 06, 2021 at 10:09:36PM -0600, Joseph Reynolds wrote:
>>>> On 3/5/21 1:15 PM, Patrick Williams wrote:
>>>>> On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:
>>>>> My first reading of what is there, I'm not sure why typical certificate
>>>>> based authentication couldn't solve your needs (but I'm just guessing
>>>>> what your needs are).  It seems like you have a root-authority (IBM), a
>>>>> a daily expiring certificate, and some fields in the certificate you
>>>>> want to confirm (ex. serial number).  I've seen other production-level
>>>>> systems doing similar for SSH/HTTPS without additional PAM modules.
>>>> Our service team requires password based authentication.  Period. And
>>>> they don't like the idea of having to generate a certificate/password
>>>> pair for each service call.  But certificates offer the best technology
>>>> we have to solve the access problem.  And we are not yet prepared to go
>>>> to a certificate-only solution. ... So this is where we are at.
>>>>
>>>>>> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
>>>>>> the IPMI implementation is shared by all of OpenBMC.  By comparison, the
>>>>>> proposed ibm-pam-acf module is intended only for IBM Enterprise
>>>>>> systems.  The intended implementation is based on standard cryptography
>>>>>> techniques and could be developed into a general authentication
>>>>>> solution, but the ACF is specific to IBM in terms of its exact format
>>>>>> and content, and I expect it will only be used by IBM and its partners.
>>>>> Are you planning to open up the tools necessary to create these ACFs?
>>>> No, I hadn't been, but good idea!  We have prototype tools to generate
>>>> and read the ACF.  They should be useful to our test team.
>>>> There should be nothing secret in the code.  ("The only secret is the
>>>> private key.")  I'll check with my security team.
>>> My two concerns about hosting a repository for this are:
>>>      1. Is it actually a secure method?
>>>      2. Is it [potentially] useful to anyone else?
>>>
>>> WRT, #1, I think we need more details to make an assessment.
>>>
>>> For #2 I think there is some unsettled debate around "what do we do
>>> about code that is only ever going to be useful to one company"?
>>> Opening up the tools would at least make it possible that someone else
>>> could find this useful.  I think the proposed "Repository Review Board"
>>> might work on better guidance otherwise.
>>>
>>> Beyond that, I just have the normal "is this the right way to be doing
>>> this" questions.  You've answered that somewhat with the Certs.  I may
>>> disagree with it, but you obviously know your support team better than I
>>> do.
>>>
>>> I recommended some SSH support for certificates before.  Based on your
>>> ask for password-based authentiation, I would suggest looking into
>>> pam_2fa[1] as a potential implementation as well.
>> ...snip...
>>
>> Let's restart this thread from where we left off.
...snip
>>
>> So ... does the GitHub OpenBMC organization host vendor specific repos
>> (perhaps github.com/openbmc/ibm-misc), or does the source code go
>> somewhere else (such as IBM's public fork in
>> github.com/ibm-openbmc/pam-ibm-acf)?
> FYI, both of these return 404.  I'm assuming the permissions don't
> make them public yet.

I provided those URLs as concrete suggestions for where to host 
vendor-specific code.  They do not exist.  Sorry about the confusion.  
It is late in the day....:)
I have a weak preference to host ibm-specific code on 
github.com/openbmc/meta-ibm (maybe in subdirectory pam-ibmacf).  I 
realize this will set a precedent for the OpenBMC project, and can work 
either way.

-Joseph

>
>> - Joseph
>>