[yocto-security] CA law and expired password design
Joseph Reynolds
jrey at linux.ibm.com
Mon Jul 22 15:36:41 PDT 2019
I am working on a design to help manufacturers comply with [CA law
SB-327 Information privacy: connected devices][SB-327], specifically per
paragraph 1798.91.04(b)(2) (paraphrased): to create an image that
requires the user to generate a new password the first time they access
the system. The main idea is to bake the image with expired passwords,
so users have to change the password before they can use their device.
[SB-327]:
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
How would I set the root password to expired?
- I see the `usermod ... root` examples in the manual.
- I looked in https://wiki.yoctoproject.org/wiki/PAM_Integration
- I read meta-skeleton/recipes-skeleton/useradd/useradd-example.bb
- as well as useradd.bbclass and extrausers.bbclass
But it is not clear how to accomplish this goal.
- I don't want to expire, disable, or lock the account; that would
prevent access.
- I don't want to disable the password; that would prevent access.
- I do want to expire the password, so that the old password works and
invokes the mechanism that requires the password to be changed.
Something like: `passwd --expire root` or `chage --lastday 0 root`.
What is the best way to do this in my recipes? Would this be a
candidate for a Yocto distro or image feature?
- Joseph
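One way to do this at image build time, as an added example (not the author's or the Yocto project's own code): a POSIX shell function that expires a password entry directly in a shadow file by zeroing the "last change" field, which is what `chage --lastday 0 root` does on a running system. Hooking it into a Yocto build (calling it from a ROOTFS_POSTPROCESS_COMMAND against `${IMAGE_ROOTFS}/etc/shadow`) and the sample shadow contents are assumptions, not something the post shows.

```shell
#!/bin/sh
# Added example, not from the original post or the Yocto project.
# Field 3 of a shadow entry is "days since epoch of last password change".
# Setting it to 0 keeps the account and password usable but forces a password
# change at first login (the same effect as `chage --lastday 0 USER`).
# Assumed Yocto use: run from a ROOTFS_POSTPROCESS_COMMAND with
# SHADOW_FILE=${IMAGE_ROOTFS}/etc/shadow (assumption, not verified here).

# expire_password SHADOW_FILE USER
# Rewrites USER's entry in place; all other entries are left untouched.
# Returns 1 (and changes nothing) if USER has no entry, so a typo in the
# user name cannot silently produce an image without the forced change.
expire_password() {
    shadow="$1"
    user="$2"
    grep -q "^${user}:" "$shadow" || return 1
    tmp="${shadow}.tmp"
    # Only field 3 of the matching line is touched; OFS keeps the 9-field layout.
    awk -F: -v u="$user" 'BEGIN { OFS = ":" } $1 == u { $3 = "0" } { print }' \
        "$shadow" > "$tmp" && mv "$tmp" "$shadow"
}

# last_change SHADOW_FILE USER : print field 3 for USER (used for checking)
last_change() {
    awk -F: -v u="$2" '$1 == u { print $3 }' "$1"
}

# make_sample_shadow FILE : write a constructed two-entry shadow file.
# The root hash is a placeholder, not a real password hash.
make_sample_shadow() {
    printf '%s\n' \
        'root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18000:0:99999:7:::' \
        'daemon:*:18000:0:99999:7:::' > "$1"
}
```

After the rootfs is built, `grep '^root:' "${IMAGE_ROOTFS}/etc/shadow"` should show `0` in the third field; that is the check worth adding to the build.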