[yocto-security] Design for initial expired default password
Joseph Reynolds
jrey at linux.ibm.com
Fri Jul 26 15:23:15 PDT 2019
Richard and yocto-security (and dropped OpenBMC from the to: list),

Thank you, I'll plan this as an image feature, disabled by default.

My investigation is proceeding. We believe this approach would comply
with the law and provide significant security over having a default
password.

There is one glitch in the plan: the dropbear SSH server does NOT
implement the capability to change expired passwords. The dropbear SSH
server's default setup on OpenBMC DOES indicate the password is expired,
but gives no opportunity to change it:

$ ssh testuser@${bmc}
testuser@[REDACTED]'s password:
You are required to change your password immediately (administrator
enforced)
Permission denied, please try again.
testuser@[REDACTED]'s password:

The Dropbear source code (use the source, Luke!) shows the change
password feature is not implemented:
https://github.com/mkj/dropbear/blob/a0aa2749813331134452f80bb8a808bdc871ba41/svr-authpam.c#L198

/* check if client wants to change password */
/* not implemented by this server */

So, Yocto users who use dropbear and enable the new EXPIRED_PASSWORD
image feature and have no other way to access their system would be
locked out. I suppose switching to OpenSSH is a workaround. I also
suppose Dropbear could be enhanced to change the user's password (but I
don't have expertise in this area). I'll see what can be done. Any ideas?

This glitch will not stop OpenBMC from pursuing this design because we
have Redfish REST APIs and IPMI commands to change the password. For
example: Slide 7 titled "Password Change Required support":
https://www.dmtf.org/sites/default/files/Redfish_2019.1_Work_in_Progess.pdf

I will continue to investigate.

- Joseph

On 7/25/19 3:43 AM, Richard Purdie wrote:
> On Wed, 2019-07-24 at 18:06 -0500, Joseph Reynolds wrote:
>> I pushed an OpenBMC design to [Gerrit review][] for the OpenBMC project
>> for a new distro or image feature (disabled by default) which causes the
>> initial password to be disabled by default, so the password has to be
>> changed before using the BMC.
>>
>> This design is intended to make it easier to comply with the new CA law
>> [SB-327][] which becomes effective on 2020-01-01 (in 5 months).
>>
>> - Joseph
>>
>> [Gerrit review]: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
>> [SB-327]: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
>
> I'm fine with adding a mechanism like this. I'd suggest it should be an
> image feature rather than a distro feature as you'll only realistically
> know the users, image usage and so on in the image recipe itself
> (locking up an initramfs would be bad).
>
> Cheers,
>
> Richard
>
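
An added example, not part of the original thread or of the OpenBMC design: a build-time check that every account in an image's shadow file that accepts a password login is flagged for a forced change. It assumes the expiry is recorded the standard shadow(5) way, with the last-change field set to 0 (what `chage -d 0` writes); `audit_shadow`, `sample_shadow` and the sample entries are hypothetical and constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). All names are hypothetical.

# sample_shadow: constructed shadow(5) entries standing in for an image rootfs.
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhash:0:0:99999:7:::
service:$6$constructedsalt$constructedhash:18103:0:99999:7:::
daemon:*:18103:0:99999:7:::
guest::18103:0:99999:7:::
EOF
}

# audit_shadow [FILE]: report accounts that accept a password login but are
# not flagged for a forced change. Reads stdin when FILE is omitted.
# Exit status: 0 if every usable password is expired, 1 otherwise.
audit_shadow() {
    awk -F: '
        # Field 2 is the hash; a leading "!" or "*" locks password login.
        $2 ~ /^[!*]/ { next }
        # Empty hash: the account needs no password at all.
        $2 == ""     { print $1 ": empty password"; bad = 1; next }
        # Field 3 is the last-change day; 0 forces a change at next login.
        $3 != "0"    { print $1 ": password not expired (lastchg=" $3 ")"; bad = 1 }
        END          { exit bad + 0 }
    ' "${1:--}"
}

# Demo on the constructed sample: reports "service" and "guest".
sample_shadow | audit_shadow || echo "image would ship a usable, unexpired password" >&2
```

Run against a real image, the argument would be the `etc/shadow` inside the generated rootfs; a non-zero exit can fail the build.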