From: Vernon Mauery <vernon.mauery@linux.intel.com>
To: Brad Bishop <bradleyb@fuzziesquirrel.com>
Cc: OpenBMC <openbmc@lists.ozlabs.org>
Subject: Re: OpenBMC community telecon - 11/27 Agenda
Date: Tue, 5 Dec 2017 16:49:31 -0800 [thread overview]
Message-ID: <20171206004931.GI113334@mauery> (raw)
In-Reply-To: <20171205010205.GH113334@mauery>
On 04-Dec-2017 05:02 PM, Vernon Mauery wrote:
>On 04-Dec-2017 05:06 PM, Brad Bishop wrote:
>>multi configuration images / runtime configurability
>>user management
>>secure coding guidelines
>>
>>—————————
>>Monday, 10:00pm EDT
>>888-426-6840
>>password: 85891389
>
>For the discussion on user management.
>
>Overview:
>1. User management is done via PAM.
>2. If IPMI is being used, PAM loads the pam_ipmi.so password module.
> a. pam_ipmi.so intercepts password changes and saves the password
> for IPMI-enabled users to a file that can be read at a later time
> to initiate an RMCP+ session. (encrypted or obfuscated with a
>per-BMC key so no passwords are written directly in flash.)
> b. pam_ipmi.so implements a method to decrypt passwords and provide
> them to host-ipmi (for test password command) and net-ipmi (for
> session initiation)
>3. If a user is not enabled for IPMI, their password will not be saved
> in the ipmi database, and thus must be reset if/when that user gains
> IPMI capability.
>4. If a user loses IPMI capability, their password is reset to force a
> password change so their password is secure again.
>5. Capabilities is done via unix groups
> a. Groups like ipmi, webserver, redfish, ssh, sol can provide login
>or 'channel' access.
> b. Groups like user-manager, media, power, sensor, etc., can provide
> fine-grained access for various capabilities. Providers of
>capabilities should check to see that accessors (users) have the
>required permission.
>6. Admin-defined 'super-groups'
> a. Provide a set of pre-defined groups of capabilities that can be
> assigned to users: Admin, User, Operator or similar that each have
> groups associated with them.
> b. Changes to groups via APIs can make sure that if a user is
>assigned to a 'super-group' will stay assigned to the sub-groups
> c. Changes made to users via manual commands may override API groups
Items yet to be decided:
1. How providers of services export the service/permission pairs so the
user manager can manage the permission groups.
2. How to manage the permissions groups (is there a PAM group mechanism?)
3. How to create users (call adduser?)
4. Do we force users to have different passwords for RMCP+ and other
logins because RMCP+ passwords are insecurely stored? Or is this a
policy thing that we allow system administrators to choose?
--Vernon
>
>Methods:
> 1. CREATE_USER
> Privilege-required: USER-MANAGER
> Args:
> UserName - STRING (16 bytes only - else role change to IPMI can't be done)
> Password - Byte Array (Max of 20 bytes if IPMID is chosen. For
> others can send more bytes, but change role to IPMI will
> request password again under 20 bytes)
> Roles - STRING with comma separated
> Return:
> SUCCESS ERR_USERNAME_EXIST ERR_PASSWORD_FAILS ERR_ROLE_FAILS
> ERR_PASSWORD_ROLE_FAIL ERR_NO_RESOURCE ERR_UNKNOWN
> ERR_AUTHORIZATION_FAIL
>
> 2. DELETE_USER
> Privilege-required: USER-MANAGER
> Args:
> UserName - STRING
> Return:
> SUCCESS ERR_USERNAME_NOT_EXIST ERR_UNKNOWN ERR_AUTHORIZATION_FAIL
>
> 3. CHANGE ROLE / CHANGE_PASSWORD (OTHERS)
> Privilege-required: USER-MANAGER
> Args:
> UserName - STRING
> New Password (if changed) - Byte Array
> New Role (if changed) - Array of STRING
> Return:
> SUCCESS ERR_USERNAME_NOT_EXIST ERR_UNKNOWN ERR_AUTHORIZATION_FAIL
> ERR_PASSWORD_FAILS ERR_PASSWORD_ROLE_FAIL ERR_NO_RESOURCE
>
> 4. CHANGE_PASSWORD (SELF)
> Privilege-required: Any Valid user
> Args:
> New Password - Byte Array
> Return:
> SUCCESS ERR_PASSWORD_FAILS ERR_PASSWORD_ROLE_FAIL ERR_UNKNOWN
>
> 5. LIST_USER_DETAILS
> Privilege-required: USER-MANAGER
> Args:
> NULL
> Return:
> Array of:
> USER_NAME (String)
> ROLES (String)
>
>Signals:
> 1. UPDATED_USER_SIGNAL
> Args:
> UserName of updated user
> UpdateType:
> Role changed / User Deleted / User created / Password
>Changed etc.
>
next prev parent reply other threads:[~2017-12-06 0:49 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-04 22:06 OpenBMC community telecon - 11/27 Agenda Brad Bishop
2017-12-05 1:02 ` Vernon Mauery
2017-12-06 0:49 ` Vernon Mauery [this message]
2017-12-14 13:51 ` Tom Joseph
2017-12-14 16:51 ` Vernon Mauery
2017-12-18 18:16 ` Brad Bishop
2017-12-18 18:07 ` Brad Bishop
2017-12-18 22:39 ` Vernon Mauery
2017-12-19 0:31 ` Brad Bishop
2017-12-20 20:26 ` Michael.E.Brown
2017-12-20 20:29 ` Brad Bishop
2017-12-21 17:55 ` Michael.E.Brown
2017-12-22 0:43 ` Stewart Smith
2017-12-22 17:21 ` Michael.E.Brown
2017-12-28 23:37 ` Vernon Mauery
2018-01-04 16:58 ` Michael E Brown
2018-01-05 21:57 ` Christopher Covington
2018-01-06 16:57 ` Michael E Brown
2018-01-06 17:33 ` Brad Bishop
2018-01-06 17:33 ` Brad Bishop
2018-01-08 16:25 ` Michael E Brown
2018-01-09 2:22 ` Brad Bishop
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171206004931.GI113334@mauery \
--to=vernon.mauery@linux.intel.com \
--cc=bradleyb@fuzziesquirrel.com \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.