* BMCWeb changes login password
@ 2019-08-28  8:20 George Liu (刘锡伟)
  2019-08-28 19:48 ` Joseph Reynolds
  0 siblings, 1 reply; 7+ messages in thread
From: George Liu (刘锡伟) @ 2019-08-28  8:20 UTC (permalink / raw)
  To: openbmc@lists.ozlabs.org



I want to discuss with everyone the solution for changing the login
password.

In the web UI, when the user needs to change the login password, the current
solution is to directly enter the new password twice to change it successfully,
but the old password is not verified. The advantage is that with this solution
we can use the new password if we forget the old password. But for security
reasons, I think the old password should be verified before the login password
is changed, instead of directly entering the new password.

If anyone has any ideas or experience, please share. Thanks!



* Re: BMCWeb changes login password
  2019-08-28  8:20 BMCWeb changes login password George Liu (刘锡伟)
@ 2019-08-28 19:48 ` Joseph Reynolds
  2019-08-29  7:52   ` George Liu
  0 siblings, 1 reply; 7+ messages in thread
From: Joseph Reynolds @ 2019-08-28 19:48 UTC (permalink / raw)
  To: George Liu (刘锡伟), openbmc@lists.ozlabs.org


On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
>
> I want to discuss with everyone about the solution to change the login 
> password.
>
>   In the WEB, When the user needs to change the login password, the 
> current solution is to directly enter the new password twice to change 
> successfully, but the old password is not verified. the advantage is 
> that we can use the new password through this solution if we forget 
> the old password. but for the security reasons, I think should 
> verifying the old password instead of directly entering the new 
> password before change login password.
>
> if everyone have any ideas or experience, please share, thanks!
>
Are you referring to the phosphor-webui design mentioned here?
https://github.com/ibm-openbmc/dev/issues/1048

OWASP has some recommendations:
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session

- Joseph


* Re: BMCWeb changes login password
  2019-08-28 19:48 ` Joseph Reynolds
@ 2019-08-29  7:52   ` George Liu
  0 siblings, 0 replies; 7+ messages in thread
From: George Liu @ 2019-08-29  7:52 UTC (permalink / raw)
  To: Joseph Reynolds
  Cc: George Liu (刘锡伟), openbmc@lists.ozlabs.org


On Thu, Aug 29, 2019 at 3:48 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:

>
> On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
> >
> > I want to discuss with everyone about the solution to change the login
> > password.
> >
> >   In the WEB, When the user needs to change the login password, the
> > current solution is to directly enter the new password twice to change
> > successfully, but the old password is not verified. the advantage is
> > that we can use the new password through this solution if we forget
> > the old password. but for the security reasons, I think should
> > verifying the old password instead of directly entering the new
> > password before change login password.
> >
> > if everyone have any ideas or experience, please share, thanks!
> >
> Are you referring to the phosphor-webui design mentioned here?:
> https://github.com/ibm-openbmc/dev/issues/1048
>
> OWASP has some recommendations:
>
> https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
>
> https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session


Thanks, the password change was mentioned in step 4.
I think we should add an input field to enter the old password and verify it
when the form is submitted (phosphor-webui).
>
>
> - Joseph
>
>


* BMCWeb changes login password
@ 2019-08-30  7:18 Wang, Kuiying
  2019-09-04  2:06 ` Joseph Reynolds
  0 siblings, 1 reply; 7+ messages in thread
From: Wang, Kuiying @ 2019-08-30  7:18 UTC (permalink / raw)
  To: OpenBMC Maillist; +Cc: Li, Yong B, Jia, Chunhui


Currently only the administrator is allowed to add users, modify users, or change passwords.
The administrator has permission to change other users' passwords or delete them directly.
The administrator does not need to know the old passwords of other users.
For the administrator changing their own password, the old password is still not needed, because the administrator is already logged in to a session.
So we don't need to add an "input field to enter the old password".

But there is an open question about multiple-administrator support: currently an administrator user can add more administrator-level users.
And any one of the administrators who logs in can modify other administrator users, such as changing their password or deleting them directly.
I think it is a bit of a security issue. We have to restrict multiple administrator users, or not allow an administrator to modify other administrator users.


Thanks,
Kwin.



>
> On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
> >
> > I want to discuss with everyone about the solution to change the login
> > password.
> >
> >   In the WEB, When the user needs to change the login password, the
> > current solution is to directly enter the new password twice to change
> > successfully, but the old password is not verified. the advantage is
> > that we can use the new password through this solution if we forget
> > the old password. but for the security reasons, I think should
> > verifying the old password instead of directly entering the new
> > password before change login password.
> >
> > if everyone have any ideas or experience, please share, thanks!
> >
> Are you referring to the phosphor-webui design mentioned here?:
> https://github.com/ibm-openbmc/dev/issues/1048
>
> OWASP has some recommendations:
>
> https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
>
> https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session

Thanks, the password change was mentioned in step 4.
I think should add an input field to enter the old password and verify it
when the form is submitted(phosphor-webui).
>
>
> - Joseph
>
>



* Re: BMCWeb changes login password
  2019-08-30  7:18 Wang, Kuiying
@ 2019-09-04  2:06 ` Joseph Reynolds
  2019-09-04 14:57   ` Alexander Tereschenko
  0 siblings, 1 reply; 7+ messages in thread
From: Joseph Reynolds @ 2019-09-04  2:06 UTC (permalink / raw)
  To: Wang, Kuiying, OpenBMC Maillist; +Cc: Jia, Chunhui, Li, Yong B


On 8/30/19 2:18 AM, Wang, Kuiying wrote:
>
> Currently only administrator is allowed to add user/modify user/change 
> password.
>
> Administrator has the permission to change other users password or 
> delete it directly.
>
> Administrator no need to know the old password of other users.
>
> For administrator to change itself password thing, still no need the 
> old password, because administrator is already login a session.
>
> So we don’t need to add “input field to enter the old password”.
>

I don't think we are talking about the same things here.

1. I agree that the BMC admin user should not have to enter the old 
password when changing a user's password. => However, we may want to 
force the admin to re-enter their password when accessing a sensitive 
feature such as changing someone's account. Reference the link below:

https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features


2. The scenario where we may want to ask for the old password is the 
"password change dialog". This dialog is accessed when the user signs 
into the Web App login page and the web app informs the user that their 
password is expired and must be changed before they can access the BMC. 
The dialog asks for their new password (twice) ... and does it also ask 
for the old password? <== That's the question.


> But there is an open for multiple administrator user supporting, 
> currently administrator user could add more administrator level users.
>
> And anyone of the administrators login, he could modify other 
> administrator users like change password or delete it directly.
>
> I think it is *a bit security issue*. Have to restrict multiple 
> administrator user or do not allow administrator to modify other 
> administrator users.
>
According to Redfish spec 
https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.7.0.pdf
section 13.2.9 ("Privilege model/Authorization"), the predefined 
"Administrator" role has the "ConfigureUsers" privilege.  It is my 
understanding that the ConfigureUsers privilege is sufficient 
(reference: section 13.2.6) to create, delete, and manage other user 
accounts.

Given this privilege model, I think you want to be able to trust your 
Admin users, and give less-trusted users the Operator role (section 
13.2.9).  If you were thinking of something more complicated, Redfish 
allows you to define Custom roles and OEM privileges.

- Joseph

> Thanks,
>
> Kwin.
>
> >
> > On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
> > >
> > > I want to discuss with everyone about the solution to change the login
> > > password.
> > >
> > >   In the WEB, When the user needs to change the login password, the
> > > current solution is to directly enter the new password twice to change
> > > successfully, but the old password is not verified. the advantage is
> > > that we can use the new password through this solution if we forget
> > > the old password. but for the security reasons, I think should
> > > verifying the old password instead of directly entering the new
> > > password before change login password.
> > >
> > > if everyone have any ideas or experience, please share, thanks!
> > >
> > Are you referring to the phosphor-webui design mentioned here?:
> > https://github.com/ibm-openbmc/dev/issues/1048
> >
> > OWASP has some recommendations:
> >
> > https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
> >
> > https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session
> Thanks, the password change was mentioned in step 4.
> I think should add an input field to enter the old password and verify it
> when the form is submitted(phosphor-webui).
> >
> >
> > - Joseph
> >
> >
>
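The three cases Joseph separates above (admin resetting another account, a user changing their own password in an established session, and the expired-password dialog right after login), written out as a small policy model. This is an added example, not bmcweb or phosphor-webui code; the role-to-privilege table follows the Redfish predefined roles in DSP0266 section 13.2.9, while `REAUTH_WINDOW_S`, the `Account`/`Session` shapes and the `now` parameter are assumptions made so the decision can be exercised deterministically.

```python
# Added example (not bmcweb/phosphor-webui code) modelling the three password-change
# cases in this thread. Roles follow Redfish DSP0266 13.2.9; REAUTH_WINDOW_S is assumed.
import hashlib, hmac, os
from dataclasses import dataclass
ROLE_PRIVILEGES = {
    "Administrator": {"Login", "ConfigureManager", "ConfigureUsers", "ConfigureComponents", "ConfigureSelf"},
    "Operator": {"Login", "ConfigureComponents", "ConfigureSelf"},
    "ReadOnly": {"Login", "ConfigureSelf"},
}
REAUTH_WINDOW_S = 300  # assumed: how recently the caller must have proven a password

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Account:
    def __init__(self, role: str, password: str, expired: bool = False):
        self.role = role
        self.set_password(password)
        self.expired = expired  # True: must be changed at next login
    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)
        self.expired = False
    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password, self.salt), self.digest)

@dataclass
class Session:
    user: str
    authenticated_at: float  # when the password was last verified (login or re-auth)

def change_password(session, accounts, target, new_pw, old_pw=None, now=0.0):
    privs = ROLE_PRIVILEGES[accounts[session.user].role]
    fresh = (now - session.authenticated_at) <= REAUTH_WINDOW_S
    acct = accounts[target]
    if target != session.user:
        # Case 1: admin resetting someone else's password: no old password needed
        # (ConfigureUsers), but it is sensitive, so require recent re-auth (OWASP).
        if "ConfigureUsers" not in privs:
            return False, "ConfigureUsers privilege required"
        if not fresh:
            return False, "re-authentication required"
    elif not fresh:
        # Case 2: self change in an established session: verify the old password (OWASP
        # step 4). Case 3, the expired-password dialog right after login, is `fresh`.
        if old_pw is None or not acct.verify(old_pw):
            return False, "old password required"
    acct.set_password(new_pw)
    return True, "changed"
```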


* Re: BMCWeb changes login password
  2019-09-04  2:06 ` Joseph Reynolds
@ 2019-09-04 14:57   ` Alexander Tereschenko
  2019-09-04 22:28     ` Joseph Reynolds
  0 siblings, 1 reply; 7+ messages in thread
From: Alexander Tereschenko @ 2019-09-04 14:57 UTC (permalink / raw)
  To: openbmc

On 04-Sep-19 04:06, Joseph Reynolds wrote:
> 2. The scenario where we may want to ask for the old password is the 
> "password change dialog".  This dialog is accessed when the user signs 
> into the Web App login page and the web app informs the user that 
> their password is expired and must be changed before they can access 
> the BMC  The dialog asks for their new password (twice) ... and does 
> it also ask for the old password? <== That's the question.

FWIW, by the time the BMC is able to determine that the user's password is 
expired (and make sure that it is indeed that user who is accessing the web 
app), the user must have entered their password, so asking for it once again 
sounds like a surplus step in this particular scenario.

regards,
Alexander


* Re: BMCWeb changes login password
  2019-09-04 14:57   ` Alexander Tereschenko
@ 2019-09-04 22:28     ` Joseph Reynolds
  0 siblings, 0 replies; 7+ messages in thread
From: Joseph Reynolds @ 2019-09-04 22:28 UTC (permalink / raw)
  To: Alexander Tereschenko, openbmc


On 9/4/19 9:57 AM, Alexander Tereschenko wrote:
> On 04-Sep-19 04:06, Joseph Reynolds wrote:
>> 2. The scenario where we may want to ask for the old password is the 
>> "password change dialog".  This dialog is accessed when the user 
>> signs into the Web App login page and the web app informs the user 
>> that their password is expired and must be changed before they can 
>> access the BMC  The dialog asks for their new password (twice) ... 
>> and does it also ask for the old password? <== That's the question.
>
> FWIW, by the time the BMC is able to determine that user's password is 
> expired (and make sure that's indeed that user who's accessing the web 
> app), the user must have entered their password, so asking it once 
> again sounds like surplus step in this particular scenario.
I agree.  Industry standards are not clear about the best practices in 
this situation.

- Joseph

>
> regards,
> Alexander
>
