IBM DISTRO_FEATURE ibm-service-account-policy
This creates a new DISTRO_FEATURE "ibm-service-account-policy" which
- Adds an admin account which cannot SSH to the BMC's command shell.
- Adds a service account which can SSH and has passwordless sudo access.
This feature is applied to witherspoon-tacoma and p10bmc (rainier).
Tested:
The image behaves as before when the distro feature is not configured.
When the distro feature is configured:
The root user has the same access as before.
The admin user:
- Is not allowed to access the BMC's command shell.
- Console login gets: This account is currently not available.
- SSH login gets: Permission denied, please try again.
- Redfish and REST API access works with role=Administrator.
The service user:
- Console login to the BMC's command shell works. The home
directory is /. Passwordless sudo works.
- SSH login works and using sudo from a SSH session works.
- Redfish and REST API access works with role=Administrator.
Change-Id: Icac5ba7f4fa663047709ab55007bbcfec8158f5e
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
diff --git a/meta-ibm/conf/machine/p10bmc.conf b/meta-ibm/conf/machine/p10bmc.conf
index 2cab74e..5206c27 100644
--- a/meta-ibm/conf/machine/p10bmc.conf
+++ b/meta-ibm/conf/machine/p10bmc.conf
@@ -15,6 +15,7 @@
require conf/distro/include/phosphor-mmc.inc
require conf/distro/include/ibm-mpreboot.inc
require conf/distro/include/ibm-yaml.inc
+DISTRO_FEATURES += "ibm-service-account-policy"
SERIAL_CONSOLES = "115200;ttyS4"
diff --git a/meta-ibm/conf/machine/witherspoon-tacoma.conf b/meta-ibm/conf/machine/witherspoon-tacoma.conf
index 9826d55..2d696ec 100644
--- a/meta-ibm/conf/machine/witherspoon-tacoma.conf
+++ b/meta-ibm/conf/machine/witherspoon-tacoma.conf
@@ -14,6 +14,7 @@
require conf/distro/include/openpower-virtual-pnor.inc
require conf/distro/include/phosphor-mmc.inc
require conf/distro/include/ibm-mpreboot.inc
+DISTRO_FEATURES += "ibm-service-account-policy"
SERIAL_CONSOLES = "115200;ttyS4"
diff --git a/meta-ibm/recipes-extended/sudo/sudo_%.bbappend b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..f4254e7
--- /dev/null
+++ b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,8 @@
+# Allow passwordless use of sudo
+
+PACKAGECONFIG += "pam-wheel"
+
+do_install_append () {
+ # Allow members of the 'wheel' group to use passwordless sudo
+ sed -i 's/# \(%wheel ALL=(ALL) NOPASSWD: ALL\)/\1/' ${D}${sysconfdir}/sudoers
+}
diff --git a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
index 403bfa0..57260f0 100644
--- a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
+++ b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
@@ -5,3 +5,61 @@
# remove so things fit in available flash space
IMAGE_FEATURES_remove_witherspoon = "obmc-user-mgmt-ldap"
+
+# Optionally configure IBM service accounts
+#
+# To configure your distro, add the following line to its config:
+# DISTRO_FEATURES += "ibm-service-account-policy"
+#
+# The service account policy is as follows:
+# root - The root account remains present. It is needed for internal
+# accounting purposes and for debugging service access.
+# admin - Provides administrative control over the BMC. The role is
+# SystemAdministrator. Admin users have access to interfaces including:
+# Redfish, REST APIs, Web. No access to the BMC via: the BMC's physical
+# console, SSH to the BMC's command line.
+# IPMI access is not granted by default, but admins can authorize
+# themselves and enable the IPMI service.
+# The admin has access to the host console: ssh -p2200 admin@${bmc}.
+# The admin account does not have a home directory.
+# service - Provides IBM service and support representatives (SSRs, formerly
+# known as customer engineers or CEs) access to the BMC. The role is
+# OemIBMServiceAgent. The service user has full admin access, plus access
+# to BMC interfaces intended only to service the BMC and host, including
+# SSH access to the BMC's command line.
+# The service account is not authorized to IPMI because of the inherent
+# security weakness in the IPMI spec and also because the IPMI
+# implementation was not enhanced to use the ACF support.
+# The service account does not have a home directory. The home directory is
+# set to / (the root directory) to allow dropbear ssh connections.
+
+inherit extrausers
+
+# The password hash used here is the traditional 0penBmc password.
+
+#IBM_EXTRA_USERS_PARAMS += " \
+# usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
+# "
+
+# Add group "wheel" (before adding the "service" account).
+IBM_EXTRA_USERS_PARAMS += " \
+ groupadd wheel; \
+ "
+
+# Add the "admin" account.
+IBM_EXTRA_USERS_PARAMS += " \
+ useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \
+ usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' admin; \
+ "
+
+# Add the "service" account.
+IBM_EXTRA_USERS_PARAMS += " \
+ useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
+ usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' service; \
+ "
+
+# This is recipe specific to ensure it takes effect.
+EXTRA_USERS_PARAMS_pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"
+
+# The service account needs sudo.
+IMAGE_INSTALL_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"