commit | ef73ad0d99623c67679008728daa578098c54a40 | |
---|---|---|
author | Paul Fertser <fercerpav@gmail.com> | Fri Jan 21 19:44:40 2022 +0000 |
committer | Ed Tanous <ed@tanous.net> | Wed Feb 09 06:44:06 2022 +0000 |
tree | 6080c7169572bf315b9f8f57ead6266cf11d8dae | |
parent | 6ba8c82ef6e67486b251cdc8c75e5a65a419a0ab | |
Allow setting MinPasswordLength in AccountService

The MinPasswordLength property is writable according to the Redfish schema and phosphor-user-manager allows setting it, so implement the corresponding call.

Tested:

```
$ curl -k 'https://root:0penBmc@[fe80::5054:ff:fe12:3402%tap0]/redfish/v1/AccountService' -X PATCH -d '{"MinPasswordLength": 12}'
{
  "@Message.ExtendedInfo": [
    {
      "@odata.type": "#Message.v1_1_1.Message",
      "Message": "Successfully Completed Request",
      "MessageArgs": [],
      "MessageId": "Base.1.8.1.Success",
      "MessageSeverity": "OK",
      "Resolution": "None"
    }
  ]
}
$ curl -s -k 'https://root:0penBmc@[fe80::5054:ff:fe12:3402%tap0]/redfish/v1/AccountService' | jq .MinPasswordLength
12
root@qemuarm:~# grep cracklib /etc/pam.d/common-password
password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=12 difok=0 lcredit=0 ocredit=0 dcredit=0 ucredit=0
$ curl -k 'https://root:0penBmc@[fe80::5054:ff:fe12:3402%tap0]/redfish/v1/AccountService' -X PATCH -d '{"MinPasswordLength": 8}'
{
  "@Message.ExtendedInfo": [
    {
      "@odata.type": "#Message.v1_1_1.Message",
      "Message": "Successfully Completed Request",
      "MessageArgs": [],
      "MessageId": "Base.1.8.1.Success",
      "MessageSeverity": "OK",
      "Resolution": "None"
    }
  ]
}
$ curl -s -k 'https://root:0penBmc@[fe80::5054:ff:fe12:3402%tap0]/redfish/v1/AccountService' | jq .MinPasswordLength
8
root@qemuarm:~# grep cracklib /etc/pam.d/common-password
password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=8 difok=0 lcredit=0 ocredit=0 dcredit=0 ucredit=0
```

With https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/50589 applied this doesn't silently ignore the value that is less than the lower limit and produces an error, the old value is preserved:

```
$ curl -k 'https://root:0penBmc@[fe80::5054:ff:fe12:3402%tap0]/redfish/v1/AccountService' -X PATCH -d '{"MinPasswordLength": 7}'
{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "#Message.v1_1_1.Message",
        "Message": "The request failed due to an internal service error. The service is still operational.",
        "MessageArgs": [],
        "MessageId": "Base.1.8.1.InternalError",
        "MessageSeverity": "Critical",
        "Resolution": "Resubmit the request. If the problem persists, consider resetting the service."
      }
    ],
    "code": "Base.1.8.1.InternalError",
    "message": "The request failed due to an internal service error. The service is still operational."
  }
$ curl -s -k 'https://root:0penBmc@[fe80::5054:ff:fe12:3402%tap0]/redfish/v1/AccountService' | jq .MinPasswordLength
8
```

Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Change-Id: I17e5aa6ca7825fcffbec3939d572bc7ccc01405b

This component attempts to be a "do everything" embedded webserver for openbmc.
At this time, the webserver implements a few interfaces:
BMCWeb is configured by setting `-D` flags that correspond to options in `bmcweb/meson_options.txt` and then compiling. For example, `meson <builddir> -Dkvm=disabled ...` followed by `ninja` in the build directory. The option names become C++ preprocessor symbols that control which code is compiled into the program.
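```sh
# Configure with the default options, then build
meson builddir
ninja -C builddir
```

```sh
# Size-optimised build with link-time optimisation and tests disabled
meson builddir -Dbuildtype=minsize -Db_lto=true -Dtests=disabled
ninja -C builddir
```
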
If any of the dependencies are not found on the host system during configuration, meson automatically gets them via its wrap dependencies mentioned in `bmcweb/subprojects`.

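```sh
# Do not fall back to wrap subprojects for dependencies missing on the host
meson builddir -Dwrap_mode=nofallback
ninja -C builddir
```

```sh
# Debug build
meson builddir -Dbuildtype=debug
ninja -C builddir
```

```sh
# Build with coverage instrumentation and tests enabled
meson builddir -Db_coverage=true -Dtests=enabled
ninja coverage -C builddir test
```
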
When BMCWeb starts running, it reads persistent configuration data (such as UUID and session data) from a local file. If this is not usable, it generates a new configuration.
When BMCWeb SSL support is enabled and a usable certificate is not found, it will generate a self-signed certificate before launching the server. The keys are generated by the `secp384r1` algorithm. The certificate `C=US, O=OpenBMC, CN=testhost`, `SHA-256` algorithm.
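
An operator will usually want to know which BMCs still serve this auto-generated certificate so it can be replaced with one issued by the site's own CA. The following check is an added example, not part of bmcweb: it assumes the `openssl` command-line tool is installed, relies on a self-signed certificate carrying the same name as subject and issuer, and uses hypothetical function names and a constructed test certificate.

```sh
# Added example: flag a certificate that matches the auto-generated default.
# DN values are from the README text; all function names are hypothetical.

# make_sample_cert FILE [SUBJECT]: write a CONSTRUCTED self-signed test
# certificate (secp384r1 key, SHA-256 signature) to FILE.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
        -sha256 -nodes -days 1 -subj "${2:-/C=US/O=OpenBMC/CN=testhost}" \
        -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

# fetch_cert HOST:PORT FILE: save the certificate a live server presents.
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# dn FIELD FILE: print subject or issuer in RFC 2253 form, without the label.
dn() {
    out=$(openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 2>/dev/null) || return 2
    out=${out#*=}
    printf '%s\n' "${out# }"
}

# is_default_cert FILE: 0 if self-issued with the default DN, 1 if not,
# 2 if FILE cannot be parsed as a certificate.
is_default_cert() {
    subj=$(dn subject "$1") || return 2
    iss=$(dn issuer "$1") || return 2
    [ "$subj" = "$iss" ] || return 1
    case ",$subj," in *",CN=testhost,"*) ;; *) return 1 ;; esac
    case ",$subj," in *",O=OpenBMC,"*) ;; *) return 1 ;; esac
}

# cert_params FILE: print "<curve> <signature algorithm>" for an EC certificate.
cert_params() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    printf '%s %s\n' "$curve" "$sig"
}

# Usage: sh check_cert.sh cert.pem ...   (one verdict per file)
for f in "$@"; do
    is_default_cert "$f"; rc=$?
    case $rc in
        0) echo "$f: auto-generated default ($(cert_params "$f")), replace it" ;;
        1) echo "$f: not the auto-generated default" ;;
        *) echo "$f: could not be parsed as a certificate" ;;
    esac
done
```

A match on the name alone does not prove the certificate came from bmcweb, so treat a hit as a prompt to inspect the host rather than as a final verdict.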