Author: Joseph Reynolds
Other contributors: None
Created: 2019-07-24
OpenBMC has a default password, connects to the network via DHCP, and does not have a mechanism to require administrators to change the BMC's password. This may lead to BMCs which have default passwords being on the network for long time periods, effectively giving unrestricted access to the BMC.
Various computer systems ship with default userid and passwords and require the password be changed on the initial signon. This reduces the time window when the system is accessible with a default password.
Various BMC interfaces require authentication before access is granted. The authentication and account validation steps typically result in outcomes like this:
OpenBMC currently implements the first two outcomes; it treats PasswordChangeRequired the same as an account that is invalid for any other reason. Some servers (such as the OpenSSH server) handle the PasswordChangeRequired by implementing a "password change dialog".
The Redfish Specification version 1.7.0 section 13.2.6.1 ("Password change required handling") provides the ManagerAccount resource v1.3 with a PasswordChangeRequired property which supports a password change dialog.
Note the terminology: An "expired password" is a special case of "password change required".
The meaning of the term "access" varies by context. It could mean:
This design uses meanings 3 and 4 except where indicated.
The requirements are:
The use case is:
Preconditions for the BMC include:
/etc/passwd
file is writeable.This design has three main parts:
There is a new image feature EXPIRED_PASSWORD. When EXPIRED_PASSWORD is enabled, the BMC's default password will initially be expired as if via the passwd --expire root
command. This administratively expires the password and is not based on time. An account with an expired password is neither locked nor disabled.
This feature is intended to be enabled by default, with a staging plan: the feature will be disabled to give time for the continuous integration (CI) and test automation efforts to adapt, then enabled for the overall project.
The BMC's network interfaces (such as REST APIs, SSH, and IPMI) disallow access via an account which has an expired password. If the access credentials are otherwise correct and the reason for the authentication failure is an expired password (determined by the usual Linux practices), where possible, the interface should indicate the password is expired and how to change it (see below). Otherwise the usual security protocols apply (giving no additional information).
The /login
URI is enhanced. If it is used with correct credentials (userid and password) and the password needs to be changed the request will fail to create a session and indicate a password change is needed. If it is used with correct userid and incorrect password, or with an incorrect userid, the behavior must not change. Note the /login
URI is deprecated.
The '/redfish/v1/SessionService/Sessions/' and '/redfish/v1/AccountService/Accounts/' resources are enhanced to indicate PasswordChangeRequired per the Redfish spec.
The ipmitool
command treats an expired password the same as an invalid password. Note the RMCP+ standard, such as used for the BMC's network IPMI interface, does not support changing the password when establishing a session. The ipmitool is not being enhanced by this design.
The Secure Shell access (via the ssh
command) already correctly indicates when the password is expired. No change is needed. But see the next bullet for the expired password dialog.
There is a way for an account owner to change their own expired password. This can be either from a network-facing or in-band password changing protocol. For example:
ipmitool user set password
command when accessed in-band.When Redfish creates a session with PasswordChangeRequired, every response contains a PasswordChangeRequired message. The session effectively has only the ConfigureSelf privilege which allows it to only change the password and terminate the session. The usage pattern is:
This design is intended to cover any cause of expired password, including both the BMC's initial expired password and password expired for another cause such as aging or via the passwd --expire
command.
This design is intended to enable the webui-vue web application to implement a password change dialog for the signon screen.
Per the above design, when the web app uses either /login
or /redfish/v1/SessionService
to establish a session and the account has an expired password:
/login
URI was used, the HTTP response indicates the password must be changed, and will not establish a session. In this case, the web app must use the Redfish API to establish a session./redfish/v1/SessionService/Sessions
will establish a session which will have the PasswordChangeRequired message.The following alternate designs were considered:
Warning. This design may leave the BMC with its default password for an extended period of time if the use case given in the requirements section of this design does not apply. For example, when the host is operated strictly via its power button and not through the BMC's network interface. In this case, the alternatives listed above may mitigate this risk. Another alternative is a design where the BMC is initially in a provisioning mode which does not allow the BMC to operate its host. The idea is that you have to establish access to the BMC (which includes changing its password) before you can leave provisioning mode.
The BMCWeb Redfish server could be enhanced so that when the Password is successfully patched, the session no longer asserts the PasswordChangeRequired condition and re-asserts the user's usual authority immediately without requiring a new session. This is allowed by the Redfish spec, but was not implemented because it would be more difficult to code and test.
Having to change an expired password is annoying and breaks operational procedures and scripts. Documentation, lifecycle review, and test are needed. Expect pain when this is enabled.
To help with this, the REDFISH-cheatsheet will be updated with commands needed to detect and change an expired password.
This design does not affect other policies such as password aging.
Scenarios: