IBM DISTRO_FEATURE ibm-service-account-policy

This creates a new DISTRO_FEATURE "ibm-service-account-policy" which
 - Adds an admin account which cannot SSH to the BMC's command shell.
 - Adds a service account which can SSH and has passwordless sudo access.

This feature is applied to witherspoon-tacoma and p10bmc (rainier).

Tested:
  The image behaves as before when the distro feature is not configured.
  When the distro feature is configured:
  The root user has the same access as before.
  The admin user:
   - Is not allowed to access the BMC's command shell.
   - Console login gets: This account is currently not available.
   - SSH login gets: Permission denied, please try again.
   - Redfish and REST API access works with role=Administrator.
  The service user:
   - Console login to the BMC's command shell works.  The home
     directory is /.  Passwordless sudo works.
   - SSH login works and using sudo from an SSH session works.
   - Redfish and REST API access works with role=Administrator.

Change-Id: Icac5ba7f4fa663047709ab55007bbcfec8158f5e
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
diff --git a/meta-ibm/conf/machine/p10bmc.conf b/meta-ibm/conf/machine/p10bmc.conf
index 2cab74e..5206c27 100644
--- a/meta-ibm/conf/machine/p10bmc.conf
+++ b/meta-ibm/conf/machine/p10bmc.conf
@@ -15,6 +15,7 @@
 require conf/distro/include/phosphor-mmc.inc
 require conf/distro/include/ibm-mpreboot.inc
 require conf/distro/include/ibm-yaml.inc
+DISTRO_FEATURES += "ibm-service-account-policy"
 
 SERIAL_CONSOLES = "115200;ttyS4"
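
Review bot: The added `DISTRO_FEATURES += "ibm-service-account-policy"` line after the `require` block carries no comment saying what it turns on, and per the commit message that is a service account with SSH access and passwordless sudo plus an admin account with no shell. A one-line comment above it naming those two effects would make the security impact visible to anyone reading p10bmc.conf. Separately, `+=` in a machine conf takes effect immediately at parse time, so if DISTRO_FEATURES has not been set by that point, a later `?=` default for it would be skipped. An append-style assignment would not depend on parse order. The commit message also names witherspoon-tacoma, so the same line there deserves the same comment.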