IBM DISTRO_FEATURE ibm-service-account-policy
This creates a new DISTRO_FEATURE "ibm-service-account-policy" which
- Adds an admin account which cannot SSH to the BMC's command shell.
- Adds a service account which can SSH and has passwordless sudo access.
This feature is applied to witherspoon-tacoma and p10bmc (rainier).
Tested:
The image behaves as before when the distro feature is not configured.
When the distro feature is configured:
The root user has the same access as before.
The admin user:
- Is not allowed to access the BMC's command shell.
- Console login gets: This account is currently not available.
- SSH login gets: Permission denied, please try again.
- Redfish and REST API access works with role=Administrator.
The service user:
- Console login to the BMC's command shell works. The home
directory is /. Passwordless sudo works.
- SSH login works and using sudo from a SSH session works.
- Redfish and REST API access works with role=Administrator.
Change-Id: Icac5ba7f4fa663047709ab55007bbcfec8158f5e
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
diff --git a/meta-ibm/recipes-extended/sudo/sudo_%.bbappend b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..f4254e7
--- /dev/null
+++ b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,8 @@
+# Allow passwordless use of sudo
+
+PACKAGECONFIG += "pam-wheel"
+
+do_install_append () {
+ # Allow members of the 'wheel' group to use passwordless sudo
+ sed -i 's/# \(%wheel ALL=(ALL) NOPASSWD: ALL\)/\1/' ${D}${sysconfdir}/sudoers
+}