PAM config: move pam_cracklib to first position

This fixes a bug where Linux-PAM asks for the new password three times
when changing the password.  With this fix, PAM asks for the new password
and then only once more to confirm it - two times total.

This bug applies to the `passwd` command, to the expired password dialog
when signing into the console using an account which has an expired
password, and to other similar use of the PAM conversation function such
as changing the password during SSH login.

This does not affect the external behavior of the REST APIs or the webui
because they use automated PAM conversation functions which programmatically
supply the password as many times as it is requested.

The bug happens like this:
When PAM is asked to change a password via pam_chauthtok, it reads the
/etc/pam.d/common-password file and executes the first module, pam_ipmicheck.
This calls pam_get_authtok(pamh, PAM_AUTHTOK, &pass_new, NULL) which prompts
for the new password and then prompts again to verify they are the same.
The next module, pam_cracklib makes two calls: a call to
pam_get_authtok_noverify() followed by a call to pam_get_authtok_verify().
The call to pam_get_authtok_noverify() does NOT prompt because the new
password is already known to PAM, but the call to pam_get_authtok_verify()
unconditionally prompts to validate the password.  That's why we see two
prompts to "Retype" the new password.  The first is from pam_ipmicheck, and
the second is from pam_cracklib/pam_get_authtok_verify.

The fix is to invoke pam_cracklib first and pam_ipmicheck second.
Then pam_cracklib does all of its prompting, and pam_ipmicheck gets what it
needs without prompting.  The pam_ipmicheck module only checks the username
and password length, so switching the sequence of these modules should be
harmless.

Tested: yes, via the "passwd USER" command

(From meta-phosphor rev: a71db86192df0b0268db93e7ae6dc4633fce271e)

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I044df5731a69e45eca9597a345fa6d1b01041b58
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
1 file changed
tree: 06c8735af41d84438d48c470f36fc5b46301ff07
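
The prompt sequence described in the commit message, modelled as an added example (not code from this commit or from Linux-PAM). The two `common-password` stacks and their control fields are constructed for illustration, and each module's prompting calls follow the commit message's description rather than the library source.

```python
# Calls each module makes, as described in the commit message (assumption:
# modules not listed here, such as pam_unix.so with use_authtok, never prompt).
MODULE_CALLS = {
    "pam_ipmicheck.so": ["get_authtok"],
    "pam_cracklib.so": ["get_authtok_noverify", "get_authtok_verify"],
}

# Constructed stacks: the order before and after the change.
BEFORE = """\
# /etc/pam.d/common-password (constructed sample)
password  requisite                 pam_ipmicheck.so
password  [success=ok default=die]  pam_cracklib.so
password  required                  pam_unix.so sha512 use_authtok
"""
AFTER = """\
password  [success=ok default=die]  pam_cracklib.so
password  requisite                 pam_ipmicheck.so
password  required                  pam_unix.so sha512 use_authtok
"""

def parse_stack(text, facility="password"):
    """Return the module names for one facility, in file order."""
    modules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != facility:
            continue
        idx = 1  # control field: one word, or a bracketed [k=v ...] group
        if fields[idx].startswith("["):
            while not fields[idx].endswith("]"):
                idx += 1
        modules.append(fields[idx + 1])
    return modules

def simulate_prompts(modules):
    """List (module, prompt) pairs a user would see during pam_chauthtok."""
    cached, prompts = False, []
    for mod in modules:
        for call in MODULE_CALLS.get(mod, []):
            if call in ("get_authtok", "get_authtok_noverify") and not cached:
                prompts.append((mod, "New password"))
                cached = True  # PAM_AUTHTOK is now known to later modules
                if call == "get_authtok":
                    prompts.append((mod, "Retype new password"))
            elif call == "get_authtok_verify":
                prompts.append((mod, "Retype new password"))  # unconditional
    return prompts

if __name__ == "__main__":
    for name, stack in (("before", BEFORE), ("after", AFTER)):
        print(name, simulate_prompts(parse_stack(stack)))
```
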
README.md

OpenBMC

The OpenBMC project can be described as a Linux distribution for embedded devices that have a BMC; typically, but not limited to, things like servers, top of rack switches or RAID appliances. The OpenBMC stack uses technologies such as Yocto, OpenEmbedded, systemd, and D-Bus to allow easy customization for your server platform.

Setting up your OpenBMC project

1) Prerequisite

  • Ubuntu 14.04

    sudo apt-get install -y git build-essential libsdl1.2-dev texinfo gawk chrpath diffstat

  • Fedora 28

    sudo dnf install -y git patch diffstat texinfo chrpath SDL-devel bitbake \
        rpcgen perl-Thread-Queue perl-bignum perl-Crypt-OpenSSL-Bignum
    sudo dnf groupinstall "C Development Tools and Libraries"

2) Download the source

    git clone git@github.com:openbmc/openbmc.git
    cd openbmc

3) Target your hardware

Any build requires the environment variable TEMPLATECONF to be set to a hardware target. You can see all of the known targets with `find meta-* -name local.conf.sample`. Choose the hardware target and then move to the next step. Additional examples can be found in the OpenBMC Cheatsheet.

| Machine     | TEMPLATECONF                   |
|-------------|--------------------------------|
| Palmetto    | meta-ibm/meta-palmetto/conf    |
| Zaius       | meta-ingrasys/meta-zaius/conf  |
| Witherspoon | meta-ibm/meta-witherspoon/conf |
| Romulus     | meta-ibm/meta-romulus/conf     |

As an example, target Romulus:

    export TEMPLATECONF=meta-ibm/meta-romulus/conf

4) Build

    . openbmc-env
    bitbake obmc-phosphor-image

Additional details can be found in the docs repository.

OpenBMC Development

The OpenBMC community maintains a set of tutorials that new users can go through to get up to speed on OpenBMC development.

Build Validation and Testing

Commits submitted by members of the OpenBMC GitHub community are compiled and tested via our Jenkins server. Commits are run through two levels of testing. At the repository level, the makefile `make check` directive is run. At the system level, the commit is built into a firmware image and run with an arm-softmmu QEMU model against a barrage of CI tests.

Commits submitted by non-members do not automatically proceed through CI testing. After visual inspection of the commit, a CI run can be manually performed by the reviewer.

Automated testing is performed against the QEMU model as well as supported systems. The OpenBMC project uses the Robot Framework for all automation. Our complete test repository can be found here.

Submitting Patches

Support of additional hardware and software packages is always welcome. Please follow the contributing guidelines when making a submission. It is expected that contributions contain test cases.

Bug Reporting

Issues are managed on GitHub. It is recommended you search through the issues before opening a new one.

Questions

First, please do a search on the internet. There's a good chance your question has already been asked.

For general questions, please use the openbmc tag on Stack Overflow. Please review the discussion on Stack Overflow licensing before posting any code.

For technical discussions, please see contact info below for IRC and mailing list information.

Features of OpenBMC

Feature List

  • Host management: Power, Cooling, LEDs, Inventory, Events, Watchdog
  • Full IPMI 2.0 Compliance with DCMI
  • Code Update Support for multiple BMC/BIOS images
  • Web-based user interface
  • REST interfaces
  • D-Bus based interfaces
  • SSH based SOL
  • Remote KVM
  • Hardware Simulation
  • Automated Testing

Features In Progress

  • OpenCompute Redfish Compliance
  • User management
  • Virtual media
  • Verified Boot

Features Requested but need help

  • OpenBMC performance monitoring

Finding out more

Dive deeper into OpenBMC by opening the docs repository.

Contact