Update to libpam 1.5.2

This updates to libpam 1.5.2. This version removes support for
pam_cracklib and pam_tally2. They are replaced by pam_pwquality and
pam_faillock respectively.

Since parameters of pam_cracklb and pam_tally2 are configurable through
Redfish, it's possible that they will remain in the overlay of
/etc/pam.d with the old module names preventing PAM from working
correctly. To avoid this, this commit includes a script that will detect
if the old modules are in the overlay and update the overlay with the
new modules and configuration.

The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there
are configured parameters during a downgrade from libpam 1.5.2 to libpam
1.3.1, it will require a factory reset before the downgrade.

pam_pwquality was selected over pam_passwdqc because of better security
and compatibility with pam_cracklib.

Note pam_faillock is necessarily configured into the pam module stack
differently than pam_tally2.

This patchset causes a BMC operational change:
- The pam_tally2 command (invoked from the BMC's command line) is no
  longer present.  If you used the "pam_tally2 -u USER -r" command
  to unlock a user after repeated authentication failures, change to
  use: faillock --user USER --reset

Compatibility note / migration issue.  If your BMC cannot authenticate
users after installing this change, the cause might be an overlayfs file
hiding the new /etc/pam.d/common-auth file.  To find out, use
`grep deny= /etc/pam.d/common-auth` on your BMC.  If it shows "tally2"
then your BMC is affected.  The recovery is to delete the overlay file,
to factory reset the BMC, or manually-install the changed files.
The convert-pam-configs service is intended to handle this problem.

Tested: as follows, for local users only (not tested with LDAP)

Note OpenBMC configuration defaults to an AccountLockoutThreshold
value of 0 which does not lock account passwords no matter how many
consecutive failed authentication attempts.  To configure this on
the BMC, for example, use:
curl -X PATCH https://${bmc}/redfish/v1/AccountService
  -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'

Tested update scenarios:
1. Install from scratch.  Success.
2. Install over firmware which had old PAM configs.  Success.

Tested update scenarios for the convert-pam-configs service.

Tested changing the password via various interfaces:
- the passwd command
- the PATCH Refish AccountService {Password: NEW}
- SSH (accessible only when the password is expired)
- IPMI user set password (accessible for unexpired password)

Tested both good and bad (unacceptable) passwords.

Tested account lockout after N bad passwords
Tested unlock via Redfish.

Also, because its implementation changed, ensure reading and writing the
D-Bus User AccountPolicy RememberOldPasswordTimes property continues to
work.  There is no Redfish API for this.

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
25 files changed
tree: da12d4f9acb277c6c43b57372d8a47b734c0c892
  1. .github/
  2. meta-amd/
  3. meta-ampere/
  4. meta-arm/
  5. meta-aspeed/
  6. meta-asrock/
  7. meta-bytedance/
  8. meta-delta/
  9. meta-evb/
  10. meta-facebook/
  11. meta-fii/
  12. meta-google/
  13. meta-hpe/
  14. meta-ibm/
  15. meta-ingrasys/
  16. meta-inspur/
  17. meta-intel-openbmc/
  18. meta-inventec/
  19. meta-nuvoton/
  20. meta-openembedded/
  21. meta-openpower/
  22. meta-phosphor/
  23. meta-qualcomm/
  24. meta-quanta/
  25. meta-raspberrypi/
  26. meta-security/
  27. meta-supermicro/
  28. meta-tyan/
  29. meta-ufispace/
  30. meta-wistron/
  31. meta-yadro/
  32. poky/
  33. .eslintrc.json
  34. .gitignore
  35. .gitreview
  36. openbmc-env
  37. OWNERS
  38. README.md
  39. setup
README.md

OpenBMC

Build Status

OpenBMC is a Linux distribution for management controllers used in devices such as servers, top of rack switches or RAID appliances. It uses Yocto, OpenEmbedded, systemd, and D-Bus to allow easy customization for your platform.

Setting up your OpenBMC project

1) Prerequisite

See the Yocto documentation for the latest requirements

Ubuntu

sudo apt install git python3-distutils gcc g++ make file wget \
    gawk diffstat bzip2 cpio chrpath zstd lz4 bzip2

Fedora

sudo dnf install git python3 gcc g++ gawk which bzip2 chrpath cpio \
    hostname file diffutils diffstat lz4 wget zstd rpcgen patch

2) Download the source

git clone https://github.com/openbmc/openbmc
cd openbmc

3) Target your hardware

Any build requires an environment set up according to your hardware target. There is a special script in the root of this repository that can be used to configure the environment as needed. The script is called setup and takes the name of your hardware target as an argument.

The script needs to be sourced while in the top directory of the OpenBMC repository clone, and, if run without arguments, will display the list of supported hardware targets, see the following example:

$ . setup <machine> [build_dir]
Target machine must be specified. Use one of:

bletchley               mori                    s8036
dl360poc                mtjade                  swift
e3c246d4i               mtmitchell              tatlin-archive-x86
ethanolx                nicole                  tiogapass
evb-ast2500             olympus-nuvoton         transformers
evb-ast2600             on5263m5                vegman-n110
evb-npcm750             p10bmc                  vegman-rx20
f0b                     palmetto                vegman-sx20
fp5280g2                qcom-dc-scm-v1          witherspoon
g220a                   quanta-q71l             witherspoon-tacoma
gbs                     romed8hm3               x11spi
greatlakes              romulus                 yosemitev2
gsj                     s2600wf                 zaius
kudo                    s6q
lannister               s7106

Once you know the target (e.g. romulus), source the setup script as follows:

. setup romulus

4) Build

bitbake obmc-phosphor-image

Additional details can be found in the docs repository.

OpenBMC Development

The OpenBMC community maintains a set of tutorials new users can go through to get up to speed on OpenBMC development out here

Build Validation and Testing

Commits submitted by members of the OpenBMC GitHub community are compiled and tested via our Jenkins server. Commits are run through two levels of testing. At the repository level the makefile make check directive is run. At the system level, the commit is built into a firmware image and run with an arm-softmmu QEMU model against a barrage of CI tests.

Commits submitted by non-members do not automatically proceed through CI testing. After visual inspection of the commit, a CI run can be manually performed by the reviewer.

Automated testing against the QEMU model along with supported systems are performed. The OpenBMC project uses the Robot Framework for all automation. Our complete test repository can be found here.

Submitting Patches

Support of additional hardware and software packages is always welcome. Please follow the contributing guidelines when making a submission. It is expected that contributions contain test cases.

Bug Reporting

Issues are managed on GitHub. It is recommended you search through the issues before opening a new one.

Questions

First, please do a search on the internet. There's a good chance your question has already been asked.

For general questions, please use the openbmc tag on Stack Overflow. Please review the discussion on Stack Overflow licensing before posting any code.

For technical discussions, please see contact info below for Discord and mailing list information. Please don't file an issue to ask a question. You'll get faster results by using the mailing list or Discord.

Will OpenBMC run on my Acme Server Corp. XYZ5000 motherboard?

This is a common question, particularly regarding boards from popular COTS (commercial off-the-shelf) vendors such as Supermicro and ASRock. You can see the list of supported boards by running . setup (with no further arguments) in the root of the OpenBMC source tree. Most of the platforms supported by OpenBMC are specialized servers operated by companies running large datacenters, but some more generic COTS servers are supported to varying degrees.

If your motherboard is not listed in the output of . setup it is not currently supported. Porting OpenBMC to a new platform is a non-trivial undertaking, ideally done with the assistance of schematics and other documentation from the manufacturer (it is not completely infeasible to take on a porting effort without documentation via reverse engineering, but it is considerably more difficult, and probably involves a greater risk of hardware damage).

However, even if your motherboard is among those listed in the output of . setup, there are two significant caveats to bear in mind. First, not all ports are equally mature -- some platforms are better supported than others, and functionality on some "supported" boards may be fairly limited. Second, support for a motherboard is not the same as support for a complete system -- in particular, fan control is critically dependent on not just the motherboard but also the fans connected to it and the chassis that the board and fans are housed in, both of which can vary dramatically between systems using the same board model. So while you may be able to compile and install an OpenBMC build on your system and get some basic functionality, rough edges (such as your cooling fans running continuously at full throttle) are likely.

Features of OpenBMC

Feature List

  • Host management: Power, Cooling, LEDs, Inventory, Events, Watchdog
  • Full IPMI 2.0 Compliance with DCMI
  • Code Update Support for multiple BMC/BIOS images
  • Web-based user interface
  • REST interfaces
  • D-Bus based interfaces
  • SSH based SOL
  • Remote KVM
  • Hardware Simulation
  • Automated Testing
  • User management
  • Virtual media

Features In Progress

  • OpenCompute Redfish Compliance
  • Verified Boot

Features Requested but need help

  • OpenBMC performance monitoring

Finding out more

Dive deeper into OpenBMC by opening the docs repository.

Technical Steering Committee

The Technical Steering Committee (TSC) guides the project. Members are:

  • Roxanne Clarke, IBM
  • Nancy Yuen, Google
  • Patrick Williams, Meta
  • Terry Duncan, Intel
  • Sagar Dharia, Microsoft
  • Samer El-Haj-Mahmoud, Arm

Contact