Interface support for security configuration
Configuration support for password and security
enforcement for user accounts under AccountPolicy
interface (which will manage global policies
related to accounts).
Change-Id: Icdea6d83654f9449088a6319f453788cb25ecfc2
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/xyz/openbmc_project/User/AccountPolicy.interface.yaml b/xyz/openbmc_project/User/AccountPolicy.interface.yaml
new file mode 100644
index 0000000..9397f4b
--- /dev/null
+++ b/xyz/openbmc_project/User/AccountPolicy.interface.yaml
@@ -0,0 +1,33 @@
+description: >
+ Provides global user account policy related management.
+
+properties:
+ - name: MaxLoginAttemptBeforeLockout
+ type: uint16
+ description: >
+ Configures the maximum permissible attempt before locking
+ out the user. Value of 0 indicates that account lockout
+ feature is disabled.
+
+ - name: AccountUnlockTimeout
+ type: uint32
+ description: >
+ Configures timeout needed (in seconds) to unlock the account
+ after a lockout. Value of 0 indicates that account must be
+ unlocked manually.
+
+ - name: MinPasswordLength
+ type: byte
+ description: >
+ Configures the minimum password length. Minimum password length
+ specified in build time is marked as default value. This property
+ cannot be configured below the build time default value but can be
+ set to higher one for security reasons.
+
+ - name: RememberOldPasswordTimes
+ type: byte
+ description: >
+ Configures the number of times old password shouldn't be allowed
+ when trying to update new password. Value of 0 (by default) indicates
+ this feature is not enforced.
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
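Review bot: MinPasswordLength (lines 32-38) says it cannot be set below the build-time default, but the hunk does not say which error a caller gets when it tries, and this change adds no new error to Common.errors.yaml; name the failure in the description so clients can tell a policy rejection from a transport error. The integer types are also inconsistent: MaxLoginAttemptBeforeLockout is uint16 while MinPasswordLength and RememberOldPasswordTimes are byte; if byte is intentional, say so, since it caps the remembered-password history at 255. Finally, "Value of 0 (by default)" on RememberOldPasswordTimes is the only property that states a default; either document defaults for all four properties or drop it.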
diff --git a/xyz/openbmc_project/User/Attributes.interface.yaml b/xyz/openbmc_project/User/Attributes.interface.yaml
index 108934d..31d9939 100644
--- a/xyz/openbmc_project/User/Attributes.interface.yaml
+++ b/xyz/openbmc_project/User/Attributes.interface.yaml
@@ -18,4 +18,14 @@
type: boolean
description: >
Enabled or disabled state of the user.
+
+ - name: UserLockedForFailedAttempt
+ type: boolean
+ description: >
+ Locked or unlocked state of the user. After repeated failed
+ login attempt (configured through MaxLoginAttemptBeforeLockout),
+ locked out user can be unlocked manually by setting false to
+ this property. This property will return true if user is locked
+ out user. AccountUnlockTimeout property can be configured to unlock
+ the user after a timeout.
# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
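Review bot: the UserLockedForFailedAttempt description (lines 59-64) only covers writing false; state what happens when a client writes true (a manual lock should presumably be rejected) and which error is returned, and note that a lock cleared by AccountUnlockTimeout also returns this property to false. Minor wording: "true if user is locked out user" should read "true if the user is locked out".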
diff --git a/xyz/openbmc_project/User/Common.errors.yaml b/xyz/openbmc_project/User/Common.errors.yaml
index a1c60ab..ccca302 100644
--- a/xyz/openbmc_project/User/Common.errors.yaml
+++ b/xyz/openbmc_project/User/Common.errors.yaml
@@ -9,7 +9,7 @@
description: Specified Group related restriction failure for user name.
# xyz.openbmc_project.User.Common.Error.UserNamePrivFail
- name: UserNamePrivFail
- description: Specificed privilege related restriction failure for user name.
+ description: Specified privilege related restriction failure for user name.
# xyz.openbmc_project.User.Common.Error.NoResource
- name: NoResource
description: No resource available.
diff --git a/xyz/openbmc_project/User/README.md b/xyz/openbmc_project/User/README.md
index cbda1e3..1ce17e0 100644
--- a/xyz/openbmc_project/User/README.md
+++ b/xyz/openbmc_project/User/README.md
@@ -19,8 +19,18 @@
##### signals
* UserRenamed - Signal sent out when user is renamed in the system.
+#### xyz.openbmc_project.User.AccountPolicy interface
+##### properties
+* MaxLoginAttemptBeforeLockout - Permissible attempt before locking out the
+user for failed login attempts.
+* AccountUnlockTimeout - Timeout (in seconds) to unlock the account after a
+lockout.
+* MinPasswordLength - Minimum password length, which can be set.
+* RememberOldPasswordTimes – Number of times old password shouldn’t be allowed
+when updating password for the user.
+
### Users Interface
-User manager daemon, will create user objects for each and every user existing
+User manager daemon, will create user objects for every user existing
in the system under object path `/xyz/openbmc_project/user/<user name>`.
Each user object can be handled through 'org.freedesktop.DBus.ObjectManager'.
User object will expose following properties and methods.
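Review bot: the README bullet for MinPasswordLength ("Minimum password length, which can be set.") drops the constraint the interface itself documents, that it cannot go below the build-time default; carry that over so README readers see the floor. The RememberOldPasswordTimes bullet uses a non-ASCII en dash and curly apostrophe ("–", "shouldn’t") while the other bullets use plain "-" and ASCII quotes; and "Permissible attempt" should be "Permissible attempts".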
@@ -30,12 +40,13 @@
* UserPrivilege - Privilege of the user.
* UserGroups - Groups to which the user belongs.
* UserEnabled - User enabled state.
+* UserLockedForFailedAttempt - Locked or unlocked state of the user account.
#### xyz.openbmc_project.Object.Delete
#### methods
* Delete - To delete the user object in the system.
##Note
-This interface doesn't provide ways to set / update password. The same has to
+This interface doesn't provide ways to set / update password. The same must
be set / updated through pam_chauthtok() (PAM modules). This is to avoid
sending out password through D-Bus.
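Review bot: the "##Note" heading in the context at line 110 is missing the space after "##", so it will not render as a heading; since this hunk already edits the sentence directly beneath it, fix it here as "## Note".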