Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-host-ipmid / 02650d53027326ed9b24a58b23596a74e5456654
commit02650d53027326ed9b24a58b23596a74e5456654[log] [tgz]
authorAyushi Smriti <smriti.ayushi@intel.com>Wed May 15 11:59:09 2019 +0000
committersmriti.ayushi <smriti.ayushi@linux.intel.com>Sun Jun 09 07:34:01 2019 +0000
treedd13b303b303242bfddf25a4773392923ce08889
parentea1c401c4bac43d6070bf7d515df08f8bf57c0a2 [diff]
User-mgmt: Add IPMI user pam authenticate check API

PAM user authentication check must be performed, before any RMCP+
session establishment, as this will be able to check whether user
is already locked out, due to failed attempt.
This patch introduces the pam user check API, which will be used by
netipmid daemon.

Tested:
Verified the API call check and making sure it works.
Real testing is performed by including the same in
phosphor-ipmi-net for RMCP+ session establishment both
for user locked for failed attempt and normal case.

Commands used-
Created new user using ipmitool

ipmitool user set name 2 testuser
ipmitool user enable 2
ipmitool user set password 2 pas1tes2
ipmitool user priv 2 4 3

ipmitool user list 3 //New user entry can be seen listed

ipmitool channel getaccess 3 2 //For getting channel access
ipmitool channel setaccess 3 2 ipmi=on priviledge=4

Normal Case:
ipmitool -I lanplus -U testuser -P pas1tes2 -H <bmc ip> raw 6 1
                                                      //Command
23 00 00 00 02 bf 57 01 00 7b 00 00 00 00 00         //Response

Negative Case:
busctl set-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user xyz.openbmc_project.User.AccountPolicy
MaxLoginAttemptBeforeLockout q 3

Tried 3 failed login attempts from webpage, and then tried to
establish IPMI RMCP+ as expected, session establishment failed.

wait for the timeout or unlock the user using-
busctl set-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user/sayushi xyz.openbmc_project.User.Attributes
UserLockedForFailedAttempt b false

busctl get-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user/sayushi xyz.openbmc_project.User.Attributes
UserLockedForFailedAttempt b false //Command
b false //Response

After this RMCP+ session will be established as usual.

Change-Id: I5ee2dc0848944a12f682f0775930091d32508bde
Signed-off-by: Ayushi Smriti <smriti.ayushi@linux.intel.com>
4 files changed
tree: dd13b303b303242bfddf25a4773392923ce08889
  1. app/
  2. docs/
  3. include/
  4. libipmid/
  5. libipmid-host/
  6. scripts/
  7. softoff/
  8. test/
  9. user_channel/
  10. xyz/
  11. .build.sh
  12. .clang-format
  13. .gitignore
  14. .travis.yml
  15. apphandler.cpp
  16. apphandler.hpp
  17. bootstrap.sh
  18. chassishandler.cpp
  19. chassishandler.hpp
  20. configure.ac
  21. dcmihandler.cpp
  22. dcmihandler.hpp
  23. elog-errors.hpp
  24. error-HostEvent.hpp
  25. fruread.hpp
  26. generate_whitelist.sh
  27. globalhandler.cpp
  28. globalhandler.hpp
  29. groupext.cpp
  30. host-cmd-manager.cpp
  31. host-cmd-manager.hpp
  32. host-interface.cpp
  33. host-interface.hpp
  34. host-ipmid-whitelist.conf
  35. ipmi_fru_info_area.cpp
  36. ipmi_fru_info_area.hpp
  37. ipmid-new.cpp
  38. ipmisensor.cpp
  39. ipmiwhitelist.hpp
  40. LICENSE
  41. MAINTAINERS
  42. Makefile.am
  43. oemrouter.cpp
  44. read_fru_data.cpp
  45. read_fru_data.hpp
  46. README.md
  47. sample.cpp
  48. sample.h
  49. selutility.cpp
  50. selutility.hpp
  51. sensordatahandler.cpp
  52. sensordatahandler.hpp
  53. sensorhandler.cpp
  54. sensorhandler.hpp
  55. settings.cpp
  56. settings.hpp
  57. storageaddsel.cpp
  58. storageaddsel.hpp
  59. storagehandler.cpp
  60. storagehandler.hpp
  61. sys_info_param.cpp
  62. sys_info_param.hpp
  63. systemintfcmds.cpp
  64. systemintfcmds.hpp
  65. testaddsel.cpp
  66. testit.cpp
  67. transporthandler.cpp
  68. transporthandler.hpp
  69. whitelist-filter.cpp
README.md

To build this package, do the following steps:

1. ./bootstrap.sh
2. ./configure ${CONFIGURE_FLAGS}
3. make

To clean the repository run ./bootstrap.sh clean.