commit | a64c49f8082587bed0e106a0dcf00ff0b014535f | [log] [tgz] |
---|---|---|
author | Joseph Reynolds <joseph-reynolds@charter.net> | Mon Dec 02 23:11:47 2019 -0600 |
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | Tue Dec 03 10:11:17 2019 -0500 |
tree | 06c8735af41d84438d48c470f36fc5b46301ff07 | |
parent | 278ec1393025b4fd4efff35cde6e045c5f80e6e5 [diff] |
PAM config: move pam_cracklib to first position

This fixes a bug where Linux-PAM asks for the new password three times when changing the password. With this fix, PAM asks for the new password and then only once more to confirm it - two times total.

This bug applies to the `passwd` command, to the expired password dialog when signing into the console using an account which has an expired password, and to other similar use of the PAM conversation function such as changing the password during SSH login.

This does not affect the external behavior of the REST APIs or the webui because they use automated PAM conversation functions which programmatically supply the password as many times as it is requested.

The bug happens like this: When PAM is asked to change a password via pam_chauthtok, it reads the /etc/pam.d/common-password file and executes the first module, pam_ipmicheck. This calls pam_get_authtok(pamh, PAM_AUTHTOK, &pass_new, NULL) which prompts for the new password and then prompts again to verify they are the same. The next module, pam_cracklib makes two calls: a call to pam_get_authtok_noverify() followed by a call to pam_get_authtok_verify(). The call to pam_get_authtok_noverify() does NOT prompt because the new password is already known to PAM, but the call to pam_get_authtok_verify() unconditionally prompts to validate the password. That's why we see two prompts to "Retype" the new password. The first is from pam_ipmicheck, and the second is from pam_cracklib/pam_get_authtok_verify.

The fix is to invoke pam_cracklib first and pam_ipmicheck second. Then pam_cracklib does all of its prompting, and pam_ipmicheck gets what it needs without prompting.

The pam_ipmicheck module only checks the username and password length, so switching the sequence of these modules should be harmless.

Tested: yes, via the "passwd USER" command

(From meta-phosphor rev: a71db86192df0b0268db93e7ae6dc4633fce271e)

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I044df5731a69e45eca9597a345fa6d1b01041b58
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
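A small C model of the prompt sequence the commit message describes, added here as an illustration; it is not code from the commit, OpenBMC or Linux-PAM. The `model_*` functions and `count_prompts` are hypothetical names that only mimic the prompting behaviour stated above for `pam_get_authtok`, `pam_get_authtok_noverify` and `pam_get_authtok_verify`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the only handle state that matters here (not libpam's struct). */
struct model_pamh {
    bool authtok_set; /* PAM_AUTHTOK already stored on the handle */
    int prompts;      /* times the user was asked to type a password */
};

/* pam_get_authtok(): with no stored token, ask for it and ask to retype it. */
static void model_get_authtok(struct model_pamh *h) {
    if (!h->authtok_set) { h->prompts += 2; h->authtok_set = true; }
}

/* pam_get_authtok_noverify(): ask only when no token is stored yet. */
static void model_get_authtok_noverify(struct model_pamh *h) {
    if (!h->authtok_set) { h->prompts += 1; h->authtok_set = true; }
}

/* pam_get_authtok_verify(): per the commit message, always asks to retype. */
static void model_get_authtok_verify(struct model_pamh *h) {
    h->prompts += 1;
}

/* Walk a password stack in order and return the total number of prompts. */
int count_prompts(const char *const *stack, size_t n) {
    struct model_pamh h = { false, 0 };
    for (size_t i = 0; i < n; i++) {
        if (strcmp(stack[i], "pam_ipmicheck") == 0) {
            model_get_authtok(&h);
        } else if (strcmp(stack[i], "pam_cracklib") == 0) {
            model_get_authtok_noverify(&h);
            model_get_authtok_verify(&h);
        }
    }
    return h.prompts;
}

int main(void) {
    const char *const before[] = { "pam_ipmicheck", "pam_cracklib" };
    const char *const after[]  = { "pam_cracklib", "pam_ipmicheck" };
    printf("pam_ipmicheck first: %d prompts\n", count_prompts(before, 2));
    printf("pam_cracklib first:  %d prompts\n", count_prompts(after, 2));
    return 0;
}
```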
The OpenBMC project can be described as a Linux distribution for embedded devices that have a BMC; typically, but not limited to, things like servers, top of rack switches or RAID appliances. The OpenBMC stack uses technologies such as Yocto, OpenEmbedded, systemd, and D-Bus to allow easy customization for your server platform.
sudo apt-get install -y git build-essential libsdl1.2-dev texinfo gawk chrpath diffstat
sudo dnf install -y git patch diffstat texinfo chrpath SDL-devel bitbake \
    rpcgen perl-Thread-Queue perl-bignum perl-Crypt-OpenSSL-Bignum
sudo dnf groupinstall "C Development Tools and Libraries"
git clone git@github.com:openbmc/openbmc.git
cd openbmc
Any build requires an environment variable known as `TEMPLATECONF` to be set to a hardware target. You can see all of the known targets with `find meta-* -name local.conf.sample`. Choose the hardware target and then move to the next step. Additional examples can be found in the OpenBMC Cheatsheet.
Machine | TEMPLATECONF |
---|---|
Palmetto | meta-ibm/meta-palmetto/conf |
Zaius | meta-ingrasys/meta-zaius/conf |
Witherspoon | meta-ibm/meta-witherspoon/conf |
Romulus | meta-ibm/meta-romulus/conf |
As an example, target Romulus:
export TEMPLATECONF=meta-ibm/meta-romulus/conf
. openbmc-env
bitbake obmc-phosphor-image
Additional details can be found in the docs repository.
The OpenBMC community maintains a set of tutorials new users can go through to get up to speed on OpenBMC development out here
Commits submitted by members of the OpenBMC GitHub community are compiled and tested via our Jenkins server. Commits are run through two levels of testing. At the repository level the makefile `make check` directive is run. At the system level, the commit is built into a firmware image and run with an arm-softmmu QEMU model against a barrage of CI tests.
Commits submitted by non-members do not automatically proceed through CI testing. After visual inspection of the commit, a CI run can be manually performed by the reviewer.
Automated testing against the QEMU model along with supported systems is performed. The OpenBMC project uses the Robot Framework for all automation. Our complete test repository can be found here.
Support of additional hardware and software packages is always welcome. Please follow the contributing guidelines when making a submission. It is expected that contributions contain test cases.
Issues are managed on GitHub. It is recommended you search through the issues before opening a new one.
First, please do a search on the internet. There's a good chance your question has already been asked.
For general questions, please use the openbmc tag on Stack Overflow. Please review the discussion on Stack Overflow licensing before posting any code.
For technical discussions, please see contact info below for IRC and mailing list information.
Feature List
Features In Progress
Features Requested but need help
Dive deeper into OpenBMC by opening the docs repository.