Closed joseph-reynolds closed 1 year ago
Asked a related questions in the OpenBMC open source email list: https://lists.ozlabs.org/pipermail/openbmc/2019-June/016703.html
Here is an idea. Have a new distro feature to expire the password. The feature would be off by default, and security conscious use cases can opt-in. When the feature is used, the root and its default password are still used, but the password is expired. This expired password:
It seems like this would this comply with the law, specifically CA Law TITLE 1.81.26., Security of Connected Devices, 1798.91.04 b.2 (but I am software engineer, not a lawyer).
The work for OpenBMC would be:
The testing scenario would be:
Can be used to change the password (mechanism to be determined), perhaps via ssh into the system or
ipmitool user set password 1 ${new_password}
.
I hope that this would require authentication from that point forward?
Changed the title to better reflect the purpose.
Although having an unique password per BMC is a solution, I am not pursuing it at this time.
Note the default for the OpenBMC project will remain to have a default password. For now, these are opt-in solutions which require an explicit recipe change to use. I hope one of these solutions can become the project's default, and make the "insecure default password" an opt-in choice.
I am considering two alternatives:
Here are some thoughts for design requirements common to the designs above, with questions:
We will probably want the Web GUI phosphor-webui to detect the use of an expired password and have a screen which users can change the password. The flows between web app to BMC would be something like (my initial draft, please correct and improve):
I am pursuing the "expired password" design for this, here: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849
For a lab environment we wouldn't want it, but I would think for deployed systems we may want to require asserting physical presence as well. If we're not going to do that, we need to document when the BMC might fall into a vulnerable state (opening a race to set the password).
Thanks, I've added a Warning to the design for the system integrator to ensure their solution doesn't have holes. It points to the "physical presence" alternate design that you mentioned. In this sense, the design 23849 is only a solution for one of many use cases.
I've updated the design 23849 to incorporate all the comments. The design includes a starter kit for the WebGUI design. I believe 23849 is entirely approveable at this point.
I believe should pursue adding the password change facility to the dropbear SSH implementation.. Why? The right place to add this is to Yocto/OpenEmbedded, so I plan to add the new EXPIRED_PASSWORD image feature to the Yocto project, and they have agreed to a mechanism like this: https://lists.yoctoproject.org/pipermail/yocto-security/2019-July/000114.html I feel that Yocto uses ssh, and dropbear is one of the ssh servers, so if someone uses the EXPIRED_PASSWORD feature, they will need their dropbear ssh server to implement the expired password change mechanism. (A workaround is to use the OpenSSH SSH server.) Also, I feel that ssh access will continue to prevail in the OpenBMC project for quite a long time, so we should try to make it work with expired passwords. Note: There is a dropbear patch to enable changing expired password here: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2016q2/001895.html I have not followed up on the status of this old patch.
I've emailed the BMCWeb maintainer to get initial agreement that this can be implemented. See https://lists.ozlabs.org/pipermail/openbmc/2019-August/017577.html For what it's worth, I agree with Ed's assessment that adding PasswordChangeRequired=True to the authority model will be tricky. I plan to vet that part of the low level design via email.
Development work items:
There is a design change for an upgrade scenario. This scenario has a BMC with an older version installed (like OP930) and the user has not changed the password so the BMC still has the default password. When the new driver is installed, the BMC should NOT cause the password to be expired. The thinking is: its not a new install, so the default expired password should not apply.
Some work related to this:
Pushed user docs "expired password cheatsheet" for review here: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/25706
I've created https://github.com/openembedded/openembedded-core/pull/63 to merge this into openembeded-core. However, this is not currently needed. The alternate design was implemented here: https://github.com/ibm-openbmc/openbmc/blob/5434eaa5e4f53d9972c7bf3c4a90fd189f529547/meta-phosphor/recipes-phosphor/users/phosphor-user-manager/first-boot-expire-password.service
Upstream oe-core has the expire-password support. IBM systems are using it. Closing.
NOTE: This issue was originally titled "Move away from a default BMC password" as we were mulling over the various ways that could be accomplished. This issue is now limited in scope to the "expired password" design (details below). Although the original discussion is preserved here, this issue is specifically only for the "expired password" design.
The "expired password" design is intended to partially satisfy the requirements of CA Law SB-327 (referenced below), section 1798.91.04 (b) (2) which states, "The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time".
The original text is below.
If you have a project based on OpenBMC, you may want to provide reasonable security by ensuring that the BMC moves away from its default password.
You can not merely change the default password (such as provided by https://github.com/openbmc/openbmc/blob/master/meta-phosphor/conf/distro/include/phosphor-defaults.inc) to some other default password because that does not by itself provide a significant security benefit. For example, if a bad actor learns the default password from one device, that actor will likely know the password for many of them.
The idea is to create a single firmware image which uses the default password, then after you test each BMC, change its password to an unique value (such as from the
pwgen
command) and record that password with the BMC (such as by printing it on a sticker).If you store the generated password, such as in a database mapping the BMC serial number to its shipped password, consider privacy laws. For example, the EU GDPR law https://en.wikipedia.org/wiki/General_Data_Protection_Regulation.
TODO: Determine what happens to the password if the BMC is factory reset.
An alternate approach to the one described here is: Keep the default password, but operate with limited function, such as by locking the device into
Provisioning
mode per https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/21195 until the password is changed.Reference: Laws may require products to have reasonable security built into them, for example, by not having a default password. See, for example, CA Law SB-327 https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327