History log of /openbmc/obmc-console/conf/ (Results 1 – 10 of 10)
Revision Date Author Comments
b7dddbc6 27-Mar-2024 Andrew Geissler <geissonator@yahoo.com>

obmc-console-ssh@.service: add ECDSA and ED25519 keys

With RSA-SHA1 being deprecated, have our dropbear server also support
ECDSA and ED25519 keys.

The key generation and support within our standard ssh port 22 was added
via commit [1].

This commit adds support for our virtual console ports that come in via
ssh.

The service files have a somewhat unfortunately named variable,
DROPBEAR_RSAKEY_DIR, which assumed dropbear was only going to support
RSA keys. As this commit shows, dropbear supports multiple key types and
the directory, /etc/dropbear/, has no limitations on the type of key
that can go in that directory. Initially, we changed this variable name
to DROPBEAR_KEY_DIR but upon further investigation we saw that this
naming convention was utilized heavily in the dropbear recipes. To keep
things consistent with dropbear, we left it as DROPBEAR_RSAKEY_DIR even
though other key types will be stored in that directory.

Tested:
- Confirmed port 2200 and 2201 dropbear services loaded new RSA keys
(via 'ps' command) on p10bmc machine
- Confirmed when an ssh was done to port 2200, it connected properly
and listed the following as supported via "ssh -vv":
host key algorithms: ssh-ed25519,ecdsa-sha2-nistp384,rsa-sha2-256

[1]: https://gerrit.openbmc.org/c/openbmc/openbmc/+/70265

Change-Id: I76dd742654a67645d12856ae8fd15dfe71876b9d
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>

bd4af900 12-Feb-2024 Andrew Geissler <geissonator@yahoo.com>

80-obmc-console-uart.rules: fix udevadm warnings

Without this change we get the following warnings:
```
udevadm verify

/usr/lib/udev/rules.d/80-obmc-console-uart.rules:1 style: a comma between tokens is expected.
/usr/lib/udev/rules.d/80-obmc-console-uart.rules:2 style: a comma between tokens is expected.
/usr/lib/udev/rules.d/80-obmc-console-uart.rules: udev rules have style issues.

41 udev rules files have been checked.
Success: 40
Fail: 1
```

Tested:
- Confirmed 'udevadm verify' returns no warnings

Change-Id: Ic1e1ddd212619fa5c9666adeb268bcfb60b0fb3a
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>

9a8f30ec 01-May-2023 Andrew Jeffery <andrew@aj.id.au>

obmc-console: Introduce console-id, deprecate socket-id

The name `socket-id` exposes too much detail about the implementation.
Really the tag identifies the console, so name it as such.

Maintain backwards compatibility until we've converted all the in-tree
OpenBMC users over to `console-id`. Once that's done we can drop support
for `socket-id`.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I5aa2ba84835d64901e459b42bfe7be59043466c7

533f9702 09-Mar-2023 Ninad Palsule <ninadpalsule@us.ibm.com>

Changes for new pre-defined usergroup hostconsole

The new pre-defined usergroup named "hostconsole" is added to
differentiate access between host console and manager console.
The only users allowed to interact with host console are part of the
"hostconsole" group.

Note: The changes are spread across multiple repositories listed under
"Related commits:"

The obmc-console changes to incorporate new group are as follows:
- Remove dependency on dropbear.default file by adding new default file
dropbear.env for obmc-console. This file is required for obmc
services. This file is added in obmc-console-ssh@.service.in and
use-socket.conf
- In future we can add file /etc/obmc-console/dropbear.%i.env for port
specific configuration.

Tested:
Loaded on system and qemu emulator. Made sure that the new file
contents are reflected on the system.

Related commits:
docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968
phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583
openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582
obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581
bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580

Change-Id: Id080d0cf1c8dea7c383bc040c988dae2b4a09800
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>

cc07530f 31-Mar-2023 Jonathan Doman <jonathan.doman@intel.com>

Support systemd socket activation

Check if systemd passed us a socket when starting obmc-console before
creating the socket ourselves. This will support use cases where we
don't need obmc-console until a SoL is activated by the user.

Tested: Verified that existing unit file installation is unchanged -
statically enabled obmc-console@.service instances will be started.

Then disabled obmc-console@ttyS2.service and enabled
obmc-console@ttyS2.socket (with a drop-in change to override
ListenStream to "obmc-console") and verified that activating Redfish and
SSH SoL would start obmc-console@ttyS2.service and console redirection
worked.

Change-Id: I42e96af46a5893145abf27761e97fd4f1b73719d
Signed-off-by: Jonathan Doman <jonathan.doman@intel.com>

467d3010 04-Nov-2021 Andrew Geissler <geissonator@yahoo.com>

ssh-console: only enable keepalive option

There was some further discussion on dc0eec8 after it was merged. The
consensus was that it may have gone a bit too far on client connection
restrictions. For example, why add the -I to disconnect a fully working
(but idle) session?

It was also clarified that the -K option enables a keepalive message
every X seconds. The client is disconnected after 3 keepalive timeouts.
Given this, it was agreed to reduce the value from 10 to 5 to give the
client a total of 15 seconds to keep a connection alive.

Tested:
- Loaded on a p10bmc system, connected multiple clients to 2200 and
2201 and caused extensive traffic in both. No issues found.

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I83dbda457f0de0a727434614539f5fee8c7c665d

dc0eec8d 02-Nov-2021 Andrew Geissler <geissonator@yahoo.com>

ssh-console: introduce reasonable timeout values

The obmc-console design is that it must successfully send its data to
all connected clients before it will process any new data. This
guarantees there are no data losses to clients.

The drawback to this design is that if a single client stops responding
or gets hung up in some way, all clients get hung up. At IBM, our test
teams utilize some fairly extensive perl/expect based test suites that
utilize the host virtual console extensively. We continue to see
intermittent issues when running these test suites where the virtual
console to our hypervisor becomes unusable. If we log in and start to
kill dropbear ssh console sessions, we eventually find the right one and
the console starts working again.

This commit introduces some parameters to dropbear to drop the bad
client connection if it becomes unresponsive:
-I <idle_timeout>
-K <keepalive>

For idle_timeout, it seems reasonable to give the client 30 minutes
(1800 seconds) of inactivity.

For keepalive, it seems reasonable to assume that a client connection
can be verified within 10 seconds.

Tested:
- The issue is somewhat difficult to recreate but we did patch a system
which was having this issue and we were unable to recreate the problem
with this change. The test suite appears to recover if it senses it
has a dropped connection.

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Iaa1182d52fb75762c47e515e43f1fc6352b5bdd1

44036f0b 09-Apr-2020 Vijay Khemka <vijaykhemka@fb.com>

conf: Add udev rules for other UARTS

Listing tty mapped to regular uarts 1-4 from Aspeed Soc for launching
console server listening on respective uarts.

Tested: Verified for FB tiogapass platform with ttyS2 and also team
verified for multi host platform by launching ttyS0-S3.

Signed-off-by: Vijay Khemka <vijaykhemka@fb.com>
Change-Id: I34bc36526a66e3084354399eab34be27311f438b

fdf1a710 27-Feb-2020 Andrew Jeffery <andrew@aj.id.au>

conf: Ship udev rules for launching obmc-console-server

The systemd unit has a ConditionPathExists for the server configuration
file, so we can support listing any number of UARTs in the udev rule
without negatively impacting the system. For the moment however, list
just the two virtual UARTs on the ASPEED SoCs.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ie0bebbf64388c62f7cbb77c399f3d064713d586f

9836e2b3 10-Feb-2020 Andrew Jeffery <andrew@aj.id.au>

conf: Ship default configuration and systemd units

Two configurations are supported:

1. A socket-activated, single-port client service arrangement, and
2. A port-templated client service

systemd's template-unit constraints prevent us from mapping ports to a
daemon configuration for the socket-activated case. To support multiple
concurrent console servers we have to revert to a standard daemon
arrangement where dropbear binds, listens and accepts its own
connections. This brings with it immediate memory overhead of running
dropbear before connections are received. As such configuration 2 is
opt-in as there are very few systems that require it.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ifbcac1b1ca75ab3ff08c73855d7ed2ebabc27c0a