Lines Matching refs:password
11 OpenBMC has a default password, connects to the network via DHCP, and does not
12 have a mechanism to require administrators to change the BMC's password. This
19 password be changed on the initial signon. This reduces the time window when the
20 system is accessible with a default password.
26 1. Success, when the access credentials (such as username and password) are
30 password) may be expired.
32 account is valid except the account's password is expired (such as indicated
38 PasswordChangeRequired by implementing a "password change dialog".
42 property which supports a password change dialog.
47 Note the terminology: An "expired password" is a special case of "password
57 such as establishing a session after you've changed your initial password.
67 - The BMC's initial password must be expired when the new EXPIRED_PASSWORD image
69 - An account with an expired password must not be allowed to use the BMC (except
70 to change the password).
71 - There must be a way to change the expired password using a supported
83 - The BMC has at least one account with a default password built in.
84 - The BMC can update the password; for example, the `/etc/passwd` file is
92 enabled, the BMC's default password will initially be expired as if via the
93 `passwd --expire root` command. This administratively expires the password
94 and is not based on time. An account with an expired password is neither
102 access via an account which has an expired password. If the access
104 failure is an expired password (determined by the usual Linux practices),
105 where possible, the interface should indicate the password is expired and how
110 and password) and the password needs to be changed the request will fail to
111 create a session and indicate a password change is needed. If it is used with
112 correct userid and incorrect password, or with an incorrect userid, the
119 The `ipmitool` command treats an expired password the same as an invalid
120 password. Note the RMCP+ standard, such as used for the BMC's network IPMI
121 interface, does not support changing the password when establishing a
125 when the password is expired. No change is needed. But see the next bullet
126 for the expired password dialog.
128 3. There is a way for an account owner to change their own expired password.
129 This can be either from a network-facing or in-band password changing
133 - SSH server: The SSH servers may have an expired password change dialog. For
135 announces the password is expired, but does not implement the dialog to
138 `ipmitool user set password` command when accessed in-band.
142 ConfigureSelf privilege which allows it to only change the password and
147 1. PATCH the new password into the ManagerAccount object.
152 This design is intended to cover any cause of expired password, including both
153 the BMC's initial expired password and password expired for another cause such
157 password change dialog for the signon screen.
161 expired password:
163 - If the `/login` URI was used, the HTTP response indicates the password must be
168 - At this point the web app can display a message that the password is expired
169 and must be changed, then get the new password.
170 - PATCH the password to the account specified in the PasswordChangeRequired
179 - Unique password per machine. That approach requires additional effort, for
183 have network authority and establish a password at that time. This may be
190 - Provision the BMC with a certificate instead of a password, for example, an
192 default password (when the matching private certificate becomes well known)
194 - Require physical presence to change the password. For example, applying a
201 - Have a new service to detect if any password has its default value, and write
206 Warning. This design may leave the BMC with its default password for an extended
213 the BMC (which includes changing its password) before you can leave provisioning
224 Having to change an expired password is annoying and breaks operational
229 needed to detect and change an expired password.
234 This design does not affect other policies such as password aging.
242 - Selected interfaces allow the password to be changed.
243 2. Ensure factory reset resets the password to its initial expired state (repeat
245 3. Ensure the password change is effective for users entering from all supported
246 interfaces. For example, change the password via the Redfish API, and
247 validate that the old password does not work and the new password does work
250 not cause a previously set password to change to default or to expire. (B)
251 Validate what happens when the BMC has a default password and does code
252 update to a release which has the default expired password design (this
256 to power off the host while the BMC's password is expired.
259 7. Validate you can to change an IPMI user's expired password, such as with:
260 ipmitool user set password 1 NEWPASSWORD. This can be from another IPMI