/openbmc/openbmc/meta-ampere/meta-common/recipes-extended/pam/libpam/ |
H A D | faillock.conf | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-phosphor/recipes-extended/pam/libpam/ |
H A D | convert-pam-configs.service | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
H A D | faillock.conf | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
H A D | convert-pam-configs.sh | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-ampere/meta-common/recipes-extended/libpwquality/libpwquality/ |
H A D | pwquality.conf | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-ampere/meta-common/recipes-extended/libpwquality/ |
H A D | libpwquality_%.bbappend | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-phosphor/recipes-extended/libpwquality/ |
H A D | libpwquality_%.bbappend | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-supermicro/meta-common/recipes-extended/libpwquality/ |
H A D | libpwquality_%.bbappend | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-supermicro/meta-common/recipes-extended/libpwquality/libpwquality/ |
H A D | pwquality.conf | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-ampere/meta-common/recipes-extended/pam/ |
H A D | libpam_%.bbappend | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-phosphor/recipes-extended/libpwquality/libpwquality/ |
H A D | pwquality.conf | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-google/recipes-extended/pam/ |
H A D | libpam_%.bbappend | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-phosphor/recipes-extended/pam/libpam/pam.d/ |
H A D | common-account | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
H A D | common-auth | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
H A D | common-password | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-phosphor/recipes-extended/pam/ |
H A D | libpam_%.bbappend | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|
/openbmc/openbmc/meta-google/recipes-phosphor/images/ |
H A D | obmc-phosphor-image.bbappend | fa324837 Tue Mar 16 16:30:40 CDT 2021 Joseph Reynolds <joseph-reynolds@charter.net> Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.
This patchset causes a BMC operational change: - The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use: curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios: 1. Install from scratch. Success. 2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces: - the passwd command - the PATCH Refish AccountService {Password: NEW} - SSH (accessible only when the password is expired) - IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com> Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
|