History log of /openbmc/openbmc/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth (Results 1 – 5 of 5)
Revision Date Author Comments
Revision tags: 2.18.0-dev, 2.17.0-dev, 2.16.0-dev, 2.14.0, 2.14.0-rc1, 2.15.0-dev, 2.13.0, 2.14.0-dev, 2.12.0, 2.12.0-rc1, 2.13.0-dev, 2.11.0, 2.12.0-dev, 2.10.0-rc1, 2.11.0-dev
# fa324837 16-Mar-2021 Joseph Reynolds <joseph-reynolds@charter.net>

Update to libpam 1.5.2

This updates to libpam 1.5.2. This version removes support for
pam_cracklib and pam_tally2. They are replaced by pam_pwquality and
pam_faillock respectively.

Since parameters of pam_cracklib and pam_tally2 are configurable through
Redfish, it's possible that they will remain in the overlay of
/etc/pam.d with the old module names preventing PAM from working
correctly. To avoid this, this commit includes a script that will detect
if the old modules are in the overlay and update the overlay with the
new modules and configuration.

The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there
are configured parameters during a downgrade from libpam 1.5.2 to libpam
1.3.1, it will require a factory reset before the downgrade.

pam_pwquality was selected over pam_passwdqc because of better security
and compatibility with pam_cracklib.

Note pam_faillock is necessarily configured into the pam module stack
differently than pam_tally2.

This patchset causes a BMC operational change:
- The pam_tally2 command (invoked from the BMC's command line) is no
longer present. If you used the "pam_tally2 -u USER -r" command
to unlock a user after repeated authentication failures, change to
use: faillock --user USER --reset

Compatibility note / migration issue. If your BMC cannot authenticate
users after installing this change, the cause might be an overlayfs file
hiding the new /etc/pam.d/common-auth file. To find out, use
`grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2"
then your BMC is affected. The recovery is to delete the overlay file,
to factory reset the BMC, or manually install the changed files.
The convert-pam-configs service is intended to handle this problem.

Tested: as follows, for local users only (not tested with LDAP)

Note OpenBMC configuration defaults to an AccountLockoutThreshold
value of 0 which does not lock account passwords no matter how many
consecutive failed authentication attempts. To configure this on
the BMC, for example, use:
curl -X PATCH https://${bmc}/redfish/v1/AccountService
-d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'

Tested update scenarios:
1. Install from scratch. Success.
2. Install over firmware which had old PAM configs. Success.

Tested update scenarios for the convert-pam-configs service.

Tested changing the password via various interfaces:
- the passwd command
- the PATCH Redfish AccountService {Password: NEW}
- SSH (accessible only when the password is expired)
- IPMI user set password (accessible for unexpired password)

Tested both good and bad (unacceptable) passwords.

Tested account lockout after N bad passwords
Tested unlock via Redfish.

Also, because its implementation changed, ensure reading and writing the
D-Bus User AccountPolicy RememberOldPasswordTimes property continues to
work. There is no Redfish API for this.

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
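A small parser for the pam.d line format these commits edit, with an audit for the two conditions the log describes (modules libpam 1.5.2 no longer ships, and pam_unix `nullok`). This is an added example, not the project's convert-pam-configs script; the sample file contents and the function names are constructed for illustration.

```python
import re

# Modules dropped by libpam 1.5.2 and their replacements, as listed in the
# commit message above.
REMOVED_MODULES = {"pam_cracklib.so": "pam_pwquality.so",
                   "pam_tally2.so": "pam_faillock.so"}

# Constructed sample of an /etc/pam.d/common-auth overlay still carrying a
# pre-1.5.2 stack; it is not the project's actual file.
SAMPLE_COMMON_AUTH = """\
#%PAM-1.0
auth    [success=ok default=ignore]   pam_tally2.so deny=3 unlock_time=60
-auth   [success=1 default=ignore]    pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
auth    [success=1 default=ignore]    pam_unix.so nullok
auth    required                      pam_deny.so
auth    required                      pam_permit.so
"""

_LINE_RE = re.compile(
    r"^(?P<opt>-?)(?P<type>\w+)\s+"            # optional '-' then auth/account/...
    r"(?P<control>\[[^\]]*\]|\S+)\s+"          # keyword or [bracketed] control field
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")   # module and its arguments

def parse_pam_config(text):
    """Parse pam.d lines into dicts; a leading '-' marks a module whose load
    failure PAM will not log (the trick the pam_ldap commit below relies on)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        entries.append({"optional": m.group("opt") == "-", "type": m.group("type"),
                        "control": m.group("control"), "module": m.group("module"),
                        "args": (m.group("args") or "").split()})
    return entries

def audit_common_auth(text):
    """Return (module, issue) findings: a non-empty list means the overlay
    needs migration (removed module) or weakens auth (pam_unix nullok)."""
    findings = []
    for e in parse_pam_config(text):
        if e["module"] in REMOVED_MODULES:
            findings.append((e["module"], "replace with " + REMOVED_MODULES[e["module"]]))
        if e["module"] == "pam_unix.so" and "nullok" in e["args"]:
            findings.append((e["module"], "nullok accepts empty passwords"))
    return findings
```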


Revision tags: 2.9.0, 2.9.0-rc1, 2.10.0-dev, 2.8.0, 2.8.0-rc1, 2.9.0-dev
# 2b597051 02-Nov-2019 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

pam: Disable sensitive log & nullok

pam_unix logs user name when sessions are established, quiet
the same in configuration. This is done to avoid logging user name
as logs will be exported as part of debug log dump etc, thereby
compromising sensitive information.
Also disallow nullok login from a security point of view.

Tested:
1. Verified that session establishment is not recorded with user
name.
2. Verified webui, redfish, ipmi, ssh login works as expected.

(From meta-phosphor rev: 15a293b458ef2f013356f9746c0ac7a20e59c1c1)

Change-Id: Ic0fcdbfd9a5968fa55a27b7d2de379f8ba131cac
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>


# 4bfffde7 30-Aug-2019 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

pam: Fix not querying password for invalid user

Not querying password for invalid user name is a security
issue and can be used to determine valid / invalid user names
in the system. Always proceed to password acceptance screen
for invalid user login attempt too. This commit configures
pam_tally2 to ignore unknown user and proceed to do password
check.

Tested:
Verified the same on the BMC serial console login with an invalid user
name: the password was requested before "login incorrect" was displayed.

Note: dropbear handles this already and hence ssh will not exhibit
this behavior.

(From meta-phosphor rev: 356ec08b989c84d1d034c3ff283a6909658d9435)

Change-Id: I72483d26ad7b7c39068ac33b7387adf2b10a1a27
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>


Revision tags: 2.7.0, 2.7.0-rc1, 2.8.0-dev, 2.7.0-dev
# 56e35711 05-Feb-2019 manojkiraneda <manojkiran.eda@gmail.com>

Adding pam_ldap.so by masking pam load errors

Absence of ldap distro feature will not generate pam_ldap.so because
of which we might see some unwanted error messages regarding the
failure in opening the pam_ldap.so in journalctl in case pam_ldap
is present in PAM Configuration.

This commit would:

- Leverage '-' option before the 'type' in pam configuration, by which
the PAM library will not log any errors in the syslog if it is not
able to load the module because it is missing in the system. By using
this we don't need two pam configuration files for ldap and unix.
- Leverages ignore_unknown_user & ignore_authinfo_unavail options of
pam_ldap.so, which forces the PAM framework to ignore pam_ldap in case
the user is not present in LDAP server or if the client cannot
connect to LDAP Server.

(From meta-phosphor rev: 2c7efc937785a76e35a06b6807e12765ad40d99d)

Change-Id: Ic1044989ccae4e6e442de9865cf00cea33f75262
Signed-off-by: manojkiraneda <manojkiran.eda@gmail.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>


# f61a81a2 04-Feb-2019 Brad Bishop <bradleyb@fuzziesquirrel.com>

phosphor: pam: move libpam to recipes-extended

Move pam metadata from recipes-core to recipes-extended, to match
oe-core.

(From meta-phosphor rev: 6f75a62ec75deb7ba6efdc5b5c3dda960dda701d)

Change-Id: If8e36b1199f9e70ce27522d915ceaa281caaabc6
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
