docs/designs/expired-password.md

7 Created: 2019-07-24
67 - The BMC's initial password must be expired when the new EXPIRED_PASSWORD image
69 - An account with an expired password must not be allowed to use the BMC (except
71 - There must be a way to change the expired password using a supported
76 - The BMC automatically connects to its management network which offers
79 - The BMC is operated from its management network.
83 - The BMC has at least one account with a default password built in.
84 - The BMC can update the password; for example, the `/etc/passwd` file is
93    `passwd --expire root` command. This administratively expires the password
129    This can be either from a network-facing or in-band password changing
131    - Redfish: This design adds the Redfish PasswordChangeRequired handling to
133    - SSH server: The SSH servers may have an expired password change dialog. For
137    - Access via the BMC's host: for example, via the
138      `ipmitool user set password` command when accessed in-band.
154 as aging or via the `passwd --expire` command.
156 This design is intended to enable the webui-vue web application to implement a
163 - If the `/login` URI was used, the HTTP response indicates the password must be
166 - POST to `/redfish/v1/SessionService/Sessions` will establish a session which
168 - At this point the web app can display a message that the password is expired
170 - PATCH the password to the account specified in the PasswordChangeRequired
172 - DELETE the Session object to terminate the session.
173 - Create a new session and continue.
179 - Unique password per machine. That approach requires additional effort, for
181 - Default to having no users with access to the BMC via its network. When
185   requires the tech to have access, and requires re-provisioning the account
187 - Disable network access by default. That approach requires another BMC access
190 - Provision the BMC with a certificate instead of a password, for example, an
194 - Require physical presence to change the password. For example, applying a
196 - Have LDAP (or any authentication/authorization server) configured and have no
201 - Have a new service to detect if any password has its default value, and write
218 condition and re-asserts the user's usual authority immediately without
228 To help with this, the [REDFISH-cheatsheet][] will be updated with commands
231 [redfish-cheatsheet]:
232   https://github.com/openbmc/docs/blob/master/REDFISH-cheatsheet.md
241    - All available network interfaces deny access.
242    - Selected interfaces allow the password to be changed.
250    not cause a previously set password to change to default or to expire. (B)