docs/designs/expired-password.md

7 Created: 2019-07-24
67 - The BMC's initial password must be expired when the new EXPIRED_PASSWORD image
69 - An account with an expired password must not be allowed to use the BMC (except
71 - There must be a way to change the expired password using a supported
76 - The BMC automatically connects to its management network which offers
79 - The BMC is operated from its management network.
83 - The BMC has at least one account with a default password built in.
84 - The BMC can update the password; for example, the `/etc/passwd` file is
93    `passwd --expire root` command. This administratively expires the password
129    This can be either from a network-facing or in-band password changing
131    - Redfish: This design adds the Redfish PasswordChangeRequired handling to
133    - SSH server: The SSH servers may have an expired password change dialog. For
137    - Access via the BMC's host: for example, via the
138      `ipmitool user set password` command when accessed in-band.
154 as aging or via the `passwd --expire` command.
156 This design is intended to enable the webui-vue web application to implement a
163 - If the `/login` URI was used, the HTTP response indicates the password must be
166 - POST to `/redfish/v1/SessionService/Sessions` will establish a session which
168 - At this point the web app can display a message that the password is expired
170 - PATCH the password to the account specified in the PasswordChangeRequired
172 - DELETE the Session object to terminate the session.
173 - Create a new session and continue.
179 - Unique password per machine. That approach requires additional effort, for
181 - Default to having no users with access to the BMC via its network. When
185   requires the tech to have access, and requires re-provisioning the account
187 - Disable network access by default. That approach requires another BMC access
190 - Provision the BMC with a certificate instead of a password, for example, an
194 - Require physical presence to change the password. For example, applying a
196 - Have LDAP (or any authentication/authorization server) configured and have no
198   That approach requires the customer have an LDAP (or similar) server. Also,
199   how we can configure the LDAP, as we don't know the customer LDAP server
201 - Have a new service to detect if any password has its default value, and write
218 condition and re-asserts the user's usual authority immediately without
228 To help with this, the [REDFISH-cheatsheet][] will be updated with commands
231 [redfish-cheatsheet]:
232   https://github.com/openbmc/docs/blob/master/REDFISH-cheatsheet.md
241    - All available network interfaces deny access.
242    - Selected interfaces allow the password to be changed.