xref: /openbmc/docs/designs/expired-password.md (revision 31de159f) 
1# Initial expired passwords
2
3Author:
4  Joseph Reynolds <josephreynolds1>
5
6Primary assignee:
7  Joseph Reynolds <josephreynolds1>
8
9Other contributors:
10  None
11
12Created:
13  2019-07-24
14
15## Problem Description
16OpenBMC has a default password, connects to the network via DHCP, and
17does not have a mechanism to require administrators to change the
18BMC's password.  This may lead to BMCs which have default passwords
19being on the network for long time periods, effectively giving
20unrestricted access to the BMC.
21
22## Background and References
23Various computer systems ship with default userid and passwords and
24require the password be changed on the initial signon.  This reduces
25the time window when the system is accessible with a default password.
26
27Various BMC interfaces require authentication before access is
28granted.  The authentication and account validation steps typically
29result in outcomes like this:
301. Success, when the access credentials (such as username and password)
31   are correct and the account being accessed is valid.
322. Failure, when either the access credentials are invalid or the
33   account being accessed is invalid.  For example, the account itself
34   (not merely its password) may be expired.
353. PasswordChangeRequired, when the access credentials are correct and
36   the account is valid except the account's password is expired (such as
37   indicated by PAM_CHANGE_EXPIRED_AUTHTOK).
38
39OpenBMC currently implements the first two outcomes; it treats
40PasswordChangeRequired the same as an account that is invalid for any
41other reason.  Some servers (such as the OpenSSH server) handle the
42PasswordChangeRequired by implementing a "password change dialog".
43
44The [Redfish Specification version 1.7.0][] section 13.2.6.1 ("Password
45change required handling") provides the ManagerAccount resource v1.3
46with a PasswordChangeRequired property which supports a password
47change dialog.
48
49[Redfish Specification version 1.7.0]: https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.7.0.pdf
50
51Note the terminology:
52An "expired password" is a special case of "password change required".
53
54The meaning of the term "access" varies by context.  It could mean:
55 1. Access to the BMC's network interfaces.
56 2. Access to the BMC's authentication mechanisms together with
57    correct credentials, whether or not those credentials have
58    expired and must be changed.
59 3. Access to the BMC's function via an authenticated interface, for
60    example, such as establishing a session after you've changed your
61    initial password.
62 4. Access to the BMC's function via an unauthenticated interface such
63    as host IPMI or physical control panel (example: power button).
64
65This design uses meanings 3 and 4 except where indicated.
66
67## Requirements
68The requirements are:
69 - The BMC's initial password must be expired when the new
70   EXPIRED_PASSWORD image feature is used.
71 - An account with an expired password must not be allowed to use the
72   BMC (except to change the password).
73 - There must be a way to change the expired password using a
74   supported interface.
75
76The use case is:
77 - The BMC automatically connects to its management network which
78   offers administrative or operational interfaces (whether or not the
79   BMC is normally operated via its host).
80 - The BMC is operated from its management network.
81
82Preconditions for the BMC include:
83 - The BMC has at least one account with a default password built in.
84 - The BMC can update the password; for example, the `/etc/passwd`
85   file is writeable.
86
87## Proposed Design
88This design has three main parts:
89
901. There is a new image feature EXPIRED_PASSWORD. When
91   EXPIRED_PASSWORD is enabled, the BMC's default password will
92   initially be expired as if via the `passwd --expire root` command.
93   This administratively expires the password and is not based on
94   time.  An account with an expired password is neither locked nor
95   disabled.
96
97   This feature is intended to be enabled by default, with a staging
98   plan: the feature will be disabled to give time for the continuous
99   integration (CI) and test automation efforts to adapt, then enabled
100   for the overall project.
101
1022. The BMC's network interfaces (such as REST APIs, SSH, and IPMI)
103   disallow access via an account which has an expired password.  If
104   the access credentials are otherwise correct and the reason for the
105   authentication failure is an expired password (determined by the
106   usual Linux practices), where possible, the interface should
107   indicate the password is expired and how to change it (see below).
108   Otherwise the usual security protocols apply (giving no additional
109   information).
110
111   The `/login` URI is enhanced.  If it is used with correct
112   credentials (userid and password) and the password needs to be
113   changed the request will fail to create a session and indicate a
114   password change is needed.  If it is used with correct userid and
115   incorrect password, or with an incorrect userid, the behavior must
116   not change.  Note the `/login` URI is deprecated.
117
118   The '/redfish/v1/SessionService/Sessions/<session>' and
119   '/redfish/v1/AccountService/Accounts/<account>' resources are
120   enhanced to indicate PasswordChangeRequired per the Redfish spec.
121
122   The `ipmitool` command treats an expired password the same as an
123   invalid password.  Note the RMCP+ standard, such as used for the
124   BMC's network IPMI interface, does not support changing the
125   password when establishing a session.  The ipmitool is not being
126   enhanced by this design.
127
128   The Secure Shell access (via the `ssh` command) already correctly
129   indicates when the password is expired.  No change is needed.  But
130   see the next bullet for the expired password dialog.
131
1323. There is a way for an account owner to change their own expired
133   password.  This can be either from a network-facing or in-band
134   password changing protocol.  For example:
135    - Redfish: This design adds the Redfish PasswordChangeRequired
136      handling to BMCWeb.  See below for details.
137    - SSH server: The SSH servers may have an expired password change
138      dialog.  For example, OpenSSH implement this feature.  However,
139      the Dropbear SSH server announces the password is expired, but
140      does not implement the dialog to change it.
141    - Access via the BMC's host: for example, via the `ipmitool user
142      set password` command when accessed in-band.
143
144When Redfish creates a session with PasswordChangeRequired, every
145response contains a PasswordChangeRequired message.  The session
146effectively has only the ConfigureSelf privilege which allows it to
147only change the password and terminate the session.  The usage
148pattern is:
149 1. Create a session.
150 2. If the PasswordChangeRequired message is present:
151     1. PATCH the new password into the ManagerAccount object.
152     2. Any other use of the session will get HTTP status code 403
153        Forbidden.
154     3. DELETE the Session object to terminate the session.
155     4. Create a new session and continue.
156
157This design is intended to cover any cause of expired password,
158including both the BMC's initial expired password and password expired
159for another cause such as aging or via the `passwd --expire` command.
160
161This design is intended to enable the phosphor-webui web application
162to implement a password change dialog for the signon screen.
163
164Per the above design, when the web app uses either `/login` or
165`/redfish/v1/SessionService` to establish a session and the account
166has an expired password:
167 - If the `/login` URI was used, the HTTP response indicates the
168   password must be changed, and will not establish a session.  In
169   this case, the web app must use the Redfish API to establish a
170   session.
171 - POST to `/redfish/v1/SessionService/Sessions` will establish a
172   session which will have the PasswordChangeRequired message.
173 - At this point the web app can display a message that the password
174   is expired and must be changed, then get the new password.
175 - PATCH the password to the account specified in the
176   PasswordChangeRequired message.
177 - DELETE the Session object to terminate the session.
178 - Create a new session and continue.
179
180## Alternatives Considered
181The following alternate designs were considered:
182- Unique password per machine.  That approach requires additional
183  effort, for example, to set and track assigned passwords.
184- Default to having no users with access to the BMC via its network.
185  When network access is needed, a technician would create or modify
186  the userid to have network authority and establish a password at
187  that time.  This may be through the BMC's host system or via the
188  BMC's serial console.  That approach requires the tech to have
189  access, and requires re-provisioning the account after factory reset
190- Disable network access by default.  That approach requires another
191  BMC access vector, such as physical access or via the BMC's host, to
192  enable network access.
193- Provision the BMC with a certificate instead of a password, for
194  example, an SSH client certificate.  That approach suffers from the
195  same limitations as a default password (when the matching private
196  certificate becomes well known) and requires the BMC provide SSH
197  access.
198- Require physical presence to change the password.  For example,
199  applying a jumper, or signing in via a serial cable.  That approach
200  is not standard.
201- Have LDAP (or any authentication/authorization server) configured
202  and have no local users which have default passwords configured in
203  the BMC firmware image.  That approach requires the customer have an
204  LDAP (or similar) server.  Also, how we can configure the LDAP, as
205  we don't know the customer LDAP server configuration?
206- Have a new service to detect if any password has its default value,
207  and write log messages for that condition, with the idea to alert
208  the system owner of this condition. That approach doesn't solve the
209  problem and burdens BMC resources.
210
211Warning.  This design may leave the BMC with its default password for
212an extended period of time if the use case given in the requirements
213section of this design does not apply.  For example, when the host is
214operated strictly via its power button and not through the BMC's
215network interface.  In this case, the alternatives listed above may
216mitigate this risk.  Another alternative is a design where the BMC is
217initially in a provisioning mode which does not allow the BMC to
218operate its host.  The idea is that you have to establish access to
219the BMC (which includes changing its password) before you can leave
220provisioning mode.
221
222The BMCWeb Redfish server could be enhanced so that when the Password
223is successfully patched, the session no longer asserts the
224PasswordChangeRequired condition and re-asserts the user's usual
225authority immediately without requiring a new session.  This is
226allowed by the Redfish spec, but was not implemented because it would
227be more difficult to code and test.
228
229## Impacts
230Having to change an expired password is annoying and breaks
231operational procedures and scripts.  Documentation, lifecycle review,
232and test are needed.  Expect pain when this is enabled.
233
234To help with this, the [REDFISH-cheatsheet][] will be updated with
235commands needed to detect and change an expired password.
236
237[REDFISH-cheatsheet]: https://github.com/openbmc/docs/blob/master/REDFISH-cheatsheet.md
238
239This design does not affect other policies such as password aging.
240
241## Testing
242Scenarios:
2431. Ensure that when the BMC is in its initial state:
244    - All available network interfaces deny access.
245    - Selected interfaces allow the password to be changed.
2462. Ensure factory reset resets the password to its initial expired
247   state (repeat the tests above).
2483. Ensure the password change is effective for users entering from all
249   supported interfaces.  For example, change the password via the
250   Redfish API, and validate that the old password does not work and
251   the new password does work via IPMI for the same user.
2524. Handle BMC code update scenarios.  For example, (A) Ensure code
253   update does not cause a previously set password to change to
254   default or to expire.  (B) Validate what happens when the BMC has a
255   default password and does code update to a release which has the
256   default expired password design (this design).
2575. Ensure the BMC continues to operate its host, for example, when the
258   BMC is factory reset while the host is running.  Ensure the power
259   button can be used to power off the host while the BMC's password is
260   expired.
2616. Test on BMC using Linux PAM both with and without LDAP or
262   ActiveDirectory configured.
2637. Validate you can to change an IPMI user's expired password, such as
264   with: ipmitool user set password 1 NEWPASSWORD.  This can be from
265   another IPMI user's session or from unauthenticated access.
266