1# Initial expired passwords 2 3Author: Joseph Reynolds <josephreynolds1> 4 5Other contributors: None 6 7Created: 2019-07-24 8 9## Problem Description 10 11OpenBMC has a default password, connects to the network via DHCP, and does not 12have a mechanism to require administrators to change the BMC's password. This 13may lead to BMCs which have default passwords being on the network for long time 14periods, effectively giving unrestricted access to the BMC. 15 16## Background and References 17 18Various computer systems ship with default userid and passwords and require the 19password be changed on the initial signon. This reduces the time window when the 20system is accessible with a default password. 21 22Various BMC interfaces require authentication before access is granted. The 23authentication and account validation steps typically result in outcomes like 24this: 25 261. Success, when the access credentials (such as username and password) are 27 correct and the account being accessed is valid. 282. Failure, when either the access credentials are invalid or the account being 29 accessed is invalid. For example, the account itself (not merely its 30 password) may be expired. 313. PasswordChangeRequired, when the access credentials are correct and the 32 account is valid except the account's password is expired (such as indicated 33 by PAM_CHANGE_EXPIRED_AUTHTOK). 34 35OpenBMC currently implements the first two outcomes; it treats 36PasswordChangeRequired the same as an account that is invalid for any other 37reason. Some servers (such as the OpenSSH server) handle the 38PasswordChangeRequired by implementing a "password change dialog". 39 40The [Redfish Specification version 1.7.0][] section 13.2.6.1 ("Password change 41required handling") provides the ManagerAccount resource v1.3 with a 42PasswordChangeRequired property which supports a password change dialog. 43 44[redfish specification version 1.7.0]: 45 https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.7.0.pdf 46 47Note the terminology: An "expired password" is a special case of "password 48change required". 49 50The meaning of the term "access" varies by context. It could mean: 51 521. Access to the BMC's network interfaces. 532. Access to the BMC's authentication mechanisms together with correct 54 credentials, whether or not those credentials have expired and must be 55 changed. 563. Access to the BMC's function via an authenticated interface, for example, 57 such as establishing a session after you've changed your initial password. 584. Access to the BMC's function via an unauthenticated interface such as host 59 IPMI or physical control panel (example: power button). 60 61This design uses meanings 3 and 4 except where indicated. 62 63## Requirements 64 65The requirements are: 66 67- The BMC's initial password must be expired when the new EXPIRED_PASSWORD image 68 feature is used. 69- An account with an expired password must not be allowed to use the BMC (except 70 to change the password). 71- There must be a way to change the expired password using a supported 72 interface. 73 74The use case is: 75 76- The BMC automatically connects to its management network which offers 77 administrative or operational interfaces (whether or not the BMC is normally 78 operated via its host). 79- The BMC is operated from its management network. 80 81Preconditions for the BMC include: 82 83- The BMC has at least one account with a default password built in. 84- The BMC can update the password; for example, the `/etc/passwd` file is 85 writeable. 86 87## Proposed Design 88 89This design has three main parts: 90 911. There is a new image feature EXPIRED_PASSWORD. When EXPIRED_PASSWORD is 92 enabled, the BMC's default password will initially be expired as if via the 93 `passwd --expire root` command. This administratively expires the password 94 and is not based on time. An account with an expired password is neither 95 locked nor disabled. 96 97 This feature is intended to be enabled by default, with a staging plan: the 98 feature will be disabled to give time for the continuous integration (CI) and 99 test automation efforts to adapt, then enabled for the overall project. 100 1012. The BMC's network interfaces (such as REST APIs, SSH, and IPMI) disallow 102 access via an account which has an expired password. If the access 103 credentials are otherwise correct and the reason for the authentication 104 failure is an expired password (determined by the usual Linux practices), 105 where possible, the interface should indicate the password is expired and how 106 to change it (see below). Otherwise the usual security protocols apply 107 (giving no additional information). 108 109 The `/login` URI is enhanced. If it is used with correct credentials (userid 110 and password) and the password needs to be changed the request will fail to 111 create a session and indicate a password change is needed. If it is used with 112 correct userid and incorrect password, or with an incorrect userid, the 113 behavior must not change. Note the `/login` URI is deprecated. 114 115 The '/redfish/v1/SessionService/Sessions/<session>' and 116 '/redfish/v1/AccountService/Accounts/<account>' resources are enhanced to 117 indicate PasswordChangeRequired per the Redfish spec. 118 119 The `ipmitool` command treats an expired password the same as an invalid 120 password. Note the RMCP+ standard, such as used for the BMC's network IPMI 121 interface, does not support changing the password when establishing a 122 session. The ipmitool is not being enhanced by this design. 123 124 The Secure Shell access (via the `ssh` command) already correctly indicates 125 when the password is expired. No change is needed. But see the next bullet 126 for the expired password dialog. 127 1283. There is a way for an account owner to change their own expired password. 129 This can be either from a network-facing or in-band password changing 130 protocol. For example: 131 - Redfish: This design adds the Redfish PasswordChangeRequired handling to 132 BMCWeb. See below for details. 133 - SSH server: The SSH servers may have an expired password change dialog. For 134 example, OpenSSH implement this feature. However, the Dropbear SSH server 135 announces the password is expired, but does not implement the dialog to 136 change it. 137 - Access via the BMC's host: for example, via the 138 `ipmitool user set password` command when accessed in-band. 139 140When Redfish creates a session with PasswordChangeRequired, every response 141contains a PasswordChangeRequired message. The session effectively has only the 142ConfigureSelf privilege which allows it to only change the password and 143terminate the session. The usage pattern is: 144 1451. Create a session. 1462. If the PasswordChangeRequired message is present: 147 1. PATCH the new password into the ManagerAccount object. 148 2. Any other use of the session will get HTTP status code 403 Forbidden. 149 3. DELETE the Session object to terminate the session. 150 4. Create a new session and continue. 151 152This design is intended to cover any cause of expired password, including both 153the BMC's initial expired password and password expired for another cause such 154as aging or via the `passwd --expire` command. 155 156This design is intended to enable the webui-vue web application to implement a 157password change dialog for the signon screen. 158 159Per the above design, when the web app uses either `/login` or 160`/redfish/v1/SessionService` to establish a session and the account has an 161expired password: 162 163- If the `/login` URI was used, the HTTP response indicates the password must be 164 changed, and will not establish a session. In this case, the web app must use 165 the Redfish API to establish a session. 166- POST to `/redfish/v1/SessionService/Sessions` will establish a session which 167 will have the PasswordChangeRequired message. 168- At this point the web app can display a message that the password is expired 169 and must be changed, then get the new password. 170- PATCH the password to the account specified in the PasswordChangeRequired 171 message. 172- DELETE the Session object to terminate the session. 173- Create a new session and continue. 174 175## Alternatives Considered 176 177The following alternate designs were considered: 178 179- Unique password per machine. That approach requires additional effort, for 180 example, to set and track assigned passwords. 181- Default to having no users with access to the BMC via its network. When 182 network access is needed, a technician would create or modify the userid to 183 have network authority and establish a password at that time. This may be 184 through the BMC's host system or via the BMC's serial console. That approach 185 requires the tech to have access, and requires re-provisioning the account 186 after factory reset 187- Disable network access by default. That approach requires another BMC access 188 vector, such as physical access or via the BMC's host, to enable network 189 access. 190- Provision the BMC with a certificate instead of a password, for example, an 191 SSH client certificate. That approach suffers from the same limitations as a 192 default password (when the matching private certificate becomes well known) 193 and requires the BMC provide SSH access. 194- Require physical presence to change the password. For example, applying a 195 jumper, or signing in via a serial cable. That approach is not standard. 196- Have LDAP (or any authentication/authorization server) configured and have no 197 local users which have default passwords configured in the BMC firmware image. 198 That approach requires the customer have an LDAP (or similar) server. Also, 199 how we can configure the LDAP, as we don't know the customer LDAP server 200 configuration? 201- Have a new service to detect if any password has its default value, and write 202 log messages for that condition, with the idea to alert the system owner of 203 this condition. That approach doesn't solve the problem and burdens BMC 204 resources. 205 206Warning. This design may leave the BMC with its default password for an extended 207period of time if the use case given in the requirements section of this design 208does not apply. For example, when the host is operated strictly via its power 209button and not through the BMC's network interface. In this case, the 210alternatives listed above may mitigate this risk. Another alternative is a 211design where the BMC is initially in a provisioning mode which does not allow 212the BMC to operate its host. The idea is that you have to establish access to 213the BMC (which includes changing its password) before you can leave provisioning 214mode. 215 216The BMCWeb Redfish server could be enhanced so that when the Password is 217successfully patched, the session no longer asserts the PasswordChangeRequired 218condition and re-asserts the user's usual authority immediately without 219requiring a new session. This is allowed by the Redfish spec, but was not 220implemented because it would be more difficult to code and test. 221 222## Impacts 223 224Having to change an expired password is annoying and breaks operational 225procedures and scripts. Documentation, lifecycle review, and test are needed. 226Expect pain when this is enabled. 227 228To help with this, the [REDFISH-cheatsheet][] will be updated with commands 229needed to detect and change an expired password. 230 231[redfish-cheatsheet]: 232 https://github.com/openbmc/docs/blob/master/REDFISH-cheatsheet.md 233 234This design does not affect other policies such as password aging. 235 236## Testing 237 238Scenarios: 239 2401. Ensure that when the BMC is in its initial state: 241 - All available network interfaces deny access. 242 - Selected interfaces allow the password to be changed. 2432. Ensure factory reset resets the password to its initial expired state (repeat 244 the tests above). 2453. Ensure the password change is effective for users entering from all supported 246 interfaces. For example, change the password via the Redfish API, and 247 validate that the old password does not work and the new password does work 248 via IPMI for the same user. 2494. Handle BMC code update scenarios. For example, (A) Ensure code update does 250 not cause a previously set password to change to default or to expire. (B) 251 Validate what happens when the BMC has a default password and does code 252 update to a release which has the default expired password design (this 253 design). 2545. Ensure the BMC continues to operate its host, for example, when the BMC is 255 factory reset while the host is running. Ensure the power button can be used 256 to power off the host while the BMC's password is expired. 2576. Test on BMC using Linux PAM both with and without LDAP or ActiveDirectory 258 configured. 2597. Validate you can to change an IPMI user's expired password, such as with: 260 ipmitool user set password 1 NEWPASSWORD. This can be from another IPMI 261 user's session or from unauthenticated access. 262