diff options
| author | Joseph Reynolds <joseph-reynolds@charter.net> | 2021-02-25 02:20:01 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2021-05-13 15:17:14 +0300 |
| commit | 68e567f9e76d4e54a70a84dbc43050d4cf214562 (patch) | |
| tree | 7f0b2303f18125cffbff28fca850bfcd20023e1e /meta-ibm/conf/machine | |
| parent | 01439a98f9b7b599ac02da3d90bc1954aee86cd8 (diff) | |
| download | openbmc-68e567f9e76d4e54a70a84dbc43050d4cf214562.tar.xz | |
IBM DISTRO_FEATURE ibm-service-account-policy
This creates a new DISTRO_FEATURE "ibm-service-account-policy" which
- Adds an admin account which cannot SSH to the BMC's command shell.
- Adds a service account which can SSH and has passwordless sudo access.
This feature is applied to witherspoon-tacoma and p10bmc (rainier).
Tested:
The image behaves as before when the distro feature is not configured.
When the distro feature is configured:
The root user has the same access as before.
The admin user:
- Is not allowed to access the BMC's command shell.
- Console login gets: This account is currently not available.
- SSH login gets: Permission denied, please try again.
- Redfish and REST API access works with role=Administrator.
The service user:
- Console login to the BMC's command shell works. The home
directory is /. Passwordless sudo works.
- SSH login works and using sudo from a SSH session works.
- Redfish and REST API access works with role=Administrator.
Change-Id: Icac5ba7f4fa663047709ab55007bbcfec8158f5e
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Diffstat (limited to 'meta-ibm/conf/machine')
| -rw-r--r-- | meta-ibm/conf/machine/p10bmc.conf | 1 | ||||
| -rw-r--r-- | meta-ibm/conf/machine/witherspoon-tacoma.conf | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/meta-ibm/conf/machine/p10bmc.conf b/meta-ibm/conf/machine/p10bmc.conf index 2cab74e4d..5206c27c5 100644 --- a/meta-ibm/conf/machine/p10bmc.conf +++ b/meta-ibm/conf/machine/p10bmc.conf @@ -15,6 +15,7 @@ require conf/distro/include/openpower-virtual-pnor.inc require conf/distro/include/phosphor-mmc.inc require conf/distro/include/ibm-mpreboot.inc require conf/distro/include/ibm-yaml.inc +DISTRO_FEATURES += "ibm-service-account-policy" SERIAL_CONSOLES = "115200;ttyS4" diff --git a/meta-ibm/conf/machine/witherspoon-tacoma.conf b/meta-ibm/conf/machine/witherspoon-tacoma.conf index 9826d55ec..2d696ecd8 100644 --- a/meta-ibm/conf/machine/witherspoon-tacoma.conf +++ b/meta-ibm/conf/machine/witherspoon-tacoma.conf @@ -14,6 +14,7 @@ require conf/distro/include/ibm-yaml.inc require conf/distro/include/openpower-virtual-pnor.inc require conf/distro/include/phosphor-mmc.inc require conf/distro/include/ibm-mpreboot.inc +DISTRO_FEATURES += "ibm-service-account-policy" SERIAL_CONSOLES = "115200;ttyS4" |