-rw-r--r-- | meta-ibm/conf/machine/p10bmc.conf | 1 | ||||
-rw-r--r-- | meta-ibm/conf/machine/witherspoon-tacoma.conf | 1 | ||||
-rw-r--r-- | meta-ibm/recipes-extended/sudo/sudo_%.bbappend | 8 | ||||
-rw-r--r-- | meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend | 58 |
4 files changed, 68 insertions, 0 deletions
diff --git a/meta-ibm/conf/machine/p10bmc.conf b/meta-ibm/conf/machine/p10bmc.conf
index 2cab74e4d..5206c27c5 100644
--- a/meta-ibm/conf/machine/p10bmc.conf
+++ b/meta-ibm/conf/machine/p10bmc.conf
@@ -15,6 +15,7 @@ require conf/distro/include/openpower-virtual-pnor.inc
 require conf/distro/include/phosphor-mmc.inc
 require conf/distro/include/ibm-mpreboot.inc
 require conf/distro/include/ibm-yaml.inc
+DISTRO_FEATURES += "ibm-service-account-policy"
 SERIAL_CONSOLES = "115200;ttyS4"
diff --git a/meta-ibm/conf/machine/witherspoon-tacoma.conf b/meta-ibm/conf/machine/witherspoon-tacoma.conf
index 9826d55ec..2d696ecd8 100644
--- a/meta-ibm/conf/machine/witherspoon-tacoma.conf
+++ b/meta-ibm/conf/machine/witherspoon-tacoma.conf
@@ -14,6 +14,7 @@ require conf/distro/include/ibm-yaml.inc
 require conf/distro/include/openpower-virtual-pnor.inc
 require conf/distro/include/phosphor-mmc.inc
 require conf/distro/include/ibm-mpreboot.inc
+DISTRO_FEATURES += "ibm-service-account-policy"
 SERIAL_CONSOLES = "115200;ttyS4"
diff --git a/meta-ibm/recipes-extended/sudo/sudo_%.bbappend b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 000000000..f4254e7ba
--- /dev/null
+++ b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,8 @@
+# Allow passwordless use of sudo
+
+PACKAGECONFIG += "pam-wheel"
+
+do_install_append () {
+ # Allow members of the 'wheel' group to use passwordless sudo
+ sed -i 's/# \(%wheel ALL=(ALL) NOPASSWD: ALL\)/\1/' ${D}${sysconfdir}/sudoers
+}
diff --git a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
index 403bfa0cc..57260f06b 100644
--- a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
+++ b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
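Review bot: The `do_install_append` in sudo_%.bbappend uncomments the `%wheel ... NOPASSWD: ALL` rule unconditionally, while the image recipe only installs sudo and creates the `service` account when DISTRO_FEATURES contains `ibm-service-account-policy`, so any other meta-ibm image that pulls in sudo also gets passwordless root for `wheel`. The sed also fails silently if upstream's commented template does not match this exact text, leaving the policy half-applied with no build error. Gate both the `pam-wheel` PACKAGECONFIG and the sudoers edit on the same feature, and fail the build if the rule is not present afterwards, as sketched below.
```bitbake
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'pam-wheel', '', d)}"

do_install_append () {
    if ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'true', 'false', d)}; then
        # … unchanged: sed that uncomments the %wheel NOPASSWD line …
        grep -q '^%wheel ALL=(ALL) NOPASSWD: ALL$' ${D}${sysconfdir}/sudoers || bbfatal "wheel NOPASSWD rule was not applied to sudoers"
    fi
}
```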
@@ -5,3 +5,61 @@ OBMC_IMAGE_EXTRA_INSTALL_append_mihawk = " mboxd liberation-fonts uart-render-co
 # remove so things fit in available flash space
 IMAGE_FEATURES_remove_witherspoon = "obmc-user-mgmt-ldap"
+
+# Optionally configure IBM service accounts
+#
+# To configure your distro, add the following line to its config:
+# DISTRO_FEATURES += "ibm-service-account-policy"
+#
+# The service account policy is as follows:
+# root - The root account remains present. It is needed for internal
+# accounting purposes and for debugging service access.
+# admin - Provides administrative control over the BMC. The role is
+# SystemAdministrator. Admin users have access to interfaces including:
+# Redfish, REST APIs, Web. No access to the BMC via: the BMC's physical
+# console, SSH to the BMC's command line.
+# IPMI access is not granted by default, but admins can authorize
+# themselves and enable the IPMI service.
+# The admin has access to the host console: ssh -p2200 admin@${bmc}.
+# The admin account does not have a home directory.
+# service - Provides IBM service and support representatives (SSRs, formerly
+# known as customer engineers or CEs) access to the BMC. The role is
+# OemIBMServiceAgent. The service user has full admin access, plus access
+# to BMC interfaces intended only to service the BMC and host, including
+# SSH access to the BMC's command line.
+# The service account is not authorized to IPMI because of the inherent
+# security weakness in the IPMI spec and also because the IPMI
+# implementation was not enhanced to use the ACF support.
+# The service account does not have a home directory. The home directory is
+# set to / (the root directory) to allow dropbear ssh connections.
+
+inherit extrausers
+
+# The password hash used here is the traditional 0penBmc password.
+
+#IBM_EXTRA_USERS_PARAMS += " \
+# usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
+# "
+
+# Add group "wheel" (before adding the "service" account).
+IBM_EXTRA_USERS_PARAMS += " \
+ groupadd wheel; \
+ "
+
+# Add the "admin" account.
+IBM_EXTRA_USERS_PARAMS += " \
+ useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \
+ usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' admin; \
+ "
+
+# Add the "service" account.
+IBM_EXTRA_USERS_PARAMS += " \
+ useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
+ usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' service; \
+ "
+
+# This is recipe specific to ensure it takes effect.
+EXTRA_USERS_PARAMS_pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"
+
+# The service account needs sudo.
+IMAGE_INSTALL_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"
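Review bot: Both new accounts are created with the same published default hash that the hunk's own comment identifies as the traditional 0penBmc password, and `service` is added to `wheel`, which the sudo bbappend in this commit maps to passwordless root, so the shipped image carries a root-equivalent SSH login behind a known credential unless something outside this hunk forces a change at first login. The `$1$` prefix also marks an MD5-crypt hash; new `usermod -p` lines should carry a `$6$` (SHA-512) hash. Expire the credentials at creation time, e.g. add `passwd-expire admin; \` and `passwd-expire service; \` to the respective `IBM_EXTRA_USERS_PARAMS` blocks if the layer's extrausers class provides that directive, or document the equivalent first-boot mechanism in the comment above the hash. It is also worth stating in the policy comment why `admin` gets `-s /sbin/nologin` while `service` takes the useradd default shell, since that difference is what grants service the command-line access the text describes.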