path: root/meta-phosphor/recipes-core
Age | Commit message | Author | Files | Lines
2018-10-18 | Enable pam-ipmi modules in pam password stack | Richard Marian Thomaiyar | 1 | -2/+4

Enabled pam-ipmicheck & pam-ipmisave modules in pam password stacked modules. These modules will store 'ipmi' group users' passwords in encrypted form in the /etc/ipmi_pass file along with /etc/shadow. This special file will be used by phosphor-ipmi-net during RAKP messages. This will not affect users who don't belong to the 'ipmi' group.

(From meta-phosphor rev: 945a28a80ea24c59441ce511aff95092121dfc78)

Change-Id: I1b9e2c78c1e0b8a0f8da2a28c6d89638c45f692d
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-10-17 | Include pam-ipmi recipe | Richard Marian Thomaiyar | 1 | -0/+21

Add pam-ipmi recipe from OpenBmc repo. This adds pam_ipmisave & pam_ipmicheck modules, which are responsible for storing passwords in encrypted form for "ipmi" group users.

(From meta-phosphor rev: 6176e3213c113eca4ecfda32ad929797cfec86d6)

Change-Id: I38b39266d82ed1cd3d7fe130a972cb6943a540df
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-10-17 | Enforce password security through pam | Richard Marian Thomaiyar | 4 | -0/+84

Add suitable pam modules in place which will enforce password security:

1. pam_cracklib is added with minimum length of 8. Length greater than 8 can be configured through D-Bus interface.
2. pam_pwhistory is added to remember old password. Disabled by default. Can be enabled through D-Bus interface.
3. pam-tally2 used to lock out account after failed attempts. Disabled by default. Can be enabled through D-Bus interface.

Note: pam_cracklib will do password verification one extra time, hence with this fix, any password change will request "Retype new password" for 2 times.

(From meta-phosphor rev: bb70abc065a7eeb3206460ad20041bc132dab784)

Change-Id: Ibc5e275196509fb0b47c7174805195475d66590c
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-10-08 | nsswitch: Add LDAP lookup in passwd, group and shadow maps | Ratan Gupta | 2 | -0/+30

The Name Service Switch (NSS) configuration file (nsswitch.conf) is used by the GNU C Library to determine the sources from which to obtain name-service information in a range of categories, and in what order.

With the introduction of LDAP we have to add LDAP as a source for the name service info for the various maps/databases (passwd, group, shadow).

(From meta-phosphor rev: 68f0934af8ebb0332e5075728d8006e4d846bd78)

Change-Id: I0781da24c50278e439e953d595d275fbfc6bf48a
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-10-08 | Moving fstab file into subdirectory | Ratan Gupta | 2 | -1/+1

FILESEXTRAPATHS_prepend was conditional for only the ubi-based file system. Now we have the requirement where we want to prepend the path for all other cases, so moving the fstab file into the specific directory and adding that subdirectory path conditionally.

(From meta-phosphor rev: cb9552f017c3803dc0ec0ab628dce14863bf8389)

Change-Id: I9d3baf42ef1d712ec6c52f53a5ae56a2ceef1ddf
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-10-06 | meta-phosphor: fix reboot of BMC | Alexander Filippov | 2 | -0/+2

After the commit bba38f38e7e41525c30116a2fe990d113b8157da the firmware with a static flash layout is unable to reboot. It happens because the `reboot` applet was removed from the `busybox`.

This commit restores the `reboot` in the `busybox` for static layout.

Resolves openbmc/openbmc#3399

Tested in the `qemu` with firmwares for `palmetto` and `romulus`.

(From meta-phosphor rev: 8f400dacfc9138bc9395fe995ff914c10bd7eed0)

Change-Id: I5dd7ba0f999f0aa58e54594ad32669e2283e4cee
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-28 | Disable medium-strength dropbear ssh ciphers | Joseph Reynolds | 2 | -0/+30

This changes the Dropbear SSH server configuration so it will not accept medium-strength encryption ciphers including: CBC mode, MD5, 96-bit MAC, and triple DES. The remaining ciphers include aes128-ctr and aes256-ctr. Dropbear does not offer the arcfour cipher suite.

Note that Dropbear does not use a config file and instead uses file options.h to control its features. This commit adds a patch to disable the unwanted ciphers.

Tested:
On the qemu-based BMC:
  ssh -c help 127.0.0.1
  aes128-ctr,aes256-ctr
Before this change, the value was:
  aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,
  twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc

Attempt to contact the BMC from host:
  ssh -p 2222 -l root localhost  # success
  ssh -c aes128-cbc -p 2222 -l root localhost
  Unable to negotiate with 127.0.0.1 port 2222: no matching cipher found. Their offer: aes128-ctr,aes256-ctr
Before this change, the connection was successful.

Attempt to contact the BMC from older system:
  ssh -V
  OpenSSH_5.8p1, OpenSSL 0.9.8g 19 Oct 2007
  ssh -p 2222 -l root ${BMC_IP_ADDR}  # success

Resolves openbmc/openbmc#3186

(From meta-phosphor rev: 4ad7873e5dcd8475d48b6551002331a1efe4b2f1)

Change-Id: I5648a1602a3683afd9bd90ba62d8f6e4d9237506
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-25 | systemd: fix noisy messages about eBPF | Alexander Filippov | 2 | -0/+65

Patch systemd sources to fix detection of availability of the kernel CONFIG_CGROUP_BPF option.

Resolves openbmc/linux#159

(From meta-phosphor rev: 7fbc79b12dc5e137830ffd35c0be839fe77b6699)

Change-Id: I82cd227cb6e14ca57a373b1c6a100a98cff799af
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-06 | meta-phosphor: Move layer content from common/ | Brad Bishop | 58 | -0/+948

Adopt a more conventional directory hierarchy. meta-phosphor is still a _long_ way from suitable for hosting on yoctoproject.org but things like this don't help.

(From meta-phosphor rev: 471cfcefa74b8c7ceb704cb670e6d915cf27c63b)

Change-Id: I3f106b2f6cdc6cec734be28a6090800546f362eb
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>