Age | Commit message (Collapse) | Author | Files | Lines |
|
pam password history module is required to not allow the
history passwords.
We have the following D-bus property which is required this
module.
https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/
xyz/openbmc_project/User/AccountPolicy.interface.yaml#L27
(From meta-phosphor rev: 59e8633fc824999fcef46f099174ee322a9750f7)
Change-Id: I3493c1386c08ea8497a3d3868ed8ffb67a024a1d
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Update meta-phosphor to master HEAD.
Patrick Venture (52):
meta-phosphor: obmc-console: set LICENSE field
meta-phosphor: dbus-interfaces: set LICENSE field
meta-phosphor: rest-dbus: set LICENSE field
meta-phosphor: slpd-lite: set LICENSE field
meta-phosphor: ipmi-host: set LICENSE field
meta-phosphor: ipmi-net: set LICENSE field
meta-phosphor: network: inarp: set LICENSE field
meta-phosphor: network: set LICENSE field
meta-phosphor: logging: set LICENSE field
meta-phosphor: ipmi-tool: fixup LICENSE
meta-phosphor: clear-once: set LICENSE field
meta-phosphor: preinit-mounts: set LICENSE field
meta-phosphor: systemd: obmc-targets: set LICENSE field
meta-phosphor: dbus: perms: set LICENSE field
meta-phosphor: dbus-interfaces-mapper-config-native: set LICENSE field
meta-phosphor: dbus-monitor-config-native: set LICENSE field
meta-phosphor: legacy-namespace-mapper-config-native: set LICENSE field
meta-phosphor: mapper-config-native: set LICENSE field
meta-phosphor: obmc-host-failure-reboots: set LICENSE field
meta-phosphor: fan-control-events-config-native: set LICENSE field
meta-phosphor: fan-control-fan-config-native: set LICENSE field
meta-phosphor: fan-control-zone-conditions-config-native: set LICENSE field
meta-phosphor: fan-control-zone-config-native: set LICENSE field
meta-phosphor: fan-monitor-config-native: set LICENSE field
meta-phosphor: fan-presence-config-native: set LICENSE field
meta-phosphor: image-signing: set LICENSE field
meta-phosphor: insecure-signing-key-native: set LICENSE field
meta-phosphor: inventory-manager-assettag-native: set LICENSE field
meta-phosphor: inventory-manager-config-native: set LICENSE field
meta-phosphor: ipmi-channel-inventory-native: set LICENSE field
meta-phosphor: ipmi-config: set LICENSE field
meta-phosphor: ipmi-fru-merge-config-native: set LICENSE field
meta-phosphor: ipmi-fru-properties-native: set LICENSE field
meta-phosphor: ipmi-fru-read-bmc-inventory-native: set LICENSE field
meta-phosphor: ipmi-fru-read-not-sent-by-host-inventory-native: set LICENSE field
meta-phosphor: ipmi-fru-whitelist-native: set LICENSE field
meta-phosphor: ipmi-inventory-sel-native: set LICENSE field
meta-phosphor: ipmi-sensor-config-native: set LICENSE field
meta-phosphor: ipmi-sensor-inventory-native: set LICENSE field
meta-phosphor: logging-callouts-example-native: set LICENSE field
meta-phosphor: logging-error-logs-native: set LICENSE field
meta-phosphor: settings-defaults-native: set LICENSE field
meta-phosphor: fan-presence-mrw-native: set LICENSE field
meta-phosphor: fan-control-fan-config-mrw-native: set LICENSE field
meta-phosphor: ipmi-fru-properties-mrw-native: set LICENSE field
meta-phosphor: ipmi-inventory-sel-mrw-native: set LICENSE field
meta-phosphor: ipmi-sensor-inventory-mrw-config-native: set LICENSE field
meta-phosphor: ipmi-sensor-inventory-mrw-native: set LICENSE field
meta-phosphor: led-manager-config-mrw-native: set LICENSE field
meta-phosphor: logging-callouts-mrw-native: set LICENSE field
meta-phosphor: hwmon-config-mrw: set LICENSE field
meta-phosphor: settings-read-settings-mrw-native: set LICENSE field
Change-Id: Ibe919c3f1a748fae67b45ff6908a236b08902450
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
The Dropbear SSH client and server configuration is changed to not
accept the HMAC-MD5 algorithm when making connections.
The MD5 algorithm is no longer considered secure.
With this change, Dropbear supports the following MAC algorithms:
SHA1_HMAC, SHA2_256_HMAC, and SHA2_512_HMAC.
Note that Dropbear does not yet support HMAC-SHA3.
Tested:
$ ssh -m hmac-sha1-96 root@${bmc}
Unable to negotiate with ${bmc} port 22:
no matching MAC found.
Their offer: hmac-sha1,hmac-sha2-256,hmac-sha2-512
$ ssh root@${bmc} # worked
(From meta-phosphor rev: ec86af05553a7a66af68356cb2b4ec451d5bbf91)
Change-Id: Iba30c9f1ea66e2c72c75d16a16194ede808fe64a
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Continue to hit two major issues with having coredumps
enabled in OpenBMC:
1. Filesystem space for coredumps
Systemd writes the core files to /var/lib/systemd/coredump/
This is a persistent filesystem so space is very limited.
There is currently no way to configure this location (would
need upstream work). Due to issue #2 below, when a single
application fails, it starts to cause other services to
coredump which results in the available space quickly
filling up. This can result in the UBI kernel driver
remounting the filesystem read-only.
2. CPU utilization
When an application fails, and causes a coredump, it is
restarted by systemd. The restart causes mapper to fire
up and introspect the restarted application. In parallel
the coredump is being generated and collected. These two
things heavily load the CPU. If this occurs during the
initial startup of the BMC, where lots of other services
are also starting and being introspected by mapper, then
those services can start hitting their systemd timeout
limit. This then results in core dumps being collected for
them and mapper instrospects being called on their restarts.
This causes a snowball affect where the system just
continues to restart services and collect core dumps.
The systemd restart policy can not account for these long
delays between restart (due to the CPU load) so the
limit is never hit within the time limit, resulting
in an infinite restart loop.
There is upstream work that could be done with systemd to
make the core dump function more embedded system friendly. This
would be a long term solution but may become a moot point
as performance improvmenents come in (c++ mapper), more
powerful CPU's are used, and more flash space is allocated
in future systems.
Personally, I've never used a core dump to debug an issue
and have dealt with the above issues multiple times so
I'm probably a bit biased. This could definitely be a
meta-ibm layer type change if others in the community
prefer this enabled as the default.
resolves openbmc/openbmc#3379
(From meta-phosphor rev: dde999f1076f571a1760c9e5e536e63796749e57)
Change-Id: Ib229d8bf58aa075926fd302a0139a042d069f446
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Enabled pam-ipmicheck & pam-ipmisave modules in
pam password stacked modules. This modules will
store 'ipmi' group users password in encrypted
form in /etc/ipmi_pass file along with /etc/shadow.
This special file will be used by phosphor-ipmi-net
during RAKP messages.
This will not affect users who doesn't belong to
'ipmi' group.
(From meta-phosphor rev: 945a28a80ea24c59441ce511aff95092121dfc78)
Change-Id: I1b9e2c78c1e0b8a0f8da2a28c6d89638c45f692d
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Add pam-ipmi recipe from OpenBmc repo. This adds
pam_ipmisave & pam_ipmicheck modules which is responsible
for storing password in encrypted form for "ipmi" group
users.
(From meta-phosphor rev: 6176e3213c113eca4ecfda32ad929797cfec86d6)
Change-Id: I38b39266d82ed1cd3d7fe130a972cb6943a540df
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Add suitable pam modules in place which will enforce
password security
1. pam_cracklib is added with minimum length of 8. Length
greater than 8 can be configured through D-Bus interface.
2. pam_pwhistory is added to remember old password. Disabled
by default. Can be enabled through D-Bus interface
3. pam-tally2 used to lock out account after failed attempts.
Disabled by deault. Can be enabled through D-Bus interface
Note: pam_cracklib will do password verification one extra time,
hence with this fix, any password change will request,
Retype new password for 2 times.
(From meta-phosphor rev: bb70abc065a7eeb3206460ad20041bc132dab784)
Change-Id: Ibc5e275196509fb0b47c7174805195475d66590c
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
The Name Service Switch (NSS) configuration file (nsswitch.conf),
is used by the GNU C Library to determine the sources from which
to obtain name-service information in a range of categories, and in what order
With the introduction of LDAP we have to add the LDAP as a source for the
name service info for the various maps/database(passwd, group, shadow).
(From meta-phosphor rev: 68f0934af8ebb0332e5075728d8006e4d846bd78)
Change-Id: I0781da24c50278e439e953d595d275fbfc6bf48a
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
FILESEXTRAPATHS_prepend was conditional for only ubi-based-file system
now we have the requirement where we want to prepend path for
all other cases,so moving the fstab file in the specific
directory and add that subdirectory-path conditionaly.
(From meta-phosphor rev: cb9552f017c3803dc0ec0ab628dce14863bf8389)
Change-Id: I9d3baf42ef1d712ec6c52f53a5ae56a2ceef1ddf
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
After the commit bba38f38e7e41525c30116a2fe990d113b8157da the firmware
with a static flash layout is unable to reboot.
It happens because the `reboot` applet was removed from the `busybox`.
This commit restore the `reboot` in the `busybox` for static layout.
Resolves openbmc/openbmc#3399
Tested in the `qemu` with firmwares for `palmetto` and `romulus`.
(From meta-phosphor rev: 8f400dacfc9138bc9395fe995ff914c10bd7eed0)
Change-Id: I5dd7ba0f999f0aa58e54594ad32669e2283e4cee
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
This changes the Dropbear SSH server configuration so it will not
accept medium-strength encryption ciphers including: CBC mode, MD5,
96-bit MAC, and triple DES.
The remaining ciphers include aes128-ctr and aes256-ctr. Dropbear
does not offer the arcfour cipher suite.
Note that Dropbear does not use a config file and instead uses
file options.h to control its features. This commit adds a
patch to disable the unwanted ciphers.
Tested:
On the qemu-based BMC:
ssh -c help 127.0.0.1
aes128-ctr,aes256-ctr
Before this change, the value was:
aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,
twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
Attempt to contact the BMC from host:
ssh -p 2222 -l root localhost # success
ssh -c aes128-cbc -p 2222 -l root localhost
Unable to negotiate with 127.0.0.1 port 2222: no matching cipher
found. Their offer: aes128-ctr,aes256-ctr
Before this change, the connection was successful.
Attempt to contact the BMC from older system:
ssh -V
OpenSSH_5.8p1, OpenSSL 0.9.8g 19 Oct 2007
ssh -p 2222 -l root ${BMC_IP_ADDR} # success
Resolves openbmc/openbmc#3186
(From meta-phosphor rev: 4ad7873e5dcd8475d48b6551002331a1efe4b2f1)
Change-Id: I5648a1602a3683afd9bd90ba62d8f6e4d9237506
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Patch systemd sources to fix detection of availability of
the kernel CONFIG_CGROUP_BPF option.
Resolves openbmc/linux#159
(From meta-phosphor rev: 7fbc79b12dc5e137830ffd35c0be839fe77b6699)
Change-Id: I82cd227cb6e14ca57a373b1c6a100a98cff799af
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Adopt a more conventional directory hierarchy. meta-phosphor is still
a _long_ way from suitable for hosting on yoctoproject.org but things
like this don't help.
(From meta-phosphor rev: 471cfcefa74b8c7ceb704cb670e6d915cf27c63b)
Change-Id: I3f106b2f6cdc6cec734be28a6090800546f362eb
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|