authorJoseph Reynolds <joseph-reynolds@charter.net>2021-02-25 02:20:01 +0300
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2021-05-13 15:17:14 +0300
commit68e567f9e76d4e54a70a84dbc43050d4cf214562 (patch)
tree7f0b2303f18125cffbff28fca850bfcd20023e1e /meta-ibm
parent01439a98f9b7b599ac02da3d90bc1954aee86cd8 (diff)
IBM DISTRO_FEATURE ibm-service-account-policy
This creates a new DISTRO_FEATURE "ibm-service-account-policy" which - Adds an admin account which cannot SSH to the BMC's command shell. - Adds a service account which can SSH and has passwordless sudo access. This feature is applied to witherspoon-tacoma and p10bmc (rainier). Tested: The image behaves as before when the distro feature is not configured. When the distro feature is configured: The root user has the same access as before. The admin user: - Is not allowed to access the BMC's command shell. - Console login gets: This account is currently not available. - SSH login gets: Permission denied, please try again. - Redfish and REST API access works with role=Administrator. The service user: - Console login to the BMC's command shell works. The home directory is /. Passwordless sudo works. - SSH login works and using sudo from a SSH session works. - Redfish and REST API access works with role=Administrator. Change-Id: Icac5ba7f4fa663047709ab55007bbcfec8158f5e Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Diffstat (limited to 'meta-ibm')
-rw-r--r--meta-ibm/conf/machine/p10bmc.conf1
-rw-r--r--meta-ibm/conf/machine/witherspoon-tacoma.conf1
-rw-r--r--meta-ibm/recipes-extended/sudo/sudo_%.bbappend8
-rw-r--r--meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend58
4 files changed, 68 insertions, 0 deletions
diff --git a/meta-ibm/conf/machine/p10bmc.conf b/meta-ibm/conf/machine/p10bmc.conf
index 2cab74e4dd..5206c27c5d 100644
--- a/meta-ibm/conf/machine/p10bmc.conf
+++ b/meta-ibm/conf/machine/p10bmc.conf
@@ -15,6 +15,7 @@ require conf/distro/include/openpower-virtual-pnor.inc
require conf/distro/include/phosphor-mmc.inc
require conf/distro/include/ibm-mpreboot.inc
require conf/distro/include/ibm-yaml.inc
+DISTRO_FEATURES += "ibm-service-account-policy"
SERIAL_CONSOLES = "115200;ttyS4"
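Review bot: `DISTRO_FEATURES += "ibm-service-account-policy"` is appended from a machine configuration, so an account-and-sudo policy follows the MACHINE selection rather than the DISTRO and cannot be switched off by a distro that builds for this board; the header comment added to obmc-phosphor-image.bbappend in this same commit tells readers to put the line in the distro config instead. Either move the line into the IBM distro configuration, or state in the machine conf why the policy is tied to the board, e.g. `# IBM-supported boards enable the service account policy regardless of distro`. The same applies to the identical line in witherspoon-tacoma.conf.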
diff --git a/meta-ibm/conf/machine/witherspoon-tacoma.conf b/meta-ibm/conf/machine/witherspoon-tacoma.conf
index 9826d55ecd..2d696ecd8c 100644
--- a/meta-ibm/conf/machine/witherspoon-tacoma.conf
+++ b/meta-ibm/conf/machine/witherspoon-tacoma.conf
@@ -14,6 +14,7 @@ require conf/distro/include/ibm-yaml.inc
require conf/distro/include/openpower-virtual-pnor.inc
require conf/distro/include/phosphor-mmc.inc
require conf/distro/include/ibm-mpreboot.inc
+DISTRO_FEATURES += "ibm-service-account-policy"
SERIAL_CONSOLES = "115200;ttyS4"
diff --git a/meta-ibm/recipes-extended/sudo/sudo_%.bbappend b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000000..f4254e7ba0
--- /dev/null
+++ b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,8 @@
+# Allow passwordless use of sudo
+
+PACKAGECONFIG += "pam-wheel"
+
+do_install_append () {
+ # Allow members of the 'wheel' group to use passwordless sudo
+ sed -i 's/# \(%wheel ALL=(ALL) NOPASSWD: ALL\)/\1/' ${D}${sysconfdir}/sudoers
+}
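Review bot: The `sed -i` in `do_install_append` has no effect if the shipped sudoers does not contain that exact commented line (for example if a sudo upgrade changes the template to `%wheel ALL=(ALL:ALL) NOPASSWD: ALL`), and the build would then succeed with `wheel` members silently lacking the sudo rule the service account depends on. Add a post-check so the mismatch fails the build rather than the field: `grep -q '^%wheel ALL=(ALL) NOPASSWD: ALL' ${D}${sysconfdir}/sudoers || bbfatal "sudoers: wheel NOPASSWD rule was not enabled"`. Note also that this bbappend is not gated on `ibm-service-account-policy`, so any image from this layer that installs sudo ships the passwordless-wheel rule; the header comment should say whether that is intended.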
diff --git a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
index 403bfa0cc2..57260f06b1 100644
--- a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
+++ b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
@@ -5,3 +5,61 @@ OBMC_IMAGE_EXTRA_INSTALL_append_mihawk = " mboxd liberation-fonts uart-render-co
# remove so things fit in available flash space
IMAGE_FEATURES_remove_witherspoon = "obmc-user-mgmt-ldap"
+
+# Optionally configure IBM service accounts
+#
+# To configure your distro, add the following line to its config:
+# DISTRO_FEATURES += "ibm-service-account-policy"
+#
+# The service account policy is as follows:
+# root - The root account remains present. It is needed for internal
+# accounting purposes and for debugging service access.
+# admin - Provides administrative control over the BMC. The role is
+# SystemAdministrator. Admin users have access to interfaces including:
+# Redfish, REST APIs, Web. No access to the BMC via: the BMC's physical
+# console, SSH to the BMC's command line.
+# IPMI access is not granted by default, but admins can authorize
+# themselves and enable the IPMI service.
+# The admin has access to the host console: ssh -p2200 admin@${bmc}.
+# The admin account does not have a home directory.
+# service - Provides IBM service and support representatives (SSRs, formerly
+# known as customer engineers or CEs) access to the BMC. The role is
+# OemIBMServiceAgent. The service user has full admin access, plus access
+# to BMC interfaces intended only to service the BMC and host, including
+# SSH access to the BMC's command line.
+# The service account is not authorized to IPMI because of the inherent
+# security weakness in the IPMI spec and also because the IPMI
+# implementation was not enhanced to use the ACF support.
+# The service account does not have a home directory. The home directory is
+# set to / (the root directory) to allow dropbear ssh connections.
+
+inherit extrausers
+
+# The password hash used here is the traditional 0penBmc password.
+
+#IBM_EXTRA_USERS_PARAMS += " \
+# usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
+# "
+
+# Add group "wheel" (before adding the "service" account).
+IBM_EXTRA_USERS_PARAMS += " \
+ groupadd wheel; \
+ "
+
+# Add the "admin" account.
+IBM_EXTRA_USERS_PARAMS += " \
+ useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \
+ usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' admin; \
+ "
+
+# Add the "service" account.
+IBM_EXTRA_USERS_PARAMS += " \
+ useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
+ usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' service; \
+ "
+
+# This is recipe specific to ensure it takes effect.
+EXTRA_USERS_PARAMS_pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"
+
+# The service account needs sudo.
+IMAGE_INSTALL_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"
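Review bot: Both new accounts are created with the same publicly known default credential as root (`usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' admin;` and the matching `service` line), and `service` is placed in `wheel`, which the sudo bbappend in this commit maps to passwordless sudo, so the default `service` password is effectively a default root password reachable over SSH. The comment above the hash should state what forces that default to be replaced before the BMC is exposed, e.g. `# NOTE: well-known default; rotation is enforced by <MECHANISM — fill in>`, or the hash should be taken from a build-time variable so images are not produced with it unless explicitly configured. The `$1$` prefix is md5-crypt; a `$6$` (sha512-crypt) hash of the same password would be accepted by the same `usermod -p` call and is the stronger choice if a baked-in default is kept. The header comment also says the admin role is "SystemAdministrator" while the `useradd` lines only add Unix groups; if the role mapping is done elsewhere, a one-line pointer to it would help the next reader.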