path: root/meta-phosphor/recipes-extended/pam
Age  Commit message  Author  Files  Lines
2022-01-25  treewide: fix up github SRC_URIs  (Patrick Williams, 1 file, -1/+1)

Per [1], Yocto is going to start requiring both branch names and `protocol=https` in GitHub SRC_URI variables. Ran the upstream tool to automatically fix our URIs.

1. https://git.yoctoproject.org/poky/tree/documentation/migration-guides/migration-3.5.rst#n10

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I5f9619f7ff707050b469ae74c8aa16846568c5e4
2021-11-10  pam-ipmi: srcrev bump 1ea8be7fe6..08be868a6d  (Andrew Geissler, 1 file, -1/+1)

Manojkiran Eda (1):
      Add OWNERS file

Change-Id: If866b765b8f9bb6579de503ea28d9d3f1dd4dad2
Signed-off-by: Andrew Geissler <openbmcbump-github@yahoo.com>
2021-08-11  meta-phosphor: prep for new override syntax  (Patrick Williams, 2 files, -4/+4)

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I588025b614416c43aa2d053765ab53bacf890cb5
2021-05-01  pam-ipmi: srcrev bump 9dbd02268d..1ea8be7fe6  (Andrew Geissler, 1 file, -1/+1)

Patrick Williams (1):
      bootstrap: fix shellcheck warnings

Change-Id: I7a4c4f81532605e60deee58ab4b2e39e350ad827
Signed-off-by: Andrew Geissler <openbmcbump-github@yahoo.com>
2020-12-10  pam-ipmi: srcrev bump f3919c432f..9dbd02268d  (Andrew Geissler, 1 file, -1/+1)

Patrick Williams (1):
      build: fix install race condition

(From meta-phosphor rev: 6e06bc89f693006888095fde80a6e0db6600e645)
Change-Id: Ib0acb5b310ec16a0300d717aae9e992e2655b05a
Signed-off-by: Andrew Geissler <openbmcbump-github@yahoo.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
2020-06-10  Include pam-localuser.  (Richard Marian Thomaiyar, 1 file, -0/+1)

Include pam-localuser in the rootfs file system. This will be used to do pam_authenticate restriction based on group ownership for local users and ignore it for LDAP users.

Tested: Along with pam-webserver changes with authenticate required, verified that local users belonging to the redfish group are the only ones allowed to log in to bmcweb.

(From meta-phosphor rev: 4f3be3adf5e30894f7749bfa8c52e4a9b506d01b)
Change-Id: Icec9ae4f2c8e08c6d66733995158aeae85352beb
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
2020-05-08  pam-ipmi: srcrev bump c2ef3319b4..f3919c432f  (Andrew Geissler, 1 file, -1/+1)

Vernon Mauery (1):
      [pam-ipmi]: Fix key & password file permission

(From meta-phosphor rev: 2a570d00c317f02af8488be2cae6add1da089f77)
Change-Id: I0184bf2ac29890eb90185bda7c41fab307c4d31e
Signed-off-by: Andrew Geissler <openbmcbump-github@yahoo.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
2020-04-11  pam-ipmi: srcrev bump 65edb939ef..c2ef3319b4  (Andrew Geissler, 1 file, -1/+1)

Vernon Mauery (1):
      [pam-ipmi]: fix default data file permissions

(From meta-phosphor rev: c049f668387f981bf866ac95f9d97d40fd357c07)
Change-Id: Iec3a97a41dec1a9784184e66e6a6b877155e8d92
Signed-off-by: Andrew Geissler <openbmcbump-github@yahoo.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
2020-02-05  [pam]: Include pam-succeed-if to verify group role  (Richard Marian Thomaiyar, 1 file, -0/+1)

Include pam-succeed-if in the rootfs file system. This will be used to do pam_authenticate restriction based on group ownership.

Tested: Along with pam-webserver changes with authenticate required, verified that users belonging to the redfish group are the only ones allowed to log in to bmcweb.

(From meta-phosphor rev: 8c65b60518d8c447918371f3dbc7aceca35aaaa5)
Change-Id: Ie81c0c9c6a2d3188a5d74a845c2a584b9ad36101
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2019-12-03  PAM config: move pam_cracklib to first position  (Joseph Reynolds, 1 file, -2/+2)

This fixes a bug where Linux-PAM asks for the new password three times when changing the password. With this fix, PAM asks for the new password and then only once more to confirm it - two times total.

This bug applies to the `passwd` command, to the expired password dialog when signing into the console using an account which has an expired password, and to other similar uses of the PAM conversation function such as changing the password during SSH login. This does not affect the external behavior of the REST APIs or the webui because they use automated PAM conversation functions which programmatically supply the password as many times as it is requested.

The bug happens like this: When PAM is asked to change a password via pam_chauthtok, it reads the /etc/pam.d/common-password file and executes the first module, pam_ipmicheck. This calls pam_get_authtok(pamh, PAM_AUTHTOK, &pass_new, NULL) which prompts for the new password and then prompts again to verify they are the same. The next module, pam_cracklib, makes two calls: a call to pam_get_authtok_noverify() followed by a call to pam_get_authtok_verify(). The call to pam_get_authtok_noverify() does NOT prompt because the new password is already known to PAM, but the call to pam_get_authtok_verify() unconditionally prompts to validate the password. That's why we see two prompts to "Retype" the new password. The first is from pam_ipmicheck, and the second is from pam_cracklib/pam_get_authtok_verify.

The fix is to invoke pam_cracklib first and pam_ipmicheck second. Then pam_cracklib does all of its prompting, and pam_ipmicheck gets what it needs without prompting. The pam_ipmicheck module only checks the username and password length, so switching the sequence of these modules should be harmless.

Tested: yes, via the "passwd USER" command

(From meta-phosphor rev: a71db86192df0b0268db93e7ae6dc4633fce271e)
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I044df5731a69e45eca9597a345fa6d1b01041b58
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
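As an added illustration (not code from the commit or from Linux-PAM), the following is a simplified model of the three authtok helpers named in the message and of how module order in common-password decides how often the user is prompted. The conversation callback standing in for the terminal user, and the module stubs, are constructed here; they keep only the prompting behaviour the commit describes.

```python
class PamHandle:
    """Holds the cached new password (PAM_AUTHTOK) and counts prompts."""

    def __init__(self, conversation):
        self.conv = conversation   # callable(prompt) -> what the user typed
        self.authtok = None        # PAM_AUTHTOK; None until a module sets it
        self.prompts = 0

    def _ask(self, prompt):
        self.prompts += 1
        return self.conv(prompt)

    def get_authtok(self):
        # pam_get_authtok(pamh, PAM_AUTHTOK, ...): prompts for the new
        # password plus a retype, but only if PAM does not already hold one.
        if self.authtok is None:
            first = self._ask("New password: ")
            if first != self._ask("Retype new password: "):
                raise ValueError("passwords do not match")
            self.authtok = first
        return self.authtok

    def get_authtok_noverify(self):
        # pam_get_authtok_noverify(): one prompt, skipped when already cached.
        if self.authtok is None:
            self.authtok = self._ask("New password: ")
        return self.authtok

    def get_authtok_verify(self):
        # pam_get_authtok_verify(): always prompts for the retype.
        if self._ask("Retype new password: ") != self.authtok:
            raise ValueError("passwords do not match")
        return self.authtok


def pam_ipmicheck(pamh):          # stub: only the call pattern matters here
    pamh.get_authtok()


def pam_cracklib(pamh):           # stub: noverify followed by verify
    pamh.get_authtok_noverify()
    pamh.get_authtok_verify()


def count_prompts(stack, new_password):
    """Run a password stack for a user who always types new_password."""
    pamh = PamHandle(lambda _prompt: new_password)
    for module in stack:
        module(pamh)
    return pamh.prompts
```

`count_prompts([pam_ipmicheck, pam_cracklib], ...)` reproduces the three prompts of the bug; swapping the order gives the two prompts of the fix.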
2019-11-05  pam: Disable sensitive log & nullok  (Richard Marian Thomaiyar, 3 files, -1/+21)

pam_unix logs the user name when sessions are established; quiet the same in configuration. This is done to avoid logging the user name, as logs will be exported as part of the debug log dump etc., thereby compromising sensitive information. Also disallow nullok login from a security point of view.

Tested:
1. Verified that session establishments are not recorded with the user name.
2. Verified webui, redfish, ipmi, ssh login works as expected.

(From meta-phosphor rev: 15a293b458ef2f013356f9746c0ac7a20e59c1c1)
Change-Id: Ic0fcdbfd9a5968fa55a27b7d2de379f8ba131cac
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2019-09-13  pam: Fix not querying password for invalid user  (Richard Marian Thomaiyar, 1 file, -1/+1)

Not querying the password for an invalid user name is a security issue and can be used to determine valid / invalid user names in the system. Always proceed to the password acceptance screen for invalid user login attempts too. This commit configures pam_tally2 to ignore unknown users and proceed to do the password check.

Tested: Verified the same in the BMC serial console login with an invalid user name; the password was requested before displaying "login incorrect".

Note: dropbear handles this already and hence ssh will not exhibit this behavior.

(From meta-phosphor rev: 356ec08b989c84d1d034c3ff283a6909658d9435)
Change-Id: I72483d26ad7b7c39068ac33b7387adf2b10a1a27
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2019-08-08  phosphor: pam: Fix credits to maintain minlen req  (Richard Marian Thomaiyar, 1 file, -1/+1)

The default credit for pam-cracklib was used, causing an issue in meeting the minlen requirement for new passwords, i.e. 1 credit will be applied if the password contains digits, upper case, or lower case etc., making minlen be accepted. "fw6ev9" would pass pam_cracklib earlier for minlen as the password length was 6 and +2 credit got substituted for lower case & digit use in the password. Correcting the same now, by not providing any credit, so the minlen of 8 chars in the password must be met.

Tested:
1. Tested password 'fw6ev9' fails to set
2. Tested password '0penBmc1' was accepted as it passes 8 characters

Note: With this commit, the current default passwd for the root user '0penBmc' will work fine, but the same can't be used as the password during a password update.

(From meta-phosphor rev: 0e67cd66f4f530b4ccccb2ab400ba2dabb3c0737)
Change-Id: Ieeebef45a655563ac7779627b1cf38ef6080c046
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
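As an added example (not part of the commit and not pam_cracklib's own code), here is a model of pam_cracklib's minlen scoring with per-class credits: a non-negative credit adds up to that many bonus points for the class, while a negative credit is a hard minimum count that earns nothing. The sample passwords are the ones the commit cites; minlen=8 is the value the commit mentions, and the default of 1 credit per class is pam_cracklib's documented default.

```python
def cracklib_minlen_ok(password, minlen=8,
                       dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """True if `password` satisfies minlen under pam_cracklib credit rules.

    Score starts at the raw length. For each character class:
      credit >= 0 -> add min(count_in_class, credit) to the score
      credit <  0 -> require at least -credit characters of that class
    The password passes when score >= minlen.
    """
    counts = {
        "digit": sum(c.isdigit() for c in password),
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "other": sum(not c.isalnum() for c in password),
    }
    credits = {"digit": dcredit, "upper": ucredit,
               "lower": lcredit, "other": ocredit}
    score = len(password)
    for cls, credit in credits.items():
        n = counts[cls]
        if credit >= 0:
            score += min(n, credit)      # bonus capped at the credit value
        elif n < -credit:
            return False                 # hard per-class minimum not met
    return score >= minlen


# The two policies contrasted in the commit message.
DEFAULT_CREDITS = dict(dcredit=1, ucredit=1, lcredit=1, ocredit=1)
NO_CREDITS = dict(dcredit=0, ucredit=0, lcredit=0, ocredit=0)


def explain(password, **policy):
    """Return (passes, score) so the effect of a policy is visible."""
    passes = cracklib_minlen_ok(password, **policy)
    # recompute the score for display: length plus capped bonuses
    bonus = sum(min(sum(f(c) for c in password), cr) for f, cr in (
        (str.isdigit, policy.get("dcredit", 1)),
        (str.isupper, policy.get("ucredit", 1)),
        (str.islower, policy.get("lcredit", 1)),
        (lambda c: not c.isalnum(), policy.get("ocredit", 1))) if cr >= 0)
    return passes, len(password) + bonus
```

With default credits "fw6ev9" scores 6 + 1 (lower) + 1 (digit) = 8 and passes; with all credits at 0 it scores 6 and fails, while "0penBmc1" still passes on raw length alone.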
2019-03-05  Adding pam_ldap.so by masking pam load errors  (manojkiraneda, 2 files, -3/+6)

Absence of the ldap distro feature will not generate pam_ldap.so, because of which we might see some unwanted error messages regarding the failure in opening pam_ldap.so in journalctl, in case pam_ldap is present in the PAM configuration.

This commit would:
- Leverage the '-' option before the 'type' in the pam configuration, by which the PAM library will not log any errors in the syslog if it is not able to load the module because it is missing in the system. By using this we don't need two pam configuration files for ldap and unix.
- Leverage the ignore_unknown_user & ignore_authinfo_unavail options of pam_ldap.so, which force the PAM framework to ignore pam_ldap in case the user is not present in the LDAP server or the client cannot connect to the LDAP server.

(From meta-phosphor rev: 2c7efc937785a76e35a06b6807e12765ad40d99d)
Change-Id: Ic1044989ccae4e6e442de9865cf00cea33f75262
Signed-off-by: manojkiraneda <manojkiran.eda@gmail.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
2019-02-06  phosphor: pam: move libpam to recipes-extended  (Brad Bishop, 5 files, -0/+110)

Move pam metadata from recipes-core to recipes-extended, to match oe-core.

(From meta-phosphor rev: 6f75a62ec75deb7ba6efdc5b5c3dda960dda701d)
Change-Id: If8e36b1199f9e70ce27522d915ceaa281caaabc6
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-11-01  Remove pam_systemd.so from common-session pam conf  (Matt Spinler, 1 file, -0/+7)

The libpam recipe adds pam_systemd.so into /etc/pam.d/common-session if it detects systemd is enabled. However, systemd only installs pam_systemd.so if the systemd-logind package is installed, which openBMC doesn't want. So now when common-session is used by a pam module, there are errors in the journal saying it can't find pam_systemd.so.

To fix this, remove the pam_systemd.so line ourselves.

Tested: Verified that the line containing pam_systemd.so is no longer in the common-session file, and that there are no errors in the journal when logging in via REST.

(From meta-phosphor rev: 3457266de2ac93bb453a094a45d14e4ea082e955)
Change-Id: Iae091e2df1c543b5f679a55863329b4dd4d3b5c8
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>