useradd/usermod doesn't update /etc/ipmi_pass

[tajudheenk]

useradd/usermod typically used with EXTRA_USERS_PARAMS to add or change user in the image.
But this doesn't update /etc/ipmi_pass file causes OOB IPMI to fail. But when user credentials are changed with passwd command it works fine.

Looks like pam_sm_chauthtok() is not getting called on useradd/usermod commands.

[lizlovesspurs]

We can try to add extra user password to ipmi_pass file as default value . But how to generate these hash code about extra user password in ipmi_pass file? @tajudheenk

[rthomaiy]

There is no direct way to update /etc/ipmi_pass, but once this image is flashed, login to bmc serial console, then try to execute passwd and update the password to the desired one (during this scenario, the new password is stored back in /etc/ipmi_pass). Now copy this /etc/ipmi_pass from your BMC to your development environment, and override it using bbappend.

Note: Our ultimate goal is to get rid of the default user name and password from the system (to whichever project it is feasible for security reason -- https://github.com/openbmc/docs/blob/master/user_management.md#deployment---out-of-factory)

Let me know if you need any further clarifications

Note: As i see some people are using this, thought of writing a small program, and add it in the userclass such that when new user password is set it can be done. Will think about the usage and if it make sense, will do the same (but as of now, it will be in lower priority, Let me know if anyone can contribute, can provide help in getting it done).

[tajudheenk]

@rthomaiy Isn't it required to add /etc/ipmi_pass file to whitelist to retain the password after image update?

[rthomaiy]

What do you mean by whitelist here. We are using overlay concepts, and /etc/ipmi_pass is rw filesystem for us. We preserve all rw filesystem as part of firmware update.

[tajudheenk]

As per my understanding, OpenBMC only preserves files in overlayFS specified in whitelist file during image update.

[jack206]

i want to add an user(ADMIN ADMIN) to /etc/ipmi_pass, but failed. How can i do for tihs?
passwd ADMIN
New password:
BAD PASSWORD: it is too short
passwd: Authentication token manipulation error
passwd: password unchanged

[williamspatrick]

BAD PASSWORD: it is too short

The PAM settings prohibit the password you have chosen.

[jack206]

Yes, I tried to modify pam_cracklib.so to generate this file, but it didn't work。
Is there a temporary plan？
Here are my provisional revisions：
msg = password_check(pamh, opt, pass_old, pass_new, user);
msg = NULL;
if (msg) {
if (ctrl & PAM_DEBUG_ARG)
pam_syslog(pamh, LOG_NOTICE,
"new passwd fails strength check : %s", msg);
pam_error(pamh, _("BAD PASSWORD1: %s"), msg);
//return PAM_AUTHTOK_ERR;
};
return PAM_SUCCESS;

[jack206]

Can someone tell me how to make an ipmi_pass file with two accounts (root 0penBmc) and (ADMIN ADMIN)？

[qkpidan]

Can someone tell me how to make an ipmi_pass file with two accounts (root 0penBmc) and (ADMIN ADMIN)？

#!/bin/bash -e

user_uid=`ipmitool user list 1 | grep ADMIN | awk '{print $1}'`

if [ -z "$user_uid" ]
then
    echo -e "Create Ipmi User ADMIN"
    ipmitool user set name 3 ADMIN
    ipmitool user set password 3 ADMIN@123
    ipmitool channel setaccess 1 3 callin=on ipmi=on link=on privilege=4
    ipmitool user enable 3
    ipmitool channel getaccess 1 3
else
        echo -e "Do nothing"
fi