| | | |
|---|---|---|
| author | Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> | 2018-07-16 00:29:50 +0530 |
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-06 03:28:37 +0000 |
| commit | 02486300e9f4c5a4af04ffbfd6898ee59c654873 (patch) | |
| tree | 44b655283a4d3f9644517d2a1a29bce086e1ceec /xyz/openbmc_project | |
| parent | f019ea0979ce9d29654e0ce7bfbeb57783c59bd9 (diff) | |
| download | phosphor-dbus-interfaces-02486300e9f4c5a4af04ffbfd6898ee59c654873.tar.gz, phosphor-dbus-interfaces-02486300e9f4c5a4af04ffbfd6898ee59c654873.zip | |
Interface support for security configuration
Configuration support for password and security
enforcement for user accounts under the AccountPolicy
interface (which will manage global policies
related to accounts).
Change-Id: Icdea6d83654f9449088a6319f453788cb25ecfc2
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Diffstat (limited to 'xyz/openbmc_project')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | xyz/openbmc_project/User/AccountPolicy.interface.yaml | 33 |
| -rw-r--r-- | xyz/openbmc_project/User/Attributes.interface.yaml | 10 |
| -rw-r--r-- | xyz/openbmc_project/User/Common.errors.yaml | 2 |
| -rw-r--r-- | xyz/openbmc_project/User/README.md | 15 |
4 files changed, 57 insertions, 3 deletions
diff --git a/xyz/openbmc_project/User/AccountPolicy.interface.yaml b/xyz/openbmc_project/User/AccountPolicy.interface.yaml new file mode 100644 index 0000000..9397f4b --- /dev/null +++ b/xyz/openbmc_project/User/AccountPolicy.interface.yaml @@ -0,0 +1,33 @@ +description: > + Provides global user account policy related management. + +properties: + - name: MaxLoginAttemptBeforeLockout + type: uint16 + description: > + Configures the maximum permissible attempt before locking + out the user. Value of 0 indicates that account lockout + feature is disabled. + + - name: AccountUnlockTimeout + type: uint32 + description: > + Configures timeout needed (in seconds) to unlock the account + after a lockout. Value of 0 indicates that account must be + unlocked manually. + + - name: MinPasswordLength + type: byte + description: > + Configures the minimum password length. Minimum password length + specified in build time is marked as default value. This property + cannot be configured below the build time default value but can be + set to higher one for security reasons. + + - name: RememberOldPasswordTimes + type: byte + description: > + Configures the number of times old password shouldn't be allowed + when trying to update new password. Value of 0 (by default) indicates + this feature is not enforced. +# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4 diff --git a/xyz/openbmc_project/User/Attributes.interface.yaml b/xyz/openbmc_project/User/Attributes.interface.yaml index 108934d..31d9939 100644 --- a/xyz/openbmc_project/User/Attributes.interface.yaml +++ b/xyz/openbmc_project/User/Attributes.interface.yaml 
@@ -18,4 +18,14 @@ properties: type: boolean description: > Enabled or disabled state of the user. + + - name: UserLockedForFailedAttempt + type: boolean + description: > + Locked or unlocked state of the user. After repeated failed + login attempt (configured through MaxLoginAttemptBeforeLockout), + locked out user can be unlocked manually by setting false to + this property. This property will return true if user is locked + out user. AccountUnlockTimeout property can be configured to unlock + the user after a timeout. # vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4 diff --git a/xyz/openbmc_project/User/Common.errors.yaml b/xyz/openbmc_project/User/Common.errors.yaml index a1c60ab..ccca302 100644 --- a/xyz/openbmc_project/User/Common.errors.yaml +++ b/xyz/openbmc_project/User/Common.errors.yaml @@ -9,7 +9,7 @@ description: Specified Group related restriction failure for user name. # xyz.openbmc_project.User.Common.Error.UserNamePrivFail - name: UserNamePrivFail - description: Specificed privilege related restriction failure for user name. + description: Specified privilege related restriction failure for user name. # xyz.openbmc_project.User.Common.Error.NoResource - name: NoResource description: No resource available. diff --git a/xyz/openbmc_project/User/README.md b/xyz/openbmc_project/User/README.md index cbda1e3..1ce17e0 100644 --- a/xyz/openbmc_project/User/README.md +++ b/xyz/openbmc_project/User/README.md 
@@ -19,8 +19,18 @@ methods, properties and signals. ##### signals * UserRenamed - Signal sent out when user is renamed in the system. +#### xyz.openbmc_project.User.AccountPolicy interface +##### properties +* MaxLoginAttemptBeforeLockout - Permissible attempt before locking out the +user for failed login attempts. +* AccountUnlockTimeout - Timeout (in seconds) to unlock the account after a +lockout. +* MinPasswordLength - Minimum password length, which can be set. +* RememberOldPasswordTimes – Number of times old password shouldn’t be allowed +when updating password for the user. + ### Users Interface -User manager daemon, will create user objects for each and every user existing +User manager daemon, will create user objects for every user existing in the system under object path `/xyz/openbmc_project/user/<user name>`. Each user object can be handled through 'org.freedesktop.DBus.ObjectManager'. User object will expose following properties and methods. @@ -30,12 +40,13 @@ User object will expose following properties and methods. * UserPrivilege - Privilege of the user. * UserGroups - Groups to which the user belongs. * UserEnabled - User enabled state. +* UserLockedForFailedAttempt - Locked or unlocked state of the user account. #### xyz.openbmc_project.Object.Delete #### methods * Delete - To delete the user object in the system. ##Note -This interface doesn't provide ways to set / update password. The same has to +This interface doesn't provide ways to set / update password. The same must be set / updated through pam_chauthtok() (PAM modules). This is to avoid sending out password through D-Bus. |
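Review bot: in the new AccountPolicy.interface.yaml, MinPasswordLength says it "cannot be configured below the build time default value" but the property never says what a caller gets back when it tries, and this patch adds nothing to Common.errors.yaml; name the error the setter raises (adding one if none fits) so every implementation rejects the write the same way. The lockout pair needs the same treatment: with MaxLoginAttemptBeforeLockout set to 0 the feature is off, so state that AccountUnlockTimeout is then ignored, and because AccountUnlockTimeout = 0 means "must be unlocked manually", an administrator who enables a lockout threshold while leaving the timeout at 0 can lock the only administrative account out with no way back in; the description should warn about that combination. Minor: "maximum permissible attempt" should read "maximum permissible attempts".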
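Review bot: the UserLockedForFailedAttempt hunk in Attributes.interface.yaml only specifies the false direction ("can be unlocked manually by setting false to this property"); say what a write of true does, otherwise one implementation will treat it as a manual lock and another will reject it. Since clearing the flag is exactly what a brute-force attacker who has gained any write access would want, the description should also say which callers are allowed to set it (the administrative path, not the user's own account). The sentence "This property will return true if user is locked out user" has a stray trailing "user".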
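Review bot: the README hunk adding the AccountPolicy section does not say which D-Bus object hosts the interface, while the Users section right below it gives the object path for user objects; add the path (or say it lives on the user manager object) so a client knows where to read MaxLoginAttemptBeforeLockout. The MinPasswordLength bullet ("Minimum password length, which can be set.") drops the floor stated in AccountPolicy.interface.yaml, that it cannot be lowered below the build-time default; repeat it here. The RememberOldPasswordTimes bullet uses a typographic dash and a curly apostrophe where the neighbouring bullets are ASCII; keep them ASCII.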
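Review bot: in the second README hunk, the UserLockedForFailedAttempt bullet should say that it is cleared by writing false, as the interface description does, so the README and the yaml agree on how an unlock is performed. While touching the Note paragraph, "##Note" needs a space after the hashes to render as a heading like the other "####" headings in the file.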