From 02486300e9f4c5a4af04ffbfd6898ee59c654873 Mon Sep 17 00:00:00 2001
From: Richard Marian Thomaiyar
Date: Mon, 16 Jul 2018 00:29:50 +0530
Subject: Interface support for security configuration

Configuration support for password and security enforcement for user account under AccountPolicy interface (which will manage global policies related to accounts).

Change-Id: Icdea6d83654f9449088a6319f453788cb25ecfc2
Signed-off-by: Richard Marian Thomaiyar
---
 .../User/AccountPolicy.interface.yaml | 33 ++++++++++++++++++++++
 xyz/openbmc_project/User/Attributes.interface.yaml | 10 +++++++
 xyz/openbmc_project/User/Common.errors.yaml | 2 +-
 xyz/openbmc_project/User/README.md | 15 ++++++++--
 4 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 xyz/openbmc_project/User/AccountPolicy.interface.yaml

diff --git a/xyz/openbmc_project/User/AccountPolicy.interface.yaml b/xyz/openbmc_project/User/AccountPolicy.interface.yaml
new file mode 100644
index 0000000..9397f4b
--- /dev/null
+++ b/xyz/openbmc_project/User/AccountPolicy.interface.yaml
@@ -0,0 +1,33 @@
+description: >
+ Provides global user account policy related management.
+
+properties:
+ - name: MaxLoginAttemptBeforeLockout
+ type: uint16
+ description: >
+ Configures the maximum permissible attempt before locking
+ out the user. Value of 0 indicates that account lockout
+ feature is disabled.
+
+ - name: AccountUnlockTimeout
+ type: uint32
+ description: >
+ Configures timeout needed (in seconds) to unlock the account
+ after a lockout. Value of 0 indicates that account must be
+ unlocked manually.
+
+ - name: MinPasswordLength
+ type: byte
+ description: >
+ Configures the minimum password length. Minimum password length
+ specified in build time is marked as default value. This property
+ cannot be configured below the build time default value but can be
+ set to higher one for security reasons.
+
+ - name: RememberOldPasswordTimes
+ type: byte
+ description: >
+ Configures the number of times old password shouldn't be allowed
+ when trying to update new password. Value of 0 (by default) indicates
+ this feature is not enforced.
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/xyz/openbmc_project/User/Attributes.interface.yaml b/xyz/openbmc_project/User/Attributes.interface.yaml
index 108934d..31d9939 100644
--- a/xyz/openbmc_project/User/Attributes.interface.yaml
+++ b/xyz/openbmc_project/User/Attributes.interface.yaml
@@ -18,4 +18,14 @@ properties:
 type: boolean
 description: >
 Enabled or disabled state of the user.
+
+ - name: UserLockedForFailedAttempt
+ type: boolean
+ description: >
+ Locked or unlocked state of the user. After repeated failed
+ login attempt (configured through MaxLoginAttemptBeforeLockout),
+ locked out user can be unlocked manually by setting false to
+ this property. This property will return true if user is locked
+ out user. AccountUnlockTimeout property can be configured to unlock
+ the user after a timeout.
 # vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
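Review bot: MinPasswordLength's description states that the value cannot be configured below the build-time default, but the hunk never says what a caller observes when it tries — a set rejected with an error, or a value silently clamped — and no error is listed for it. Since this bound is what keeps the policy from being weakened, the failure mode belongs in the contract; I would append `Attempts to set a value below the build-time default are rejected.` (or `are clamped to it`, whichever the implementation does) and name the error if one is raised. Defaults are a second gap: only RememberOldPasswordTimes states its default, so a reader cannot tell whether lockout (MaxLoginAttemptBeforeLockout) and automatic unlock (AccountUnlockTimeout) are in force before anyone configures them; one sentence per property stating the default would settle that. Finally, the RememberOldPasswordTimes description is hard to parse; `Number of previous passwords that are remembered and rejected when a user sets a new password.` says the same thing plainly.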
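Review bot: UserLockedForFailedAttempt only documents writing false (manual unlock); it does not say what writing true does, and the sentence `This property will return true if user is locked out user.` is garbled. Because this flag gates login, both directions should be spelled out: replace that sentence with `Reads as true while the user is locked out.` and add either `Setting true is rejected.` or `Setting true locks the user.`, whichever the implementation does. The description also names MaxLoginAttemptBeforeLockout and AccountUnlockTimeout without saying where they live; writing `(configured through MaxLoginAttemptBeforeLockout of xyz.openbmc_project.User.AccountPolicy)` points readers at the right interface. The `properties:` list this entry belongs to begins before the hunk.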
diff --git a/xyz/openbmc_project/User/Common.errors.yaml b/xyz/openbmc_project/User/Common.errors.yaml
index a1c60ab..ccca302 100644
--- a/xyz/openbmc_project/User/Common.errors.yaml
+++ b/xyz/openbmc_project/User/Common.errors.yaml
@@ -9,7 +9,7 @@
 description: Specified Group related restriction failure for user name.
 # xyz.openbmc_project.User.Common.Error.UserNamePrivFail
 - name: UserNamePrivFail
- description: Specificed privilege related restriction failure for user name.
+ description: Specified privilege related restriction failure for user name.
 # xyz.openbmc_project.User.Common.Error.NoResource
 - name: NoResource
 description: No resource available.
diff --git a/xyz/openbmc_project/User/README.md b/xyz/openbmc_project/User/README.md
index cbda1e3..1ce17e0 100644
--- a/xyz/openbmc_project/User/README.md
+++ b/xyz/openbmc_project/User/README.md
@@ -19,8 +19,18 @@ methods, properties and signals. ##### signals * UserRenamed - Signal sent out when user is renamed in the system. +#### xyz.openbmc_project.User.AccountPolicy interface +##### properties +* MaxLoginAttemptBeforeLockout - Permissible attempt before locking out the +user for failed login attempts. +* AccountUnlockTimeout - Timeout (in seconds) to unlock the account after a +lockout. +* MinPasswordLength - Minimum password length, which can be set. +* RememberOldPasswordTimes – Number of times old password shouldn’t be allowed +when updating password for the user. + ### Users Interface -User manager daemon, will create user objects for each and every user existing +User manager daemon, will create user objects for every user existing in the system under object path `/xyz/openbmc_project/user/`. Each user object can be handled through 'org.freedesktop.DBus.ObjectManager'. User object will expose following properties and methods.
@@ -30,12 +40,13 @@ User object will expose following properties and methods. * UserPrivilege - Privilege of the user. * UserGroups - Groups to which the user belongs. * UserEnabled - User enabled state. +* UserLockedForFailedAttempt - Locked or unlocked state of the user account. #### xyz.openbmc_project.Object.Delete #### methods * Delete - To delete the user object in the system. ##Note -This interface doesn't provide ways to set / update password. The same has to +This interface doesn't provide ways to set / update password. The same must be set / updated through pam_chauthtok() (PAM modules). This is to avoid sending out password through D-Bus. -- cgit v1.2.1