diff options
| author | Ayushi Smriti <smriti.ayushi@intel.com> | 2019-05-15 11:59:09 +0000 |
|---|---|---|
| committer | smriti.ayushi <smriti.ayushi@linux.intel.com> | 2019-06-09 07:34:01 +0000 |
| commit | 02650d53027326ed9b24a58b23596a74e5456654 (patch) | |
| tree | dd13b303b303242bfddf25a4773392923ce08889 /user_channel/user_mgmt.cpp | |
| parent | ea1c401c4bac43d6070bf7d515df08f8bf57c0a2 (diff) | |
| download | phosphor-host-ipmid-02650d53027326ed9b24a58b23596a74e5456654.tar.gz phosphor-host-ipmid-02650d53027326ed9b24a58b23596a74e5456654.zip | |
User-mgmt: Add IPMI user pam authenticate check API
PAM user authentication check must be performed, before any RMCP+
session establishment, as this will be able to check whether user
is already locked out, due to failed attempt.
This patch introduces the pam user check API, which will be used by
netipmid daemon.
Tested:
Verified the API call check and making sure it works.
Real testing is performed by including the same in
phosphor-ipmi-net for RMCP+ session establishment both
for user locked for failed attempt and normal case.
Commands used-
Created new user using ipmitool
ipmitool user set name 2 testuser
ipmitool user enable 2
ipmitool user set password 2 pas1tes2
ipmitool user priv 2 4 3
ipmitool user list 3 //New user entry can be seen listed
ipmitool channel getaccess 3 2 //For getting channel access
ipmitool channel setaccess 3 2 ipmi=on priviledge=4
Normal Case:
ipmitool -I lanplus -U testuser -P pas1tes2 -H <bmc ip> raw 6 1
//Command
23 00 00 00 02 bf 57 01 00 7b 00 00 00 00 00 //Response
Negative Case:
busctl set-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user xyz.openbmc_project.User.AccountPolicy
MaxLoginAttemptBeforeLockout q 3
Tried 3 failed login attempts from webpage, and then tried to
establish IPMI RMCP+ as expected, session establishment failed.
wait for the timeout or unlock the user using-
busctl set-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user/sayushi xyz.openbmc_project.User.Attributes
UserLockedForFailedAttempt b false
busctl get-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user/sayushi xyz.openbmc_project.User.Attributes
UserLockedForFailedAttempt b false //Command
b false //Response
After this RMCP+ session will be established as usual.
Change-Id: I5ee2dc0848944a12f682f0775930091d32508bde
Signed-off-by: Ayushi Smriti <smriti.ayushi@linux.intel.com>
Diffstat (limited to 'user_channel/user_mgmt.cpp')
| -rw-r--r-- | user_channel/user_mgmt.cpp | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/user_channel/user_mgmt.cpp b/user_channel/user_mgmt.cpp index a1d2443..9b40f6c 100644 --- a/user_channel/user_mgmt.cpp +++ b/user_channel/user_mgmt.cpp @@ -715,6 +715,47 @@ bool pamUpdatePasswd(const char* username, const char* password) return true; } +bool pamUserCheckAuthenticate(std::string_view username, + std::string_view password) +{ + const struct pam_conv localConversation = { + pamFunctionConversation, const_cast<char*>(password.data())}; + + pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start + + if (pam_start("dropbear", username.data(), &localConversation, + &localAuthHandle) != PAM_SUCCESS) + { + log<level::ERR>("User Authentication Failure"); + return false; + } + + int retval = pam_authenticate(localAuthHandle, + PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); + + if (retval != PAM_SUCCESS) + { + log<level::DEBUG>("pam_authenticate returned failure", + entry("ERROR=%d", retval)); + + pam_end(localAuthHandle, retval); + return false; + } + + if (pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK) != + PAM_SUCCESS) + { + pam_end(localAuthHandle, PAM_SUCCESS); + return false; + } + + if (pam_end(localAuthHandle, PAM_SUCCESS) != PAM_SUCCESS) + { + return false; + } + return true; +} + ipmi_ret_t UserAccess::setSpecialUserPassword(const std::string& userName, const std::string& userPassword) { |
