PAM: also_deny_root #80

Closed
joseph-reynolds
Contributor

This extends the account lockout to the root user.
See 5841aed

Note that as configured here, the Redfish AccountService REST APIs to PATCH the
AccountLockoutThreshold and AccountLockoutDuration properties do not apply to
the root user. Changing the values will have no effect on the lockout policy
for root. That is the intention.

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>

This extends the account lockout to the root user.
See 5841aed

Note that as configured here, the Redfish AccountService REST APIs to PATCH the
AccountLockoutThreshold and AccountLockoutDuration properties do not apply to
the root user.  Changing the values will have no effect on the lockout policy
for root.

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
@joseph-reynolds
Contributor Author

Fixes SW478305

@joseph-reynolds
Contributor Author

See also pull/79. This is closer to the traditional solution to this problem. (The problem is how to balance attackers continuously guessing passwords vs allowing legitimate users in.) However, we're looking for a better solution. That's being discussed in the review https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/27527
Closing this while waiting for a better solution from upstream OpenBMC. If needed, this can be re-opened and used as-is.

@joseph-reynolds
Contributor Author

Do not merge this as-is. The parameter also_deny_root must be changed to even_deny_root. Read the docs: http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html Note: The pam_tally2 module treats the "root" user specially, and does not lock out root by default.

My original commit message was confusing. Here is another try:

Note that the Redfish AccountService REST APIs to PATCH the
AccountLockoutThreshold and AccountLockoutDuration properties do not apply to
the root user. The root user account is never locked. This patch applies a 300 second account lockout policy to the root user account. There are no APIs for the BMC admin to change the root account lockout policy.
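
A quick way to catch the misnamed option described in the comment above, as an added example that is not code from this pull request: a small Python audit of pam_tally2 `auth` lines that flags undocumented options and reports whether root is covered by the lockout. The sample PAM lines, `deny=3` and the function name `audit_pam_tally2` are assumptions; the patch's actual PAM line is not shown on this page.

```python
# Added example: audit pam_tally2 "auth" lines for root lockout coverage.
# Option names are those documented in the pam_tally2 manual page.
FLAG_OPTS = {"audit", "silent", "no_log_info", "debug", "magic_root",
             "no_lock_time", "even_deny_root", "serialize"}
VALUE_OPTS = {"onerr", "file", "deny", "lock_time", "unlock_time",
              "root_unlock_time"}
NUMERIC_OPTS = {"deny", "lock_time", "unlock_time", "root_unlock_time"}


def audit_pam_tally2(config_text):
    """Return one report dict per pam_tally2 auth line in config_text."""
    reports = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        # Locate the module token; the control field may be a bracketed
        # "[success=1 default=ignore]" list, so do not assume a position.
        idx = next((i for i, t in enumerate(tokens)
                    if t.endswith("pam_tally2.so")), None)
        if idx is None or tokens[0].lstrip("-") != "auth":
            continue
        flags, values, unknown, issues = set(), {}, [], []
        for arg in tokens[idx + 1:]:
            name, sep, value = arg.partition("=")
            if not sep and name in FLAG_OPTS:
                flags.add(name)
            elif sep and name in VALUE_OPTS:
                if name in NUMERIC_OPTS and not value.isdigit():
                    issues.append(f"{name} needs a number, got {value!r}")
                else:
                    values[name] = int(value) if name in NUMERIC_OPTS else value
            else:
                unknown.append(arg)
                issues.append(f"{arg!r} is not a documented pam_tally2 option")
        # root_unlock_time implies even_deny_root according to the man page.
        root_locked = "even_deny_root" in flags or "root_unlock_time" in values
        if "deny" not in values:
            issues.append("no deny= threshold on this line")
        if not root_locked:
            issues.append("root is exempt: even_deny_root is not set")
        elif "root_unlock_time" not in values and "unlock_time" not in values:
            issues.append("root lockout has no time limit on this line")
        reports.append({"line": lineno, "root_locked": root_locked,
                        "root_unlock_time": values.get("root_unlock_time"),
                        "unknown": unknown, "issues": issues})
    return reports


# Constructed sample lines: deny=3 is made up; 300 seconds is the root
# lockout duration named in the thread.
BEFORE = "auth required pam_tally2.so deny=3 unlock_time=300 also_deny_root\n"
AFTER = ("auth required pam_tally2.so deny=3 unlock_time=300 "
         "even_deny_root root_unlock_time=300\n")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for report in audit_pam_tally2(text):
            print(label, report)
```
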

rfrandse added a commit that referenced this pull request Oct 25, 2022
Giridhari Krishna (1):
  Fixing clang errors in panel_app_test (#62)

Jinu Joy Thomas (3):
  Added default display
  Fix default display for power down (#138)
  Fix write Error displays when Hot-plugging the panel out (#153)

PriyangaRamasamy (11):
  Generic GetPDR method (#65)
  Fix for Lamp test issue (#73)
  Clang issue:Remove brace initialiser in string (#85)
  Move GetPDR api to utility (#82)
  Better trace statement for transport key (#86)
  Get OS IPL mode state from PHYP (#95)
  Add 3 seconds interval after software reset (#113)
  Function 30: Make LinkLocal IP default (#119)
  Clang format missing for an header file (#132)
  Func30:Pick inventory ethernet objects at runtime (#135)
  Bug fix in panel PEL code (#151)

Santosh Puranik (6):
  Executor method to trigger PHYP functions (#68)
  Manual mode fixes (#80)
  Compilation Fixes (#99)
  Revert "Get OS IPL mode state from PHYP (#95)" (#104)
  Code fix to check for HMC managed system (#125)
  transport: Recover From Bootloader Hang (#149)

Priyanga Ramasamy (2):
  Dbus property to store OS IPL mode
  Fix:SW547181 Display static/DHCP IP if present

Sunny Srivastava (19):
  Panel to PHYP communication via PLDM (#58)
  Code fix for Function02 and Function01 (#60)
  PEL terminating bit handle (#69)
  Implementation of function 25 and 26 (#71)
  Panel function 74 implementation (#77)
  Fetch existing PELs (#79)
  Code fix to check CE mode condition (#90)
  Update PELs processing implementation (#92)
  Code fix to handle I2C write failure (#94)
  Unwanted logs removed (#106)
  Execute function 01 at bmc ready state (#108)
  Update parameters for System operating mode (#110)
  Flow update to set current operating mode (#112)
  Logs added/removed (#122)
  Display Phyp src and hexwords (#129)
  Use Bios attribute for boot side (#140)
  Update progress code at standby
  PEL addition for ibm panel (#147)
  Panel CM in Everest (#157)

GiridhariKrishna (2):
  Tool for simulating panel input (#97)
  D-bus method to display lines on lcd panel (#118)

Change-Id: Ib523552fa716dc3b0ec76a6e6fadab0811abc1e4
rfrandse added a commit that referenced this pull request Oct 26, 2022
anoo1 pushed a commit to anoo1/openbmc-1 that referenced this pull request Oct 28, 2022
rfrandse added a commit that referenced this pull request Feb 13, 2023
Patrick Williams (4):
  ramoops: avoid deleting root
  prettier: re-format
  beautysh: re-format
  python: fix flake8 warnings and format with black

Ed Tanous (1):
  Remove double inheritance on faultlog entry

Aravind T (1):
  Merge pull request #80 from chiragsibm/1050

Chirag Sharma (8):
  openpower: Adding opdreport script
  opdreport: Adding missing contents in header
  opdreport: Adding info.yaml file in host dumps
  opdreport: Adding failure details for sbe dump in info.yaml
  dreport:IBM: Added custom package script
  opdreport: Changing dumpheader file name
  dreport: Adding default value to model & serial number
  dreport: switch to zstd compression from Jcf

Change-Id: I703aa1ef73dc17eb7238e9be3126060cede1e55a
rfrandse added a commit that referenced this pull request Mar 28, 2024
Asmitha Karunanithi (1):
  Avoid resetting ip when dhcp is enabled (#80)

Change-Id: I43312bf0288f800e12b30e04fccc443f4cb2afd1
rfrandse added a commit that referenced this pull request Mar 28, 2024
cmjishnu (1):
  DHCP Parameters for IPv6 (#80)

Change-Id: I64e60c0b6b2a75937345815675b62d9e66fa6773
rfrandse added a commit that referenced this pull request Mar 28, 2024
Noah Brewer (1):
  ACF interface added

Thang Tran (1):
  Power.Cap: add properties to control Power Limit

Asmitha Karunanithi (1):
  Add a new intf "GeneratedBy"

Delphine CC Chiu (1):
  Power-interface: Revise released signal with pressing duration

sagisin (1):
  Create Validate interface for inband code update (#73)

Dhruvaraj Subhashchandran (2):
  Add SBE dump type to dump create parameters
  Add Self Boot Engine(SBE) dump interface

Ravi Teja (1):
  Add Network Static Route D-bus Interface

Logananth Sundararaj (1):
  Add support for HotPluggable

zamiseck (1):
  Add Error to Software Version Interface (#43)

ArchanaKakani (1):
  Create Assemble Code Update Image method (#79)

Alpana07 (1):
  VPD Error interface UnknownSystemType supported (#32)

Ninad Palsule (1):
  Add a new dbus interface to get list of consoles

Hieu Huynh (1):
  bootprogress: add OEM value for ProgressStages enumerations

nkantesh (1):
  Add a new dbus interface for VSBK record (#75)

cmjishnu (1):
  DHCP Parameters for IPv6 (#80)

Chris Cain (1):
  Control.Power.Throttle: Add throttle Interface (#81)

Deepak Kodihalli (1):
  Dual-boot: BIOS attribute for choosing OS

Sui Chen (1):
  Add ObjectManager path requirement for Voltage Regulator interfaces

Chau Ly (1):
  Chassis.Intrusion: Add Rearm property

Jayashree Dhanapal (2):
  Add a new chassisType for Redfish
  Add a new interface for ThermalDirection

Adriana Kobylak (1):
  treewide: use more specific object_path type (#64)

Tim Lee (1):
  add Enabled properties and remove unused methods nmiEnable

gikrish1-in (1):
  ibm: Add new interface "PSPD"

Andrew Jeffery (1):
  meson: Add dependency override for phosphor-dbus-interfaces

Patrick Williams (3):
  gen: update due to sdbusplus-gen-meson change
  meta: add compatible strings for BMCs
  regenerate-meson: re-run with latest from sdbusplus

Andrew Geissler (4):
  Dual-boot: update meson build file to support dual-boot
  Changes required to get CI to pass
  ibm-downstream: regenerate-meson: re-run with latest from sdbusplus
  Revert "power-recovery: add PowerRestoreDelay to RestorePolicy"

Sunny Srivastava (1):
  IBM: Api to collect single FRU VPD

Pavithra Barithaya (1):
  Add additional variant types for Notify D-Bus method

Michael Shen (1):
  Cpu: Convert `Step` default value to maxint

Ramesh Iyyar (4):
  HardwareIsolation: Added the "CreateWithEntityPath" method
  Logging: Event: Added the event_indicator association
  Logging: Event: Added the error_log association
  Logging: Event: Added the Severity property

Dhruvaraj S (1):
  com-ibm-dump: Add initial value to response code (#57)

Sunitha Harish (1):
  Capacity-On-Demand: License manager DBus

Myung Bae (1):
  Add association between FabricAdapter and Port

Pavithra B (1):
  PCIeLink and PCIeTopology DBus Interfaces (#66)

Krzysztof Grobelny (1):
  updated telemetry service API

Ben Tyner (1):
  Power mode state lock support (#61)

Matt Spinler (1):
  ibm: Add new properties to Logging.PEL.Entry interface (#77)

Change-Id: Idbad9af3754be712a894e29e316a4c77badd770c
rfrandse added a commit that referenced this pull request Mar 28, 2024
Gopichand Paturi (1):
  OCMB target type renamed to "OCMB"

devenrao (3):
  get and put scom support for odyssey ocmb with sbefifo backend
  add get/put scom cfam support for ody ocmb with kernel backend
  cater for odyssey ocmb chipop for dump and ffdc

Swarnendu Roy Chowdhury (1):
  Addition of unit test cases for Switching Backend functionality

Aravind T (3):
  Merge pull request #76 from Swarnendu-R-C/backend_switching
  Merge pull request #81 from gcpin/master
  Merge pull request #80 from devenrao/ody

Swarnendu-R-C (1):
  Correcting formatting issues

Change-Id: I85bd08e371c73e0539ad5883fab19076c06ff2a0
rfrandse added a commit that referenced this pull request Mar 28, 2024
George Liu (1):
  Fix server firmware start policy (#77)

Steffi Antony (11):
  Disabled search and filter option in PCIe topology (#164)
  Toggle button moving twice (#169)
  Enablement TCE Table Pre-Allocation for Dynamic Drawer Add (#181)
  Updated Status in Inventory and LEDs page (#190)
  Updated Status in Inventory and LEDs page (#191)
  Added an additional message for hostname (#185)
  Handled DHCP network configurations (#193)
  Updated validation for Bonnell system (#199)
  Handled 2 post request CSR generation (#200)
  Updated availability info on IBMi service functions page (#202)
  Disabled Power cap fields (#203)

Nabil Ananthamangalath (3):
  Implemented Redfish message ID checks using Regex (#170)
  Implemented SRC details in Progress Logs page (#178)
  Fixed improperly formatted CSR data (#192)

sandeepasingh116 (8):
  Fix login page logo issue (#81)
  Fix network page modal issue (#76)
  Fix network page toast msg bug (#78)
  Add warning message to date time page (#80)
  Fix logo issue (#82)
  Add IPv6 table (#85)
  Fix the ipv6 address validator regex (#88)
  Add 1LA settings (#93)

Gunnar Mills (4):
  Fix popup-box authenticate on session disconnect (#106)
  Bump the Notice Text to 1050 (#113)
  Move webui-vue to use Context (#120)
  Match PLDM: correct Gard to Guard (#158)

Nikhil Ashoka (54):
  Labels now updating in Concurrent maintenance page (#63)
  Refresh only once and title translation (#65)
  Pagination fixed in Dumps (#64)
  Fixed Remote port location (#79)
  Fabric Adapters showing right info in the respective tabs (#75)
  Checking IP address and filtering (#83)
  Fixed Health and Status values for I/O expansion chassis (#91)
  VET Capabilties names updated (#92)
  Performance improved for Sensors page (#89)
  Logging out after hostname update (#94)
  Performance improved for Pcie-topology page (#87)
  "Secure LDAP" value is retained (#96)
  Toast message added to Power supplies LEDs (#97)
  Changed the default value of Health in Inventory page (#95)
  Resource dump is now submitted in any state (#99)
  Dumps initiate fixed (#101)
  Informational logs not shown for the admin (#102)
  Delay to retrieve data when new address is added (#103)
  Updated the helptext of RTAD (#100)
  Filter values for Sensors and PCIe topology taken from translation file (#108)
  1LA: Runtime Processor Diagnostics Updated (#112)
  Fixed Download Event Logs and Informational Logs (#115)
  Fixed PCIe Slots reload issue on toggle (#117)
  Added toast messages for Immediate test requests and Scheduled (#119)
  Updated the payload for ACF certificates (#121)
  Added toast message for LEDs in PCIe topology (#126)
  Updated toast message for System attention LED (#129)
  Added delay in getting the tables in Network page (#124)
  Added delay to get the updated NTP date and time (#132)
  Updated delete ACF certificate request body (#135)
  Implemented IPv6 static default gateways (#141)
  Removed Alert and added info icons in system parameters page (#137)
  Implemented new logic for I/O slots (#138)
  Filtering out System Anchor from VET capabilities (#144)
  Filtering the IP address in HMC and user sessions (#146)
  Parent Link ID new GUI logic (#145)
  Added delay to get the updated SLAAC address (#150)
  Able to change expired password (#152)
  Detailed error message for Resource Dump if system not PHYP in stndby (#151)
  Adding delay to Delete and disabling tables (#155)
  Linux KVM implementation (#157)
  Load Navigation Items after checking model type (#160)
  Added HMC managed check for System Memory Reserved for KVM Guest Management (#162)
  Updated Linux KVM implementation (#168)
  Disabled AMM for Bonnell (#166)
  Updated Upstream fabric adapters in PCIe topology (#172)
  Updated System Memory Reserved for KVM Guest Management (#173)
  Implement IBM i Service Functions (#161)
  Fixed translation file issue (#183)
  - Renamed "IBM i alternate load source" to "IBM i alternate restart device" (#189)
  1KW: Network settings implementation (#186)
  Added Info tooltip in Inventory and LEDs (#205)
  Upgraded the Axios verison (#206)
  Removed default Alert message (#208)

vedangimittal (6):
  Disabled horizontal scroll on Notices page (#165)
  Removed expand option under PCIe slots (#171)
  “Service Login Certificate” updated using translation file (#182)
  Frequency cap value validation (#188)
  Updated select dump type tool tip  message (#198)
  Updated the IBM i options description (#201)

Renuka9527 (27):
  Fixed User unable to delete the firmware file if name is long on firmware page (#107)
  Fixed search functionality for all the fields in Inventory and LED page (#109)
  Fixed success toast in inventory led's (#111)
  Added condition check for the Expired access key error and fetching from translations (#105)
  Fixed operations menu items when opened in anothersession (#110)
  Fixed deconfiguration record header (#104)
  Added a confirm box on enabling the Unauthenticated ACF upload enablement (#116)
  Fixed success message on delete all error logs operation (#118)
  Fixed hypervisor console when power is off to disconnected (#123)
  updated HMC and user sessions warning message (#128)
  Fixed error message for read only use password change (#130)
  Fixed error message expired access key (#131)
  Removed privilege change option for read only users (#133)
  Added Success Toast with reload message for HTTP certificate (#134)
  Added 30 secs delay for Updating Network IPMI (out-of-band IPMI) protocol (#127)
  Updated Privilege options in User Management page (#140)
  Added condition check for manual and normal modes for displaying prompt (#142)
  disabled the server power options on save and enabling on succesfull save (#148)
  Removed pel id and replaced with event id (#154)
  Added latest notices file (#156)
  Blinking issue of health button while clicking on Event Logs submenu form other menus. (#153)
  Added condition check for the system operating mode (#179)
  reverted the translation change from store and added to table row with certificate check (#184)
  Audit Logs Page Implementation (#174)
  Disabled the selection till save is success for bios setting (#180)
  Removed Downloading the Empty Audit log files when download API is failing from GUI. (#195)
  Added LocationIndicatorActive check in Inventory page (#187)

Change-Id: If69ae53bc29eaadebcd09291e45c0d27fb7f9e29