Change default password on Cumulus switch #3743

Closed

mattaezell opened this issue Aug 23, 2017 · 6 comments

Comments

@mattaezell
Contributor

Security policy requires us to change the password for the cumulus user to be non-default.

I propose a generic postscript solution that can change passwords in /etc/shadow on systems running linux (compute nodes, Cumulus switches, OpenBMC, etc). This would also be useful for us after installation, since we have to change our passwords from time to time. We probably want all the passwords salted+hashed in the passwd table and copied over on-demand similar to the getipmi script in Genesis (we probably don't want the hashed passwords left in mypostscript).

I'm willing to work on implementation if the xCAT developers agree this is the best way to handle this.

@immarvin
Contributor

hi @mattaezell, so you want to create a postscript to update/create the password field in /etc/shadow; this script can be invoked as a postscript during OS provisioning or with updatenode -P on the provisioned node. In this script, the plain text of the password or the salted+hashed ciphertext of the password will be transferred to the target node through the "allowcred.awk+openssl" tunnel instead of an environment variable in "mypostscript", am I right?

I have several questions on your proposal:

  1. What is the user interface of the script? It seems it will request some fields from the passwd table instead of taking the password as an argument. How does it determine which row in the passwd table to request? There are several types of key in the passwd table for different purposes; which of them will your postscript support?

     [root@c910f03c05k21 xcat-core]# tabdump -d passwd
     key:		The type of component this user/pw is for.  Valid values: blade (management module), ipmi (BMC), system (nodes), omapi (DHCP), hmc, ivm, cec, frame, switch.

  2. If you would like to use the "allowcred.awk+openssl" way to transfer the password, you might need to implement a new xCAT request like "getbmcconfig" to process the password request.

@immarvin immarvin added this to the 2.13.7 milestone Aug 23, 2017
@immarvin immarvin self-assigned this Aug 23, 2017
@mattaezell
Contributor Author

Hi @immarvin. Yes, I think you are correct about my intentions.

  1. Yes, the passwords should be stored in the table. For regular nodes, it should use the system key from the passwd table, just like it's used when generating images. For a Cumulus switch, we could use either key=switch or key=cumulus. We have a couple of options on how to handle root and cumulus: a) only support changing one password (by default I think root doesn't have a password), so just set cumulus and let users use SSH keys or sudo; b) set root and cumulus to the same password; or c) support multiple usernames and passwords with syntax like the nics table.
     The switch table also has sshusername and sshpassword fields which could be used first, with the passwd table as a fallback.
  2. Understood.
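The mechanics the two comments above sketch (a postscript that rewrites one account's hash in /etc/shadow with a salted+hashed value that was looked up from the passwd table on the management node) can be shown with a small shell function. This is an added example, not xCAT's postscript and not the switch-table or allowcred/openssl transport discussed in the thread: it assumes the caller has already obtained the crypt(3) hash by some means and simply does the on-node edit against a constructed shadow-format file, so it runs unprivileged. The hash string used below is a syntactically valid SHA-512 crypt placeholder, not a real digest of any password.

```shell
#!/bin/sh
# Added example (not xCAT's own code): replace one account's password hash in
# a shadow-format file. A real postscript would point FILE at /etc/shadow and
# receive HASH from the management node; here both are supplied by the caller.
set -eu

# set_shadow_hash FILE USER HASH
# Rewrites field 2 (the crypt(3) hash) for USER in FILE and sets field 3
# (days since epoch of the last change) to today, leaving every other field
# and every other line untouched. Returns 1 if USER is absent, 2 if HASH is
# not a modular-crypt string ($id$salt$hash), so a caller that mistakenly
# passes cleartext, or a lock marker like "!" or "*", never writes it here.
set_shadow_hash() {
    file=$1 user=$2 hash=$3
    case $hash in
        '$'[0-9a-zA-Z]*'$'*) ;;
        *) echo "refusing non-crypt value for $user" >&2; return 2 ;;
    esac
    grep -q "^$user:" "$file" || { echo "no such user: $user" >&2; return 1; }
    days=$(( $(date +%s) / 86400 ))
    tmp=$(mktemp "$file.XXXXXX")
    # shadow is a ':'-separated table: swap fields 2 and 3 on the matching row.
    awk -F: -v OFS=: -v u="$user" -v h="$hash" -v d="$days" \
        '$1 == u { $2 = h; $3 = d } { print }' "$file" > "$tmp"
    # Real /etc/shadow is 0000 (RHEL) or 0640 root:shadow (Debian); a
    # production script should copy the existing mode and owner instead.
    chmod 0600 "$tmp"
    mv "$tmp" "$file"
}

# shadow_hash_of FILE USER: print the hash field for USER (check helper).
shadow_hash_of() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# make_sample_shadow: write a constructed three-line shadow file (root locked,
# cumulus with a placeholder default hash, nobody locked) and print its path.
make_sample_shadow() {
    f=$(mktemp /tmp/shadow.XXXXXX)
    printf '%s\n' \
        'root:*:17400:0:99999:7:::' \
        'cumulus:$6$oldsalt$OLDHASHPLACEHOLDER000000000000000000000000000:17400:0:99999:7:::' \
        'nobody:*:17400:0:99999:7:::' > "$f"
    echo "$f"
}
```

Usage in a postscript would be `set_shadow_hash /etc/shadow cumulus "$HASH"` after the hash has been fetched; generate a hash on the management node with `openssl passwd -6` rather than shipping cleartext. The refusal of non-crypt strings is deliberate: a locked account should be handled with `passwd -l`, not by writing "!" through this path.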

@immarvin
Contributor

hi @mattaezell, any update on this? Thanks.

@mattaezell
Contributor Author

@immarvin Unfortunately, I haven't had the time to work on this yet.

@immarvin
Contributor

OK, since we are working on the release process for 2.13.7, I will move the target to the next release. Is that OK?

@mattaezell
Contributor Author

Sure, but I will try to get this in place before we provision our Summit switches.

@immarvin immarvin modified the milestones: 2.13.7, 2.13.8 Sep 19, 2017
@zet809 zet809 removed this from the 2.13.8 milestone Nov 2, 2017
@zet809 zet809 added the sprint2 label Mar 9, 2018
@zet809 zet809 added this to the 2.14 milestone Mar 9, 2018
@zet809 zet809 modified the milestones: 2.14, 2.14.1 Mar 27, 2018
@immarvin immarvin modified the milestones: 2.14.1, 2.14.x May 29, 2018