action #101006

closed

Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S

Added by okurz over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 2021-10-14
Due date:
% Done: 0%
Estimated time:

Description

Motivation

bmwiedemann from SUSE-IT informed me that security scans have shown openqaworkers to be vulnerable due to the default IPMI passwords. We should provide a unique password for that purpose, potentially unique for each host.

Acceptance criteria

Suggestions

  • Generate a password for each host with xkcdpass from python3-xkcdpass. Just use the same password we have for sp.openqaw8-vmware.qa.suse.de where bmwiedemann recently set a new password.
  • Set password from each host, e.g. with

        rcipmi start
        ipmitool user list
        ipmitool user set password 2 'FOOBAR'

Actions #1

Updated by okurz over 2 years ago

  • Description updated (diff)
  • Priority changed from Low to Normal
  • Target version changed from future to Ready

bmwiedemann asked me to expedite this task

Actions #3

Updated by livdywan over 2 years ago

  • Subject changed from Provide unique non-dictionary passwords for all our IPMI/HMC interfaces to Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S
  • Status changed from New to Workable
Actions #4

Updated by mkittler over 2 years ago

  • Assignee set to mkittler
Actions #5

Updated by mkittler over 2 years ago

  • Status changed from Workable to Feedback

Everything should be updated, including web hooks and documentation on https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/373.

I could not access fsp1-malbec.arch.suse.de from the outside (before and after the update) but I could change the password locally.

Actions #6

Updated by okurz over 2 years ago

  • Status changed from Feedback to Resolved

I could verify all that. Thx. That should be good enough.

Actions #7

Updated by okurz over 2 years ago

  • Status changed from Resolved to Feedback

Currently failing alerts for arm-1, arm-2, arm-3. Likely related.

Actions #8

Updated by mkittler over 2 years ago

Yes, I suppose I needed to URL-encode the password.


I ran the recovery script now locally (setting DEFAULT_IPMI_PASSWORD) and it worked. So the script is fine. I hope only the parameter passing was broken (due to the lack of URL-encoding).

Actions #9

Updated by mkittler over 2 years ago

I've checked with a web hook that just logs the env (see https://gitlab.suse.de/openqa/grafana-webhook-actions/-/commit/e0741e8b329b094756e15693171f5f0c35ef6e65) and could clearly reproduce the problem and that the URL-encoding helps.
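
The parameter-passing failure discussed in the comments above, as an added example (not code from this ticket or from grafana-webhook-actions): it shows how a password with reserved characters is altered when placed unencoded in a URL and how percent-encoding preserves it. It assumes the hook receives the password as a URL query parameter; the hook URL and parameter name are placeholders, and the sample password is constructed.

```python
import secrets
import string
from urllib.parse import parse_qs, quote, urlsplit

# Assumptions (not from the ticket): the hook takes the password as a URL
# query parameter; HOOK and PARAM are placeholder names.
HOOK = "https://hooks.example.invalid/ipmi-recover"
PARAM = "ipmi_password"


def generate_password(length=24):
    """Random per-host password; punctuation makes encoding bugs visible."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_url(password, encode=True):
    """Build the hook URL, percent-encoding every reserved character."""
    value = quote(password, safe="") if encode else password
    return f"{HOOK}?{PARAM}={value}"


def received_password(url):
    """Parse the URL the way a typical HTTP server would see it."""
    query = urlsplit(url).query  # anything after '#' never reaches the server
    return parse_qs(query, keep_blank_values=True).get(PARAM, [""])[0]


def survives(password, encode=True):
    """True if the receiver ends up with exactly the password that was sent."""
    return received_password(build_url(password, encode)) == password


if __name__ == "__main__":
    sample = "Tr+ub&4dor#3%41"  # constructed sample, not a real credential
    print("raw    :", repr(received_password(build_url(sample, encode=False))))
    print("encoded:", repr(received_password(build_url(sample))))
    fresh = generate_password()
    print("generated password round-trips:", survives(fresh))
```

In the unencoded case `+` is read as a space, `&` ends the parameter and `#` cuts off the rest as a fragment, so the receiver would try a different password than the one set on the BMC.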

Actions #10

Updated by mkittler over 2 years ago

  • Status changed from Feedback to Resolved