action #101006

Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S

Added by okurz 4 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Target version:
Start date: 2021-10-14
Due date:
% Done: 0%
Estimated time:
Description

Motivation

bmwiedemann from SUSE-IT informed me that security scans have shown openqaworkers to be vulnerable due to the default IPMI passwords. We should provide a unique password for that purpose, potentially unique for each host.

Acceptance criteria

Suggestions

  • Generate a password for each host with xkcdpass from python3-xkcdpass Just use the same password we have for sp.openqaw8-vmware.qa.suse.de where bmwiedemann recently set a new password
  • Set password from each host, e.g. with
      rcipmi start
      ipmitool user list
      ipmitool user set password 2 'FOOBAR'

History

#1 Updated by okurz about 2 months ago

  • Description updated (diff)
  • Priority changed from Low to Normal
  • Target version changed from future to Ready

bmwiedemann asked me to expedite this task

#3 Updated by cdywan about 2 months ago

  • Subject changed from Provide unique non-dictionary passwords for all our IPMI/HMC interfaces to Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S
  • Status changed from New to Workable

#4 Updated by mkittler about 2 months ago

  • Assignee set to mkittler

#5 Updated by mkittler about 2 months ago

  • Status changed from Workable to Feedback

Everything should be updated, including web hooks and documentation on https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/373.

I could not access fsp1-malbec.arch.suse.de from the outside (before and after the update) but I could change the password locally.

#6 Updated by okurz about 2 months ago

  • Status changed from Feedback to Resolved

I could verify all that. Thx. That should be good enough.

#7 Updated by okurz about 2 months ago

  • Status changed from Resolved to Feedback

Currently failing alerts for arm-1, arm-2, arm-3. Likely related.

#8 Updated by mkittler about 2 months ago

Yes, I suppose I needed to URL-encode the password.


I ran the recovery script now locally (setting DEFAULT_IPMI_PASSWORD) and it worked. So the script is fine. I hope only the parameter passing was broken (due to the lack of URL-encoding).

#9 Updated by mkittler about 2 months ago

I've checked with a web hook that just logs the env (see https://gitlab.suse.de/openqa/grafana-webhook-actions/-/commit/e0741e8b329b094756e15693171f5f0c35ef6e65) and could clearly reproduce the problem and that the URL-encoding helps.

#10 Updated by mkittler about 2 months ago

  • Status changed from Feedback to Resolved
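
The URL-encoding problem from comments #8 and #9, shown as an added example that is not part of the ticket or of the grafana-webhook-actions code: a random password containing URL-reserved characters is altered when placed raw in a web hook query string and survives only when percent-encoded. The hook URL, the parameter name `ipmi_password`, the host name and the sample password are assumptions made up for this example.

```python
import secrets
import string
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical hook endpoint and parameter name, chosen for this example only.
HOOK_URL = "https://hooks.example.invalid/recover"
PARAM = "ipmi_password"

# Letters, digits and punctuation; several of these are reserved in URLs.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_password(length=16):
    """Random non-dictionary password drawn from the OS CSPRNG.

    16 characters fits the IPMI 1.5 password field; IPMI 2.0 allows up to 20.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_hook_url(password, encode=True):
    """Build the hook URL; encode=False reproduces the broken parameter passing."""
    value = quote(password, safe="") if encode else password
    return f"{HOOK_URL}?host=worker-1&{PARAM}={value}"


def received_password(url):
    """Decode the query string the way a typical HTTP receiver would."""
    query = urlsplit(url).query  # everything after '#' is a fragment, not query
    return parse_qs(query, keep_blank_values=True).get(PARAM, [""])[0]


def survives_transport(password, encode=True):
    """True if the receiver ends up with exactly the password that was sent."""
    return received_password(build_hook_url(password, encode)) == password


if __name__ == "__main__":
    sample = "k7+Vq&x#2%41Zp"  # constructed sample, not a real credential
    for encode in (False, True):
        got = received_password(build_hook_url(sample, encode))
        print(f"encode={encode}: sent {sample!r}, received {got!r}")
    print("fresh password:", generate_password())
```

Without encoding, `+` decodes to a space, `&` starts a new parameter, `#` cuts the rest off as a fragment and `%41` decodes to `A`, so the receiver gets a different password than the one set on the BMC.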
