action #101006
closed: Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S
Description
Motivation
bmwiedemann from SUSE-IT informed me that security scans have shown openqaworkers to be vulnerable due to the default IPMI passwords. We should provide a unique password for that purpose, potentially unique for each host.
Acceptance criteria
- AC1: No IPMI/BMC connection in https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls references the default password anymore
Suggestions
- Generate a password for each host with ~~xkcdpass from python3-xkcdpass~~ Just use the same password we have for sp.openqaw8-vmware.qa.suse.de where bmwiedemann recently set a new password
- Set password from each host, e.g. with
rcipmi start
ipmitool user list
ipmitool user set password 2 'FOOBAR'
Updated by okurz about 3 years ago
- Description updated (diff)
- Priority changed from Low to Normal
- Target version changed from future to Ready
bmwiedemann asked me to expedite this task
Updated by okurz about 3 years ago
I added a hint on https://progress.opensuse.org/projects/openqav3/wiki/Wiki/diff?utf8=%E2%9C%93&version=135&version_from=134&commit=View+differences to add new IPMI password for new machines
Updated by livdywan about 3 years ago
- Subject changed from Provide unique non-dictionary passwords for all our IPMI/HMC interfaces to Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S
- Status changed from New to Workable
Updated by mkittler about 3 years ago
- Status changed from Workable to Feedback
Everything should be updated, including web hooks and documentation on https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/373.
I could not access fsp1-malbec.arch.suse.de from the outside (before and after the update) but I could change the password locally.
Updated by okurz about 3 years ago
- Status changed from Feedback to Resolved
I could verify all that. Thx. That should be good enough
Updated by okurz about 3 years ago
- Status changed from Resolved to Feedback
Currently failing alerts for arm-1, arm-2, arm-3. Likely related
Updated by mkittler about 3 years ago
Yes, I suppose I needed to URL-encode the password.
I ran the recovery script now locally (setting DEFAULT_IPMI_PASSWORD) and it worked. So the script is fine. I hope only the parameter passing was broken (due to the lack of URL-encoding).
Updated by mkittler about 3 years ago
I've checked with a web hook that just logs the env (see https://gitlab.suse.de/openqa/grafana-webhook-actions/-/commit/e0741e8b329b094756e15693171f5f0c35ef6e65) and could clearly reproduce the problem and that the URL-encoding helps.
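As an added example (not code from this ticket, nor from the salt-pillars-openqa or grafana-webhook-actions projects), the following Python script shows the two points discussed above in working form: passing the new IPMI password to ipmitool as a single argv element instead of interpolating it into a shell string, and percent-encoding it before it is put into a webhook query string, with a round-trip check that would have caught the broken parameter passing for arm-1/arm-2/arm-3. The default-password string, the host name, the webhook URL and the sample secret are constructed placeholders, not values from the ticket.

```python
"""Added example: handling an IPMI password on its way to ipmitool and to a webhook.

All values below are constructed for illustration; the default password,
host name and webhook base URL are placeholders, not values from the ticket.
"""
from __future__ import annotations

from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Placeholder for the vendor default that the security scan flagged; the real
# value is not given in the ticket.
DEFAULT_IPMI_PASSWORD = "CHANGEME-DEFAULT"


def is_acceptable(password: str, default: str = DEFAULT_IPMI_PASSWORD) -> bool:
    """Refuse the default password (AC1) and, as an added conservative floor,
    anything shorter than 12 characters."""
    return password != default and len(password) >= 12


def ipmitool_set_password_argv(user_id: int, password: str) -> list[str]:
    """Build the `ipmitool user set password <id> <pw>` command as an argv list.

    Handing the secret to subprocess.run(argv) as one element avoids the shell
    quoting pitfalls of building a command string, and lets us refuse the
    default value before anything is sent to the BMC.
    """
    if not is_acceptable(password):
        raise ValueError("refusing to set an unacceptable IPMI password")
    return ["ipmitool", "user", "set", "password", str(user_id), password]


def naive_webhook_url(base: str, params: dict[str, str]) -> str:
    """The broken variant for comparison: raw interpolation, no percent-encoding.

    A password containing '&', '#', '=' or whitespace is cut apart by the
    receiving side's query parser.
    """
    return base + "?" + "&".join(f"{k}={v}" for k, v in params.items())


def webhook_url(base: str, params: dict[str, str]) -> str:
    """Percent-encode every parameter so reserved characters survive intact.

    safe="" encodes '/' as well; quote (not quote_plus) keeps spaces as %20.
    """
    return base + "?" + urlencode(params, quote_via=quote, safe="")


def received_params(url: str) -> dict[str, str]:
    """What the receiving side sees once its framework parses the query string."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query).items()}


def round_trips(base: str, params: dict[str, str]) -> bool:
    """Self-check worth running before wiring a secret into a webhook URL."""
    return received_params(webhook_url(base, params)) == params


if __name__ == "__main__":
    base = "https://webhook.example.invalid/recover"          # placeholder URL
    params = {"host": "arm-1", "password": "p&ss w#rd=1/2"}   # constructed secret
    print("naive:  ", received_params(naive_webhook_url(base, params)))
    print("encoded:", received_params(webhook_url(base, params)))
    print("argv:   ", ipmitool_set_password_argv(2, params["password"]))
```

With the constructed secret the naive URL is received as `password=p` (the `&` starts a new parameter and the `#` turns the rest into a fragment), while the encoded URL round-trips unchanged. In a shell-based recovery script the same encoding step can be done before the value is placed in the URL, for instance with `jq -rn --arg v "$PW" '$v|@uri'`.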
Updated by mkittler about 3 years ago
- Status changed from Feedback to Resolved
Looks like the recovery works again, e.g. https://gitlab.suse.de/openqa/grafana-webhook-actions/-/jobs/742232