So, for reference, there has been some adapting in the confluent out of band discovery to follow the password situation.
In theory, in-band bmcsetup should be fine. An ipmi over kcs password change should count, and doesn't check old password. However it rejects by default:
-Too simple passwords
-Passwords shorter than 10 characters
-More than one password change in 24 hours

Out of band, confluent knows how to negotiate the first password change. It also has the bmc settings with password policies:

# nodeconfig d1 bmc
d1: bmc.ipv4_address: 172.30.83.1/16
d1: bmc.ipv4_method: Static
d1: bmc.ipv4_gateway:
d1: bmc.hostname:
d1: bmc.password_change_interval: 0
d1: bmc.password_complexity: 1
d1: bmc.password_expiration: 90
d1: bmc.password_lockout_period: 60
d1: bmc.password_login_failures: 5
d1: bmc.password_min_length: 10
d1: bmc.password_reuse_count: 5
d1: bmc.presence_assert: Disable
d1: bmc.smm: Enable
d1: bmc.smm_ip: 172.30.230.3

I have a python script to remotely unexpire passwords:
https://github.com/lenovo/confluent/blob/master/misc/fixexpiry.py

________________________________
From: mark.berg...@uphs.upenn.edu <mark.berg...@uphs.upenn.edu>
Sent: Thursday, February 11, 2021 8:23 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] Re: [External] running bmc setup and the USERID password

In the message dated: Fri, 12 Feb 2021 00:48:10 +0000,
The pithy ruminations from peter CZ1 Peng on
[[xcat-user] Re: [External] running bmc setup and the USERID password] were:
=> Hi, Damir
=> The new policy implementation is due to the California PASSWORD Law
=> requirement, so if you want to keep the default USERID/PASSW0RD, the IMM
=> settings should be updated (please note that if you load default IMM,
=> the settings would be default as below)
=>
=> IMM.ComplexPassword=Enabled
=> IMM.FirstAccessPwChange=Enabled
=> IMM.PasswordReuse=5 Passwords
=> IMM.PasswordAge=90
=> IMM.MinPasswordLen=10
=> IMM.DefPasswordExp=Enabled
=> IMM.ComplexPassword=Enabled

Yes, we got bitten by that as well -- did an automated password change,
then 90 days later they were all expired. :(

Does the "-n" option to bmcdiscover also reset the complexity & password
expiration rules?

Thanks,

Mark

=>
=> Best wishes,
=>
=> Peter CZ Peng 彭成柱
=> Global Engineering - Complex Solutions TE
=> Lenovo systems Technology (Shenzhen) Co., Ltd
=> 1/F,3# Tower, Great Wall Technology Building, Nanshan District science
=> and Technology Park, Shenzhen, China
=> Phone: +86 181 2997 7350
=> peng...@lenovo.com<mailto:peng...@lenovo.com>

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
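
Added example, not part of the thread and not confluent's own code: a Python script that parses the bmc.password_* lines of nodeconfig output in the format shown in the message above and lists, per node, the policy settings that would break an automated password change, such as the 90-day expiry described in the quoted reply. Node d2, the function names and the units (days for password_expiration, hours for password_change_interval) are assumptions.

```python
"""Audit BMC password policy from `nodeconfig <noderange> bmc` output (added example)."""

# Constructed sample: the d1 values are from the thread, d2 is hypothetical.
SAMPLE = """\
# nodeconfig d1,d2 bmc
d1: bmc.ipv4_gateway:
d1: bmc.password_change_interval: 0
d1: bmc.password_complexity: 1
d1: bmc.password_expiration: 90
d1: bmc.password_min_length: 10
d2: bmc.password_change_interval: 24
d2: bmc.password_expiration: 0
d2: bmc.password_min_length: 12
"""

def parse_nodeconfig(text):
    """Return {node: {setting: value}} for the bmc.password_* lines."""
    nodes = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if line.startswith("#") or len(parts) != 3:
            continue  # prompt line, or not of the form "node: key: value"
        node, key, value = (p.strip() for p in parts)
        if key.startswith("bmc.password_"):
            nodes.setdefault(node, {})[key[len("bmc.password_"):]] = value
    return nodes

def audit(policy, candidate_length):
    """List the settings that would break an automated password change."""
    def num(name):
        value = policy.get(name, "")
        return int(value) if value.isdigit() else 0  # empty or missing counts as 0

    findings = []
    if num("expiration") > 0:  # assumed unit: days
        findings.append("expires after %d days" % num("expiration"))
    if candidate_length < num("min_length"):
        findings.append("candidate shorter than min_length %d" % num("min_length"))
    if num("change_interval") > 0:  # assumed unit: hours
        findings.append("second change blocked for %d hours" % num("change_interval"))
    return findings

def audit_all(text, candidate_length):
    """Audit every node found in the nodeconfig output."""
    return {n: audit(p, candidate_length) for n, p in parse_nodeconfig(text).items()}

if __name__ == "__main__":
    for node, findings in audit_all(SAMPLE, 10).items():
        print(node, "; ".join(findings) or "ok")
```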