Setting the password

Learn how to change and set the password for your root account and to help secure the system.

Improved BMC password policy

The baseboard management controller (BMC) root password must be set on first use for newly manufactured systems or after performing a factory reset of the system. This policy change helps to enforce that the BMC is not left in a state with a well-known password.

In firmware level OP940.01 and later, the root password is expired and must be changed before you can access the functions of the BMC. However, if you are upgrading the firmware from a previous OpenBMC firmware level or if you are performing an operational installation, you do not have to change the password.

The default user ID is root and the default password is 0penBmc. You can use the web application, the Redfish REST APIs, or the OpenBMC tool command to change the password. After changing the password, you can access the BMC with your usual interface. To change the password, you must first access the account with the correct credentials, and then use the password change function. If you attempt to access the BMC with an expired password, you must change the password before accessing other functions.
  • To change your expired password by using the web interface, enter https://<BMC_IP> into a web browser and then enter the access credentials of the BMC. The web interface prompts you to enter a new password.
  • To change your expired password through a network interface, you can use Redfish APIs. For instructions, see Managing the system by using DMTF Redfish APIs.
  • To change your expired password by using the OpenBMC tool, run the openbmctool set_password subcommand. For example:
    openbmctool.py -H <BMC IP address or BMC host name> -U <username> -P <password> set_password -p <new password>
    Attempting login...
    200
    User root has been logged out
    Here, 200 is the HTTP response status that indicates success.
Note: The system might take up to 5 minutes to update the new password on the BMC. If you have trouble accessing your account, wait for 5 minutes and try again.

Also, with firmware level OP940.01, the BMC factory reset function resets the BMC password back to its default value and marks the default password as expired. As a result, after you perform a factory reset you must change the password before you can access the BMC, even if you upgraded from an older firmware level.

To increase account security of the system, the administrator must complete the following steps:
  1. Set a strong password for the root account. Strong passwords have at least 15 characters and include nonalphabetic characters. Initially, the password must not exceed 20 characters. Passwords can be changed later to a length greater than 20 characters, but IPMI access will be removed. Avoid using the root account, as the root account has more access to the BMC than an Administrator account. The root account can present a security risk if it is used incorrectly or maliciously. Use the root account only when it is required.
  2. Create a separate account for each entity to manage the system. For example, you can create an Administrator account for yourself and for xCat, and create an Operator account for your staff. You can use the web interface or Redfish APIs to create a new account. When you create a new account, carefully consider which privilege role to assign to the user. Always use the least privilege role that is required.

    If your BMC is using Lightweight Directory Access Protocol (LDAP), you can add users to the LDAP server.

  3. Log off from the root account and switch to your personal Administrator account.
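The following script is an added example, not code from IBM's documentation or from the OpenBMC project. It ties together the Redfish password change described above and the password rules in step 1: it checks a candidate password against those rules (15 characters minimum, at least one nonalphabetic character, 20 characters maximum while IPMI access is still wanted), then logs in over Redfish, PATCHes the account's password and deletes the session. The Redfish paths, the X-Auth-Token header and the injectable send hook are assumptions about a standard Redfish session service; the TLS context is the system default, so load the BMC's CA certificate into it rather than disabling verification.

```python
"""Rotate an OpenBMC account password over Redfish (added example).
Assumed endpoints: POST /redfish/v1/SessionService/Sessions for login
(returns X-Auth-Token and Location headers) and
PATCH /redfish/v1/AccountService/Accounts/<user> with {"Password": ...}."""
import json
import ssl
import urllib.request

MIN_LEN = 15       # page rule: strong passwords have at least 15 characters
IPMI_MAX_LEN = 20  # page rule: more than 20 characters removes IPMI access


def check_password_policy(pw: str, keep_ipmi: bool = True) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if all(c.isalpha() for c in pw):
        problems.append("contains no nonalphabetic character")
    if keep_ipmi and len(pw) > IPMI_MAX_LEN:
        problems.append(f"longer than {IPMI_MAX_LEN} characters; IPMI access would be removed")
    return problems


def _http(method, url, body=None, headers=None, ctx=ssl.create_default_context()):
    """Minimal JSON transport; returns (status, response headers, parsed body)."""
    data = None if body is None else json.dumps(body).encode()
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req, context=ctx) as resp:  # verifies the BMC cert
        return resp.status, resp.headers, json.loads(resp.read() or b"{}")


def rotate_password(bmc, user, old_pw, new_pw, send=_http):
    """Log in with the current (possibly expired) password, set the new one,
    then drop the session. Returns the HTTP status of the PATCH (200 = success)."""
    problems = check_password_policy(new_pw)
    if problems:
        raise ValueError("rejected new password: " + "; ".join(problems))
    base = f"https://{bmc}"
    status, hdrs, _ = send("POST", f"{base}/redfish/v1/SessionService/Sessions",
                           {"UserName": user, "Password": old_pw}, None)
    if status not in (200, 201):
        raise RuntimeError(f"login failed with HTTP {status}")
    auth = {"X-Auth-Token": hdrs.get("X-Auth-Token")}
    status, _, _ = send("PATCH", f"{base}/redfish/v1/AccountService/Accounts/{user}",
                        {"Password": new_pw}, auth)
    session = hdrs.get("Location")  # e.g. /redfish/v1/SessionService/Sessions/<id>
    if session:
        send("DELETE", f"{base}{session}", None, auth)  # don't leave the token live
    return status
```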

To increase the security of the system, the administrator can optionally configure access to the LDAP server. For more information, see Basic commands and functionality of the OpenBMC tool.