Setting the password
Learn how to change and set the password for your root account and to help secure the system.
Improved BMC password policy
The baseboard management controller (BMC) root password must be set on first use for newly manufactured systems or after performing a factory reset of the system. This policy change helps to enforce that the BMC is not left in a state with a well-known password.
In firmware level OP940.01, and later, the root password is expired and must be changed before you can access the functions of the BMC. However, if you are upgrading the firmware level from a previous OpenBMC firmware level or if you are performing an operational installation, you do not have to change the password.
The default user name is root and the default password is 0penBmc. You can use the web application, the Redfish REST APIs, or the OpenBMC tool command to change the password. After changing the password, you can access the BMC with your usual interface. To change the password, you must first access the account with the correct credentials, and then use the password change function. If you attempt to access the BMC with an expired password, you must change the password before accessing other functions.
- To change your expired password by using the web interface, enter https://<BMC_IP> into a web browser and then enter the access credentials of the BMC. The web interface prompts you to enter a new password.
- To change your expired password through a network interface, you can use Redfish APIs. For instructions, see Managing the system by using DMTF Redfish APIs.
- To change your expired password by using the OpenBMC tool, run the openbmctool set_password subcommand. For example,
    openbmctool.py -H <BMC IP address or BMC host name> -U <username> -P <password> set_password -p <new password>
    Attempting login...
    200
    User root has been logged out
  Where 200 is the response status that indicates success.
Also, with firmware level OP940.01, the BMC factory reset function resets the BMC password back to its default value and causes the default password to expire. This means that after you perform the factory reset, you must change the password before you can access the BMC (even if you upgraded from an older firmware level).
- Set a strong password for the root account. Strong passwords have at least 15 characters and include nonalphabetic characters. Initially, the password must not exceed 20 characters. Passwords can be changed later to a length greater than 20 characters, but IPMI access will be removed. Avoid using the root account, as the root account has more access to the BMC than an Administrator account. The root account can present a security risk if it is used incorrectly or maliciously. Use the root account only when it is required.
- Create a separate account for each entity to manage the system. For example, you can create an Administrator account for yourself and for xCAT, and create an Operator account for your staff. You can use the web interface or Redfish APIs to create a new account. When you create a new account, carefully consider which privilege role to assign to the user. Always use the least privilege role that is required.
  - To create a new account by using the web interface, see Local users.
  - To create a new account by using the Redfish APIs, see Managing the system by using DMTF Redfish APIs.
  If your BMC is using Lightweight Directory Access Protocol (LDAP), you can add users to the LDAP server.
- Log off from the root account and switch to your personal Administrator account.
To increase the security of the system, the administrator can optionally configure access to the LDAP server. For more information, see Basic commands and functionality of the OpenBMC tool.
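The following is an added example, not code from the original page or from OpenBMC. It checks a candidate root password against the guidance above (at least 15 characters, a nonalphabetic character, at most 20 characters while IPMI access is needed, not the default) and then builds the Redfish request that would set it. The account path is the standard DMTF ManagerAccount location and is an assumption for this firmware; the host name and passwords are constructed placeholders.

```python
import base64
import json
import urllib.request

DEFAULT_PASSWORD = "0penBmc"  # factory default named on this page
MIN_LEN = 15                  # "at least 15 characters"
IPMI_MAX_LEN = 20             # longer passwords remove IPMI access


def password_problems(candidate, keep_ipmi=True):
    """Return the reasons a candidate fails this page's password guidance."""
    problems = []
    if candidate == DEFAULT_PASSWORD:
        problems.append("is the well-known default password")
    if len(candidate) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if all(ch.isalpha() for ch in candidate):
        problems.append("contains no nonalphabetic characters")
    if keep_ipmi and len(candidate) > IPMI_MAX_LEN:
        problems.append(f"longer than {IPMI_MAX_LEN} characters (IPMI access would be removed)")
    return problems


def build_password_change(bmc_host, user, current_password, new_password, keep_ipmi=True):
    """Build, without sending, the Redfish PATCH that sets a new password."""
    problems = password_problems(new_password, keep_ipmi)
    if problems:
        raise ValueError("new password " + "; ".join(problems))
    # Assumption: standard DMTF ManagerAccount path; confirm for your firmware.
    url = f"https://{bmc_host}/redfish/v1/AccountService/Accounts/{user}"
    basic = base64.b64encode(f"{user}:{current_password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps({"Password": new_password}).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {basic}"},
    )


if __name__ == "__main__":
    # Constructed sample values; bmc.example.test is a placeholder host.
    for pw in ("0penBmc", "correcthorsebatterystaple", "Blue-Harbor-42-Kite"):
        print(repr(pw), "->", password_problems(pw) or "ok")
    req = build_password_change("bmc.example.test", "root", "0penBmc", "Blue-Harbor-42-Kite")
    print(req.get_method(), req.full_url)
```

Passing the returned request to urllib.request.urlopen sends it; the client must trust the BMC's TLS certificate for that call to succeed.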