As I'm looking at the code now, I think I can hammer out permsgauth
support in the tools pretty quick. Gimme a day or so.
On Thu, 2007-04-19 at 15:51 -0700, Al Chu wrote:
> Hi Levi,
> On Thu, 2007-04-19 at 13:21 -0600, Levi Pearson wrote:
> > I'd like to work with the core developers so that any fixes and new
> > features we make are acceptable to you, so we don't have to maintain a
> > separate branch.
> Sounds good. Glad to have additional support from others.
> > With ipmiconsole, I discovered that the internal handling of the Kg key
> > is done with string manipulation functions, and that there is also an
> > off-by-one error.
> I thought I had caught every corner case. But perhaps not :-) Just
> point me in the right direction, I'd be glad to get it fixed.
> > I'd like the ability to enter the key in hexadecimal
> > and have it treated as a 20-byte binary field instead of a string, which
> > matches how the key is handled in the Dell utilities.
> I faced a similar issue/dilemma early on. Honestly, I went with strings
> b/c it was easier. Perhaps a patch for bmc-config, ipmipower, and
> ipmiconsole would be best. Not sure how to do it for bmc-config.
> Perhaps two options. One for strings and one for hex?? Hmmm...
> comments anyone else?
> > I'd also like to integrate libfreeipmi with conman, and I'd appreciate
> > hearing if anything has been done in that direction yet.
> Chris Dunlap (author of Conman) sits down the hall from me. There is
> support w/ ipmiconsole (in a soon to be released Conman), where Conman
> runs it in a separate process. Conman 2.0 is planned for integration
> with libipmiconsole (which uses libfreeipmi). I'm unsure of the
> timeline. How about starting a thread in the conman mailing list, and
> we can discuss it more in there along w/ Chris.
> > With the exception of ipmipower and ipmiconsole, the FreeIPMI utilities
> > have issues dealing with having Per-Message Authentication and
> > User-Level Authentication disabled.
> I could have swore it did. But looking through the code in FreeIPMI 2.0
> and 3.0, it doesn't seem to be there.
> > nor does there seem to be an option to change it in bmc-config yet.
> It should be supported for you guys. The fields to configure it are:
> Volatile_Enable_User_Level_Auth Yes
> Volatile_Enable_Per_Message_Auth Yes
> and there are non-volatile equivalents too.
> Do you not see these when you run bmc-config --checkout? It's possible
> Dell did not make them readable/writeable.
> Do you have to run ipmipower with the --check-unexpected-authcode
> option? I'm wondering if these Dells have the same problems that led me
> to write that workaround.
> > I've done some investigation into the best place to put checks for those
> > options. Right now, it seems like the best way would be to have
> > ipmi_cmd_get_channel_authentication_capabilities set some flags or new
> > struct members in the ipmi_device_t that is passed to it. Then,
> > ipmi_lan_open_session could change the authentication type in the
> > ipmi_device_t to NONE after it finishes authenticating the session (if
> > the appropriate flags are set, of course, and barring the need for the
> > workaround present in ipmipower). Any thoughts on this?
> I admit I haven't looked at this code in quite some time, so I could be
> wrong on the best approach. I thikn the best way is to add two things
> into the ipmi_device_t.
> 1) flag indicating per_msg_auth set/unset
> 2) a "state" variable indicating what state the lan session is in. (i.e.
> get auth caps, get session challenge, activate session, set session
> privilege, fully activated session, close session). This could be a set
> of enums in ipmi-udm-device.h.
> Then, within _ipmi_lan_cmd_send(), depending on the flags and state, use
> a different authentication type/password/etc as needed.
> Then in ipmi_lan_cmd(), based on the flags and state, adjust the check
> authentication field appropriately.
> Sound good?
> I might be able to find time to do it soon. But given I haven't looked
> at this in awhile, you might be ahead of me in finishing it :-)
> Since I would consider this a bug rather than a feature, I think it
> should go into the 0.3.X line and released in 0.3.3 as a bug fix. Same
> with the new options for a hex based input.
> > We'd also like some more extensive PEF configuration options in
> > bmc-config, but I haven't looked into that with any detail yet.
> Bala is currently working on an ipmi-pef tool for PEF configuration. It
> was supposed to be done quite some time ago, but other projects of his
> have taken him away from it. He thinks he'll be able to work on it full
> time starting Friday. Perhaps if workload can be split, and you have
> time, you guys could collaborate on it? I'll let Bala speak on the
> mailing list concerning that.
> > Anyway, thanks for the excellent software, and let me know what you
> > think about my ideas above.
> > --Levi
> > _______________________________________________
> > Freeipmi-devel mailing list
> > Freeipmiemail@example.com
> > http://lists.gnu.org/mailman/listinfo/freeipmi-devel
High Performance Systems Division
Lawrence Livermore National Laboratory
Freeipmi-devel mailing list