> I'd love to hear about the vendors that do have this on or off by
> default.

I know I've seen some vendors not disable it by default (and did not
disable IPMI 1.5's "none" authentication), but I can't recall who.

A random thought/comment. I do know many vendors do not write their own
IPMI firmware, it usually comes from another company. I have this
feeling that many of the defaults actually come from the common "parent"
of the firmware, not the vendor itself.

Al

On Fri, 2013-02-22 at 07:53 -0800, dan farmer wrote:
> Many may know this… but it came as a bit of news to me to actually
> *see* it in the wild. I came across this while working on my little
> audit tool of the config stuff I'd posted here.
>
> The short version - everyone here probably knows that Cipher Zero is
> the first Cipher in the IPMI 2.0 spec. It allows you to authenticate
> to IPMI without a password - in other words, it's really no cipher at
> all, or the un-cipher. It removes all security from IPMI. But who
> cares, really? Surely vendors wouldn't turn this on by default, would
> they? Well… it's enabled on my Dell (iDRAC 6), HP (iLO 3), and
> Supermicro. That's all the systems I have access to, presumably there
> are more.
>
> Longer version: let's see, to belabor the obvious, to execute an IPMI
> command, you can use good ol' bmc-config with the proper authentication:
>
> $ bmc-config -D LAN_2_0 -I 0 -v -u root -p calvin -h 10.0.0.1 --checkout|grep -i cipher_suite_id_0
> Maximum_Privilege_Cipher_Suite_Id_0 Administrator
>
> You know, that line of output is not good. How not good is "not good"? Well,
> let's try it again... this time with "FluffyWabbit" as the password:
>
> $ bmc-config -D LAN_2_0 -I 0 -v -u root -p FluffyWabbit -h 10.0.0.1 --checkout|grep -i cipher_suite_id_0
> Maximum_Privilege_Cipher_Suite_Id_0 Administrator
>
> I guess this is neat. Or sad. Or something.
> You can try other passwords to
> verify FluffyWabbit isn't some vendor hardcoded backdoor ;)
>
> I believe that IBM, as of the M2/Nehalem generation, has essentially
> abolished cipher zero through the efforts of Jarred B Johnson (kudos
> to both!) I'm not sure who else still has this going on… but you might
> check your own boxes. I'd love to hear about the vendors that do have
> this on or off by default.
>
>
> Disclaimer - various versions of the IPMI utilities - including bmc-config -
> do not work correctly with cipher 0 and will fail; this misled me early on in
> testing my own boxes. The latest version of freeipmi seems to work on all the
> ones I've tested, at least; make sure you have downloaded the latest copy and
> try this to verify good ol' cipher 0 is still around.
>
> Most commands say they support cipher zero, but ensure you have the latest
> version, because bugs abound out there in the tools and/or in the BMCs.
> Here's a couple of more ways to see if this is enabled:
>
> $ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U admin -P FluffyWabbit lan print
>
> $ ipmiutil lan -J 0 -N 10.0.0.1 -U admin -P FluffyBunny
>
> Ipmiutil has a nice printing of the results - anything in the RMCP+ line that
> looks zero-ish is bad :)
>
> $ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U root -P calvin lan print
> Set in Progress         : Set Complete
> Auth Type Support       : NONE MD2 MD5 PASSWORD
> Auth Type Enable        : Callback : MD2 MD5
>                         : User     : MD2 MD5
>                         : Operator : MD2 MD5
>                         : Admin    : MD2 MD5
>                         : OEM      :
> IP Address Source       : Static Address
> IP Address              : 192.168.0.23
> Subnet Mask             : 255.255.255.0
> MAC Address             : 14:fe:b5:c7:df:28
> SNMP Community String   : public
> IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
> Default Gateway IP      : 192.168.0.1
> Default Gateway MAC     : 00:00:00:00:00:00
> Backup Gateway IP       : 0.0.0.0
> Backup Gateway MAC      : 00:00:00:00:00:00
> 802.1q VLAN ID          : Disabled
> 802.1q VLAN Priority    : 0
> RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
> Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
>                         :     X=Cipher Suite Unused
>                         :     c=CALLBACK
>                         :     u=USER
>                         :     o=OPERATOR
>                         :     a=ADMIN
>                         :     O=OEM
>
> -- d
>
> ^..^
>
> _______________________________________________
> Freeipmi-devel mailing list
> [email protected]
> https://lists.gnu.org/mailman/listinfo/freeipmi-devel
--
Albert Chu
[email protected]
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
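
Added example, not part of the original thread or of any IPMI tool: a Python check that reads saved `ipmitool ... lan print` output in the format quoted above and reports whether cipher suite 0 is usable and whether IPMI 1.5 auth type NONE is enabled. The function names and the trimmed sample are constructed here, and the code assumes the nth privilege letter belongs to the nth listed cipher suite.

```python
import re

# Privilege letters from the legend printed by `ipmitool lan print`.
PRIV = {"X": "UNUSED", "c": "CALLBACK", "u": "USER",
        "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

def cipher_suite_privs(lan_print):
    """Return {cipher suite ID: max privilege} from `lan print` text."""
    ids = re.search(r"^RMCP\+ Cipher Suites\s*:\s*([0-9, ]+)$", lan_print, re.M)
    privs = re.search(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]+)\s*$", lan_print, re.M)
    if not ids or not privs:
        raise ValueError("cipher suite lines not found")
    suites = [int(s) for s in ids.group(1).split(",") if s.strip()]
    # Assumption: the nth privilege letter applies to the nth listed suite.
    return {s: PRIV[p] for s, p in zip(suites, privs.group(1))}

def none_auth_levels(lan_print):
    """Return privilege levels where IPMI 1.5 auth type NONE is enabled."""
    levels, in_block = [], False
    for line in lan_print.splitlines():
        if line.startswith("Auth Type Enable"):
            in_block, line = True, line.split(":", 1)[1]
        elif in_block and line.lstrip().startswith(":"):
            line = line.lstrip()[1:]          # continuation row of the block
        else:
            in_block = False
            continue
        level, _, types = line.partition(":")
        if "NONE" in types.split():
            levels.append(level.strip())
    return levels

def audit(lan_print):
    findings = []
    zero = cipher_suite_privs(lan_print).get(0, "UNUSED")
    if zero != "UNUSED":
        findings.append(f"cipher suite 0 enabled, max privilege {zero}")
    for level in none_auth_levels(lan_print):
        findings.append(f"auth type NONE enabled for {level}")
    return findings

# Constructed sample, trimmed from the output quoted in the thread.
SAMPLE = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
"""
```

Calling `audit(SAMPLE)` returns one finding for cipher suite 0 at ADMIN; an empty list means neither condition was seen in that output.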
