Al,

Just wanted to add this response of yours to the list as well for posterity. Thanks for your help!

Best,
Devon

On 10/27/22 5:46 PM, Al Chu11 wrote:
Hey Devon,

Ooops, I didn't reply to the list. I'll do so for people googling in the future.

But I can add this to the documented list of bugs / workarounds. The error returned from the board is just really bad:

#define RMCPPLUS_STATUS_NO_CIPHER_SUITE_MATCH_WITH_PROPOSED_SECURITY_ALGORITHMS 0x11
#define RMCPPLUS_STATUS_NO_CIPHER_SUITE_MATCH_WITH_PROPOSED_SECURITY_ALGORITHMS_STR \
  "No Cipher Suite match with proposed security algorithms."

Would be better / lead us to the correct solution faster.

> I do not see anything for cipher suite 17 in the above.

Doh! It ends up I don't support reading 16/17 in bmc-config b/c

"/* achu: Can't support this config until IPMI spec is updated. Yeah, it sucks */"

but that was a few years ago. I should probably double check if it is supported now.

The story is sort of stupid, but cipher suite 16/17 were uhhh "stealthily" introduced into IPMI implementations in the wild BEFORE they mentioned it in the IPMI specification. As of a few years ago, it still wasn't documented. Only reason it's in FreeIPMI is b/c a vendor who is trusted with good patches introduced it, so it was sort of added based on trust from said vendor.

Glad it's working!

Al

On 10/27/22 16:23, Bautista, Devon Thomas wrote:

Al,

Not sure if you meant to post on the list as well.

> Could you try cipher suite 17 via "-I 17". FreeIPMI defaults to cipher suite 3. Perhaps your motherboard requires users to use the newer / more secure cipher suite 17 only and the error it returns is just a bad one. May want to try "-l admin" as well in combination if it doesn't work.

Adding "-I 17" did the trick:

$ ipmipower -D LAN_2_0 -h host-bmc -u admin -p $PWORD -I 17
ipmipower> stat
host-bmc: on

I didn't even have to add "-l ADMIN", though I would think that that would be needed for other functions besides checking the power status.

> May be interesting to see what `bmc-config --checkout --section Rmcpplus_Conf_Privilege` on the remote machine outputs too. See if they disable a number of cipher suites.

This is curious (output from remote host):

$ bmc-config --checkout --section Rmcpplus_Conf_Privilege
#
# Section Rmcpplus_Conf_Privilege Comments
#
# If your system supports IPMI 2.0 and Serial-over-LAN (SOL),cipher suite IDs
# may be configurable below. In the Rmcpplus_Conf_Privilege section, maximum
# user privilege levels allowed for authentication under IPMI 2.0 (including
# Serial-over-LAN) are set for each supported cipher suite ID. Each cipher suite
# ID supports different sets of authentication, integrity, and encryption
# algorithms for IPMI 2.0. Typically, the highest privilege level any username
# configured should set for support under a cipher suite ID. This is typically
# "Administrator".
#
Section Rmcpplus_Conf_Privilege
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_1 Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_2 Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_3 Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_6 Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_7 Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_8 Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_11 Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_12 Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_15 Unused
EndSection

I do not see anything for cipher suite 17 in the above.

> Side note: would be curious if `bmc-info -h ... -u ... -p ....` works / doesn't work as well. Just to make sure it's not a bug specific to ipmipower.

Looks like it is not specific to ipmipower:

$ bmc-info -D LAN_2_0 -h host-bmc -u admin -p $PWORD
ipmi_ctx_open_outofband_2_0: BMC busy

$ bmc-info -D LAN_2_0 -h host-bmc -u admin -p $PWORD -I 17
Device ID : 34
Device Revision : 1
Device SDRs : unsupported
Firmware Revision : 2.89
Device Available : yes (normal operation)
IPMI Version : 2.0
Sensor Device : supported
SDR Repository Device : supported
SEL Device : supported
FRU Inventory Device : supported
IPMB Event Receiver : supported
IPMB Event Generator : unsupported
Bridge : unsupported
Chassis Device : supported
Manufacturer ID : Intel Corporation (343)
Product ID : 152
Auxiliary Firmware Revision Information : 7E3B728Bh

Device GUID : ba922c2e-9b0e-8347-5586-d7428bea0474

System GUID : 123d8901-bfa4-c79b-eb11-51dd801ff599

Channel Information

Channel Number : 0
Medium Type : IPMB (I2C)
Protocol Type : IPMB-1.0
Active Session Count : 0
Session Support : session-less
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 1
Medium Type : 802.3 LAN
Protocol Type : IPMB-1.0
Active Session Count : 15
Session Support : multi-session
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 2
Medium Type : 802.3 LAN
Protocol Type : IPMB-1.0
Active Session Count : 0
Session Support : multi-session
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 3
Medium Type : 802.3 LAN
Protocol Type : IPMB-1.0
Active Session Count : 0
Session Support : multi-session
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 5
Medium Type : OEM
Protocol Type : IPMB-1.0
Active Session Count : 0
Session Support : session-less
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 6
Medium Type : IPMB (I2C)
Protocol Type : IPMB-1.0
Active Session Count : 0
Session Support : session-less
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 7
Medium Type : System Interface (KCS, SMIC, or BT)
Protocol Type : KCS
Active Session Count : 0
Session Support : session-less
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 8
Medium Type : OEM
Protocol Type : IPMB-1.0
Active Session Count : 0
Session Support : session-less
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 9
Medium Type : IPMB (I2C)
Protocol Type : IPMB-1.0
Active Session Count : 0
Session Support : session-less
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 10
Medium Type : IPMB (I2C)
Protocol Type : IPMB-1.0
Active Session Count : 0
Session Support : session-less
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 208
Medium Type : unknown
Protocol Type : unknown
Active Session Count : 49
Session Support : unknown
Vendor ID : 722393994

Channel Number : 157
Medium Type : OEM
Protocol Type : Reserved
Active Session Count : 0
Session Support : unknown
Vendor ID : Corp. Hostarica (22059)

Channel Number : 157
Medium Type : OEM
Protocol Type : Reserved
Active Session Count : 0
Session Support : unknown
Vendor ID : consistec Engineering & Consulting GmbH (32669)

Thank you, Al!

Regards,
Devon

On 10/27/22 4:41 PM, Al Chu11 wrote:

Ahhh it did remind me of something.

Using best available cipher suite 17

Could you try cipher suite 17 via "-I 17". FreeIPMI defaults to cipher suite 3. Perhaps your motherboard requires users to use the newer / more secure cipher suite 17 only and the error it returns is just a bad one. May want to try "-l admin" as well in combination if it doesn't work.

May be interesting to see what `bmc-config --checkout --section Rmcpplus_Conf_Privilege` on the remote machine outputs too. See if they disable a number of cipher suites.

Side note: would be curious if `bmc-info -h ... -u ... -p ....` works / doesn't work as well. Just to make sure it's not a bug specific to ipmipower.

Al
_______________________________________________
Freeipmi-users mailing list
Freeipmi-users@gnu.org
https://lists.gnu.org/mailman/listinfo/freeipmi-users
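
Added example (not part of the original thread and not FreeIPMI code): a small Python parser for `bmc-config --checkout --section Rmcpplus_Conf_Privilege` output that reports which cipher suite IDs are listed, which are enabled, and whether ID 17 appears at all. Both sample outputs are constructed (the first mirrors the IDs and values quoted in the thread), and the function names are illustrative.

```python
import re

KEY_RE = re.compile(r"^\s*Maximum_Privilege_Cipher_Suite_Id_(\d+)\s+(\S+)\s*$")

# Constructed sample, modelled on the checkout output quoted in the thread:
# nine cipher suite IDs listed, every one set to Unused, no key for ID 17.
SAMPLE_ALL_UNUSED = "\n".join(
    ["Section Rmcpplus_Conf_Privilege"]
    + ["\t## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary\n"
       f"\tMaximum_Privilege_Cipher_Suite_Id_{i}    Unused"
       for i in (1, 2, 3, 6, 7, 8, 11, 12, 15)]
    + ["EndSection"]
)

# Constructed sample of a hypothetical BMC with some suites enabled.
SAMPLE_MIXED = """\
Section Rmcpplus_Conf_Privilege
	Maximum_Privilege_Cipher_Suite_Id_0    Unused
	Maximum_Privilege_Cipher_Suite_Id_3    Administrator
	# Maximum_Privilege_Cipher_Suite_Id_8  Operator
	Maximum_Privilege_Cipher_Suite_Id_17   Administrator
EndSection
"""

def parse_privileges(text):
    """Return {cipher_suite_id: max_privilege} from the section's key lines."""
    privs, in_section = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines, help comments and commented-out keys
        if stripped.split() == ["Section", "Rmcpplus_Conf_Privilege"]:
            in_section = True
        elif stripped == "EndSection":
            in_section = False
        elif in_section:
            m = KEY_RE.match(line)
            if m:
                privs[int(m.group(1))] = m.group(2)
    return privs

def summarize(text, suite=17):
    """Summarize listed and enabled suite IDs, and whether `suite` is listed."""
    privs = parse_privileges(text)
    return {
        "listed": sorted(privs),
        "enabled": sorted(i for i, p in privs.items() if p != "Unused"),
        "suite_listed": suite in privs,
    }

if __name__ == "__main__":
    for name, sample in (("all-unused", SAMPLE_ALL_UNUSED), ("mixed", SAMPLE_MIXED)):
        print(name, summarize(sample))
```

A suite ID missing from the listing only means bmc-config did not report it; in the thread the BMC accepted `-I 17` although no key for ID 17 was listed.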