Fred,

I'm not sure if this is the cause, but I do see a security hole in your IPMI LAN configuration, under LAN Parameter 2 (Auth Type Enables):

>                         : User     : NONE MD2 MD5 PASSWORD
>                         : Operator : NONE MD2 MD5 PASSWORD
>                         : Admin    : NONE MD2 MD5 PASSWORD
>                         : OEM      : NONE MD2 MD5 PASSWORD

That should omit the "NONE" bit in this case for all 4 bytes. (i.e. 0x17 -> 0x16)
Can you try changing that in the server IPMI LAN configuration?

Andy

-----Original Message-----
From: Fred Tyler [mailto:fred...@gmail.com]
Sent: Tuesday, April 14, 2009 8:36 PM
To: Andy Cress; Ipmitool-devel@lists.sourceforge.net
Subject: Re: [Ipmitool-devel] IPMI lanplus connection using -C0 does not require password

> It sounds like you have the default (null) user enabled with no password
> for the lan channel.
> You would want to disable the null user (user 1) for that channel. Or,
> you could add a password to that user if you prefer. Even with Cipher
> Suite 0, the password would be MD5 hashed.
>     ipmitool user list 1
> would show the users for channel 1, if your ipmi lan is on channel 1.
>     ipmitool user disable 1
> would disable user 1, the null user.

I have tried assigning user #1 and also the lan channel password using the following commands: (This is a different machine where the lan channel is 2):

$ ipmitool user set password 1 XYZ
$ ipmitool lan set 2 password XYZ

But still if I run the command with -C0 and a blank password, it works:

$ ipmitool -C0 -I lanplus -H 192.168.1.21 chassis power status
Password:
Chassis Power is on

If I run it without -C at all (which the man page says defaults to -C3), or with "-C1" or "-C2" or "-C3", then it requires that I type the correct password. But with "-C0" it allows me to enter a blank password.

What am I missing?

> -----Original Message-----
> From: Fred Tyler [mailto:fred...@gmail.com]
> Sent: Tuesday, April 14, 2009 7:54 PM
> To: ipmitool-devel@lists.sourceforge.net
> Subject: [Ipmitool-devel] IPMI lanplus connection using -C0 does not require password
>
> Hi, I don't know how this has happened, but I can run ipmitool
> commands on a remote machine without a password if I specify -C0 on
> the command line.
>
> Here's the lan configuration of the server running IPMI:
>
> ==============================
>
> r...@server$ ipmitool lan print 6
> Set in Progress         : Set Complete
> Auth Type Support       : NONE MD2 MD5 PASSWORD
> Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
>                         : User     : NONE MD2 MD5 PASSWORD
>                         : Operator : NONE MD2 MD5 PASSWORD
>                         : Admin    : NONE MD2 MD5 PASSWORD
>                         : OEM      : NONE MD2 MD5 PASSWORD
> IP Address Source       : Static Address
> IP Address              : 192.168.1.21
> Subnet Mask             : 255.255.255.0
> MAC Address             : 00:a0:d1:e2:b5:fe
> SNMP Community String   : public
> IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
> BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
> Gratituous ARP Intrvl   : 2.0 seconds
> Default Gateway IP      : 192.168.1.1
> Default Gateway MAC     : 00:1c:bf:25:b7:70
> Backup Gateway IP       : 0.0.0.0
> Backup Gateway MAC      : 00:00:00:00:00:00
> 802.1q VLAN ID          : Disabled
> 802.1q VLAN Priority    : 0
> RMCP+ Cipher Suites     : 0,1,2,3
> Cipher Suite Priv Max   : Not Available
>
> =====================================
>
> When I do not specify "-C", and I enter a blank password, I get an
> "Unable to establish IPMI v2 RMCP+ session" error.
>
> However, here is the output of the IPMI command where I specify -C0 on
> the command line and enter a blank password:
>
> ======================================
>
> $ ipmitool -C0 -I lanplus -H 192.168.1.21 chassis status
> Password:
> System Power         : on
> Power Overload       : false
> Power Interlock      : inactive
> Main Power Fault     : false
> Power Control Fault  : false
> Power Restore Policy : always-off
> Last Power Event     : ac-failed
> Chassis Intrusion    : inactive
> Front-Panel Lockout  : inactive
> Drive Fault          : false
> Cooling/Fan Fault    : false
>
> =======================================
>
> Obviously this is undesirable, as anyone could connect to the machine
> and power it off, reboot it, etc.
>
> How can I fix this?
>
> _______________________________________________
> Ipmitool-devel mailing list
> Ipmitool-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
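
An added example, not part of the original thread and not ipmitool code: a Python check that reads `ipmitool lan print` text and reports the two settings discussed above, namely privilege levels whose Auth Type Enable byte includes NONE (with the 0x17 -> 0x16 style correction) and cipher suite 0 in the RMCP+ list. The bit values follow the IPMI Authentication Type Enables layout; `SAMPLE` is constructed in the output format shown in the thread, and the function names are hypothetical.

```python
import re

# Bits of one Authentication Type Enables byte (IPMI LAN parameter 2).
AUTH_BITS = {"NONE": 0x01, "MD2": 0x02, "MD5": 0x04, "PASSWORD": 0x10, "OEM": 0x20}
AUTH_ROW = re.compile(
    r"^(?:Auth Type Enable)?\s*:\s*(Callback|User|Operator|Admin|OEM)\s*:\s*(.*)$")
CIPHER_ROW = re.compile(r"^RMCP\+ Cipher Suites\s*:\s*(.*)$")

# Constructed sample in the `ipmitool lan print` layout shown in the thread.
SAMPLE = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD5
                        : OEM      : NONE MD2 MD5 PASSWORD
RMCP+ Cipher Suites     : 0,1,2,3
"""

def encode(names):
    """Pack auth type names into the byte value stored by the BMC."""
    value = 0
    for name in names:
        value |= AUTH_BITS.get(name, 0)
    return value

def audit_lan_print(text):
    """Return (setting, detail) findings for one `lan print` dump."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        row = AUTH_ROW.match(line)
        if row:
            level, names = row.group(1), row.group(2).split()
            if "NONE" in names:
                cur = encode(names)
                fixed = cur & ~AUTH_BITS["NONE"]  # clear only the NONE bit
                findings.append((f"auth:{level}", f"0x{cur:02x} -> 0x{fixed:02x}"))
            continue
        row = CIPHER_ROW.match(line)
        # Cipher suite 0 means no authentication, integrity or encryption.
        if row and "0" in [s.strip() for s in row.group(1).split(",")]:
            findings.append(("cipher", "suite 0 offered"))
    return findings

if __name__ == "__main__":
    for setting, detail in audit_lan_print(SAMPLE):
        print(setting, detail)
```

To audit a live BMC, pass the captured text of `ipmitool lan print <channel>` to `audit_lan_print` instead of `SAMPLE`.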