You have to change your BMCs to reject cipher suite 0.  FYI, IBM servers
ship with it disabled for this very reason.

ipmitool lan set 1 cipher_privs XaaaXXXXXXXXXXX

should do it.


                                                                       
  From:       Fred Tyler <fred...@gmail.com>
  To:         ipmitool-devel@lists.sourceforge.net
  Date:       04/14/2009 07:58 PM
  Subject:    [Ipmitool-devel] IPMI lanplus connection using -C0 does not require password

Hi, I don't know how this has happened, but I can run ipmitool
commands on a remote machine without a password if I specify -C0 on
the command line.

Here's the lan configuration of the server running IPMI:

==============================

r...@server$ ipmitool lan print 6
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : NONE MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.168.1.21
Subnet Mask             : 255.255.255.0
MAC Address             : 00:a0:d1:e2:b5:fe
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 2.0 seconds
Default Gateway IP      : 192.168.1.1
Default Gateway MAC     : 00:1c:bf:25:b7:70
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : Not Available

=====================================


When I do not specify "-C", and I enter a blank password, I get an
"Unable to establish IPMI v2 RMCP+ session" error.

However, here is the output of the IPMI command where I specify -C0 on
the command line and enter a blank password:

======================================

$ ipmitool -C0 -I lanplus -H 192.168.1.21 chassis status
Password:
System Power         : on
Power Overload       : false
Power Interlock      : inactive
Main Power Fault     : false
Power Control Fault  : false
Power Restore Policy : always-off
Last Power Event     : ac-failed
Chassis Intrusion    : inactive
Front-Panel Lockout  : inactive
Drive Fault          : false
Cooling/Fan Fault    : false

=======================================


Obviously this is undesirable, as anyone could connect to the machine
and power it off, reboot it, etc.

How can I fix this?

------------------------------------------------------------------------------

This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Ipmitool-devel mailing list
Ipmitool-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
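
Added example (not part of the original thread and not ipmitool code): a Python check that reads `ipmitool lan print` output, reports whether cipher suite 0 is still usable on the channel, and builds the cipher_privs string that marks it unused. The function names and the "unverified" label are this example's own, and the sample input is constructed from the output quoted in the thread.

```python
import re

# Constructed sample: the two relevant lines of the `ipmitool lan print 6` output quoted above.
SAMPLE = """\
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : Not Available
"""

PRIV_LEN = 15  # cipher_privs takes one character per cipher suite ID 0-14


def parse_lan_print(text):
    """Return (advertised suite IDs, 15-char privilege string or None)."""
    suites, privs = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "RMCP+ Cipher Suites":
            suites = [int(s) for s in value.split(",") if s.strip().isdigit()]
        elif key == "Cipher Suite Priv Max" and re.fullmatch(r"[XcuoaO]{15}", value):
            privs = value  # "Not Available" does not match and stays None
    return suites, privs


def suite0_status(suites, privs):
    """Classify cipher suite 0 on one channel: 'ok', 'exposed' or 'unverified'."""
    if privs is None:
        # No readable privilege table: only safe if suite 0 is not advertised at all.
        return "ok" if suites and 0 not in suites else "unverified"
    # Position 0 of the string is cipher suite 0; X means "unused".
    return "ok" if privs[0] == "X" else "exposed"


def hardened_privs(suites, privs):
    """Build a cipher_privs argument with suite 0 marked unused (X)."""
    if privs is None:
        # Assumption: with no readable table, allow ADMIN on the other advertised
        # suites, which is what the string in the reply does.
        privs = "".join("a" if i in suites else "X" for i in range(PRIV_LEN))
    return "X" + privs[1:]


if __name__ == "__main__":
    suites, privs = parse_lan_print(SAMPLE)
    print("cipher suite 0:", suite0_status(suites, privs))
    print("ipmitool lan set <channel> cipher_privs", hardened_privs(suites, privs))
```

Re-run `ipmitool lan print` on the channel after applying the setting and feed the new output back through the check; a BMC that still reports "Not Available" stays "unverified" and needs a direct connection test.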
