In IPMI 2, that is not true. Cipher suite 0 has no password hash or plaintext.
Cipher suite 0, per spec, allows access to anyone who knows your usernames. I can't imagine the point of it, but that's what it is.

From: "Andy Cress" <andy.cr...@us.kontron.com>
To: "Fred Tyler" <fred...@gmail.com>, <ipmitool-devel@lists.sourceforge.net>
Date: 04/14/2009 08:26 PM
Subject: Re: [Ipmitool-devel] IPMI lanplus connection using -C0 does not require password

Fred,

It sounds like you have the default (null) user enabled with no password for the lan channel. You would want to disable the null user (user 1) for that channel. Or, you could add a password to that user if you prefer. Even with Cipher Suite 0, the password would be MD5 hashed.

ipmitool user list 1
would show the users for channel 1, if your ipmi lan is on channel 1.
ipmitool user disable 1
would disable user 1, the null user.

Andy

-----Original Message-----
From: Fred Tyler [mailto:fred...@gmail.com]
Sent: Tuesday, April 14, 2009 7:54 PM
To: ipmitool-devel@lists.sourceforge.net
Subject: [Ipmitool-devel] IPMI lanplus connection using -C0 does not require password

Hi,

I don't know how this has happened, but I can run ipmitool commands on a remote machine without a password if I specify -C0 on the command line.

Here's the lan configuration of the server running IPMI:

==============================
r...@server$ ipmitool lan print 6
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : NONE MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.168.1.21
Subnet Mask             : 255.255.255.0
MAC Address             : 00:a0:d1:e2:b5:fe
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 2.0 seconds
Default Gateway IP      : 192.168.1.1
Default Gateway MAC     : 00:1c:bf:25:b7:70
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : Not Available
=====================================

When I do not specify "-C", and I enter a blank password, I get an "Unable to establish IPMI v2 RMCP+ session" error.

However, here is the output of the IPMI command where I specify -C0 on the command line and enter a blank password:

======================================
$ ipmitool -C0 -I lanplus -H 192.168.1.21 chassis status
Password:
System Power         : on
Power Overload       : false
Power Interlock      : inactive
Main Power Fault     : false
Power Control Fault  : false
Power Restore Policy : always-off
Last Power Event     : ac-failed
Chassis Intrusion    : inactive
Front-Panel Lockout  : inactive
Drive Fault          : false
Cooling/Fan Fault    : false
=======================================

Obviously this is undesirable, as anyone could connect to the machine and power it off, reboot it, etc.

How can I fix this?

_______________________________________________
Ipmitool-devel mailing list
Ipmitool-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
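A defensive check for the configuration quoted in the original message, as an added example that is not part of the thread or of ipmitool: it parses `ipmitool lan print` output and reports whether cipher suite 0 is offered and which privilege levels accept auth type NONE. The function names and finding labels are hypothetical; the sample lines are taken from the output quoted in the thread.

```python
import re

# Sample: the relevant lines of the `ipmitool lan print` output quoted in the
# thread, laid out the way ipmitool prints them (layout reconstructed).
SAMPLE = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : NONE MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      : NONE MD2 MD5 PASSWORD
IP Address              : 192.168.1.21
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : Not Available
"""

def parse_lan_print(text):
    """Return {field: [values]}; a line with an empty key continues the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        if key.strip():
            current = key.strip()
        if current is not None:
            fields.setdefault(current, []).append(value.strip())
    return fields

def audit_lan_print(text):
    """Return hypothetical finding labels for the exposures discussed in the thread."""
    fields = parse_lan_print(text)
    findings = []
    suites = {s for v in fields.get("RMCP+ Cipher Suites", []) for s in re.findall(r"\d+", v)}
    if "0" in suites:  # suite 0 offered on this channel
        findings.append("cipher-suite-0-enabled")
    for entry in fields.get("Auth Type Enable", []):
        level, _, types = entry.partition(":")
        if "NONE" in types.split():  # this privilege level accepts auth type NONE
            findings.append("auth-none-enabled:" + level.strip())
    if fields.get("Cipher Suite Priv Max") == ["Not Available"]:
        findings.append("cipher-priv-max-not-available")  # no per-suite privilege cap reported
    return findings

if __name__ == "__main__":
    for finding in audit_lan_print(SAMPLE):
        print(finding)
```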