On Wed, Apr 15, 2009 at 10:12 AM, Andy Cress <andy.cr...@us.kontron.com> wrote:
>
> I'm not sure if this is the cause, but I do see a security hole in your IPMI 
> LAN configuration, under LAN Parameter 2 (Auth Type Enables):
>>                        : User     : NONE MD2 MD5 PASSWORD
>>                        : Operator : NONE MD2 MD5 PASSWORD
>>                        : Admin    : NONE MD2 MD5 PASSWORD
>>                        : OEM      : NONE MD2 MD5 PASSWORD
> That should omit the "NONE" bit in this case for all 4 bytes.  (i.e. 0x17 -> 
> 0x16)
> Can you try changing that in the server IPMI LAN configuration?
>

Well, I got rid of the NONE in front of 4 of them, but it won't let me
set the auth level for OEM. I get the following error:

$ ipmitool lan set 2 auth OEM md5,password
Invalid authentication level: OEM

So, this leaves me with the following:

===========================

$ ipmitool lan print 2
Password:
Set in Progress         : Set Complete
Auth Type Support       : NONE MD5 PASSWORD
Auth Type Enable        : Callback : MD5 PASSWORD
                        : User     : MD5 PASSWORD
                        : Operator : MD5 PASSWORD
                        : Admin    : MD5 PASSWORD
                        : OEM      : NONE MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.168.1.31
Subnet Mask             : 255.255.255.0
MAC Address             : 00:a0:d1:e8:63:ab
SNMP Community String   : public
Default Gateway IP      : 192.168.1.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : aaaaXXXXXXXXXXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM

===========================

And just to see what the user list looks like:

$ ipmitool user list 2
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   Operator         true    true       true       OPERATOR
3   admin            true    true       true       ADMINISTRATOR
4   OEM              true    true       true       OEM

==========================

And I've set the passwords for both user #1 and channel #2:

$ ipmitool user set password 1 XYZ
$ ipmitool lan set 2 password XYZ

============================

But still, I can connect using -C0:

$ ipmitool -C0 -I lanplus -H 192.168.1.31 chassis power status
Password:
Chassis Power is on


BTW, thanks for taking the time to look at this.

_______________________________________________
Ipmitool-devel mailing list
Ipmitool-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
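
An added example, not part of the original message or of ipmitool: a small Python check that parses `ipmitool lan print` output like the one quoted above and reports every privilege level that still has the NONE auth type enabled, plus cipher suite 0 (the suite selected by -C0) when it is enabled at some privilege level. The function name and finding labels are hypothetical, and the code assumes the i-th character of "Cipher Suite Priv Max" belongs to the i-th suite listed under "RMCP+ Cipher Suites".

```python
# Trimmed copy of the `ipmitool lan print 2` output quoted in the message above.
SAMPLE = """\
Auth Type Support       : NONE MD5 PASSWORD
Auth Type Enable        : Callback : MD5 PASSWORD
                        : User     : MD5 PASSWORD
                        : Operator : MD5 PASSWORD
                        : Admin    : MD5 PASSWORD
                        : OEM      : NONE MD5 PASSWORD
IP Address Source       : Static Address
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : aaaaXXXXXXXXXXX
                        :     X=Cipher Suite Unused
"""

# Legend letters printed by ipmitool under "Cipher Suite Priv Max".
PRIV = {"c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def audit_lan_print(text):
    """Return (finding, privilege level) tuples for one `lan print` dump."""
    findings, suites, priv_max, in_auth = [], [], "", False
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key:  # a new field starts; continuation lines have an empty key
            in_auth = key == "Auth Type Enable"
        if in_auth:
            # value looks like "OEM      : NONE MD5 PASSWORD"
            level, _, types = (p.strip() for p in value.partition(":"))
            if "NONE" in types.split():
                findings.append(("auth-none", level))
        elif key == "RMCP+ Cipher Suites":
            suites = [int(s) for s in value.split(",") if s.strip().isdigit()]
        elif key == "Cipher Suite Priv Max":
            priv_max = value
    # Assumption: the i-th flag character maps to the i-th listed suite.
    for suite, flag in zip(suites, priv_max):
        if suite == 0 and flag in PRIV:
            findings.append(("cipher-suite-0", PRIV[flag]))
    return findings


if __name__ == "__main__":
    for finding, level in audit_lan_print(SAMPLE):
        print(f"{finding}: enabled up to/for privilege level {level}")
```
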
