Hi Hank,

On Fri, 2011-01-21 at 14:02 -0800, Hank Bruning wrote:
> If you are using IPMI 2.0 RMCP sessions then you must use an OEM way
> to find which privilege level is assigned to an IPMI cipher suite.
> Often cipher suite 0 can not be used for Administrator or User roles.
> What you are asking is outside the spec. In my opinion the spec is
> faulty that a privilege level (admin, user, callback, etc.) can not be
> queried for which cipher suites that are supported. This is a major
> fail for the IPMI spec.
> Our Retuli product implements a proprietary way to do this. It's not
> widely used.
Maybe I'm missing something from the conversation, but it isn't true that an OEM way is required to find which privilege level is assigned to a cipher suite. In Table 23-4 of the IPMI spec there is support for this with "RMCP+ Messaging Cipher Suite Privilege Levels". I'm unsure if this is supported in ipmitool, but it is in FreeIPMI.

> /usr/sbin/bmc-config --checkout --section=Rmcpplus_Conf_Privilege
Section Rmcpplus_Conf_Privilege
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_0           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_1           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_2           Unused
<snip>

In the above examples, the cipher suites are currently disabled, but they can be configured to whatever you want. I've tested this on at least 4 or 5 different vendor implementations of IPMI.

Al

> Please ping Dell or Intel on your request. It's not new but more voices
> heard might move an iceberg
>
> h...@jblade.com
> IPMI Architecture Group
> JBlade
>
>
> On 01/21/2011 10:10 AM, Szabo, Steve G wrote:
> >
> > Anyone know which privilege is required when accessing ProLiant
> > BL460c G6?
> >
> > $ ipmitool -vv -I lanplus -U someguy -H somehost -P somepass channel info
> >
> > IPMI LAN host somehost port 623
> >
> > >> Sending IPMI command payload
> > >>    netfn   : 0x06
> > >>    command : 0x38
> > >>    data    : 0x8e 0x04
> >
> > >> SENDING AN OPEN SESSION REQUEST
> >
> > <<OPEN SESSION RESPONSE
> > <<  Message tag                        : 0x00
> > <<  RMCP+ status                       : no errors
> > <<  Maximum privilege level            : admin
> > <<  Console Session ID                 : 0xa0a2a3a4
> > <<  BMC Session ID                     : 0x0086219a
> > <<  Negotiated authenticatin algorithm : hmac_sha1
> > <<  Negotiated integrity algorithm     : hmac_sha1_96
> > <<  Negotiated encryption algorithm    : aes_cbc_128
> >
> > >> Console generated random number (16 bytes)
> >  42 21 af 9e be 27 90 14 c0 08 82 00 4d 86 88 65
> > >> SENDING A RAKP 1 MESSAGE
> >
> > <<RAKP 2 MESSAGE
> > <<  Message tag                   : 0x00
> > <<  RMCP+ status                  : no errors
> > <<  Console Session ID            : 0xa0a2a3a4
> > <<  BMC random number             : 0x3de07bce4ebad1deb8365f560bb22463
> > <<  BMC GUID                      : 0x3530373737394d585130313030334454
> > <<  Key exchange auth code [sha1] : 0xf102da4902ea7e1e68a2d44882b2c57fcfa70236
> >
> > session integrity key input (40 bytes)
> >  42 21 af 9e be 27 90 14 c0 08 82 00 4d 86 88 65
> >  3d e0 7b ce 4e ba d1 de b8 36 5f 56 0b b2 24 63
> >  14 06 73 79 73 6f 70 73
> > Generated session integrity key (20 bytes)
> >  ab 09 95 ee 2f 3d 08 25 20 7f 52 40 52 22 ab 4f
> >  9c e9 17 1a
> > Generated K1 (20 bytes)
> >  52 ad 59 e4 f9 14 89 ed 68 97 cc bd 5d 86 4f 0b
> >  0c 8f f9 b8
> > Generated K2 (20 bytes)
> >  8b 9e f8 b4 d7 00 f4 68 c2 34 57 fd e4 16 21 1c
> >  ac 8b d1 99
> > >> SENDING A RAKP 3 MESSAGE
> >
> > <<RAKP 4 MESSAGE
> > <<  Message tag                   : 0x00
> > <<  RMCP+ status                  : no errors
> > <<  Console Session ID            : 0xa0a2a3a4
> > <<  Key exchange auth code [sha1] : 0x6d9720c5ac3de5e28e47fedc
> >
> > IPMIv2 / RMCP+ SESSION OPENED SUCCESSFULLY
> >
> >
> > >> Sending IPMI command payload
> > >>    netfn   : 0x06
> > >>    command : 0x3b
> > >>    data    : 0x04
> >
> > Set Session Privilege Level to ADMINISTRATOR failed: Unknown (0x81)
> > Error: Unable to establish IPMI v2 / RMCP+ session
> > Unable to Get Channel Info
> >
> > Cheers
> > -------------------------------------------------------------------------
> >
> > NOTICE: Confidential message which may be privileged. Unauthorized
> > use/disclosure prohibited. If received in error, please go to
> > www.td.com/legal for instructions.
> >
> > ------------------------------------------------------------------------------
> > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> > Finally, a world-class log management solution at an even better price-free!
> > Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> > February 28th, so secure your free ArcSight Logger TODAY!
> > http://p.sf.net/sfu/arcsight-sfd2d
> >
> > _______________________________________________
> > Ipmitool-devel mailing list
> > Ipmitool-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
>

-- 
Albert Chu
ch...@llnl.gov
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
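The following is an added worked example, written for this page; it is not code from the thread, from ipmitool or from FreeIPMI. It decodes the parameter Al points to, "RMCP+ Messaging Cipher Suite Privilege Levels" (LAN configuration parameter 24, the value behind bmc-config's Rmcpplus_Conf_Privilege section), and checks it against the session in Steve's trace, which negotiated hmac_sha1 / hmac_sha1_96 / aes_cbc_128 (cipher suite 3) and then had Set Session Privilege Level 0x04 refused with completion code 0x81. Assumptions, labelled in the code as well: the nibble layout of parameter 24 as given in the IPMI 2.0 spec (one 4-bit privilege level per cipher suite, suite 0 in the low nibble of the first data byte), the spec's meaning of completion code 0x81 for Set Session Privilege Level ("requested level exceeds channel and/or user privilege limit"), ipmitool's generic `raw` subcommand for fetching the parameter, and a constructed response (not a capture) in which the unauthenticated suite 0 is allowed Administrator while suite 3 is capped at User.

```python
"""Decode and sanity-check IPMI LAN configuration parameter 24, "RMCP+
Messaging Cipher Suite Privilege Levels", and test it against a negotiated
session. Added example; not code from ipmitool, FreeIPMI or the thread.
Assumes the parameter layout of the IPMI 2.0 spec (see decode below)."""

PRIV_NAMES = {0: "Unused", 1: "Callback", 2: "User", 3: "Operator",
              4: "Administrator", 5: "OEM_Proprietary"}
# Letter legend used by `ipmitool lan print` for "Cipher Suite Priv Max".
PRIV_LETTERS = {0: "X", 1: "c", 2: "u", 3: "o", 4: "a", 5: "O"}
ADMINISTRATOR = 4

# Standard cipher suite IDs keyed by the algorithm names ipmitool -vv prints
# in the Open Session Response (SHA1 family only; others map to None).
CIPHER_SUITES = {
    ("none", "none", "none"): 0,
    ("hmac_sha1", "none", "none"): 1,
    ("hmac_sha1", "hmac_sha1_96", "none"): 2,
    ("hmac_sha1", "hmac_sha1_96", "aes_cbc_128"): 3,
}

# Constructed response (not a capture) to
#   ipmitool raw 0x0c 0x02 0x0e 0x18 0x00 0x00
# (Get LAN Configuration Parameters, current channel, parameter 24):
# suites 0..2 allowed up to Administrator, suite 3 capped at User, rest unused.
SAMPLE_RAW_OUTPUT = " 11 00 44 24 00 00 00 00 00 00"


def parse_raw_output(text):
    """Bytes from the hex dump `ipmitool raw` prints."""
    return bytes(int(tok, 16) for tok in text.split())


def decode_cipher_suite_privs(response):
    """Per-cipher-suite maximum privilege (16 entries) from a parameter 24
    response: byte 0 parameter revision, byte 1 reserved, bytes 2..9 one
    4-bit level per suite, suite 0 in the low nibble of byte 2, suite 1 in
    its high nibble, and so on up to suite 15."""
    if len(response) < 10:
        raise ValueError("parameter 24 needs a revision byte plus 9 data bytes")
    privs = []
    for suite in range(16):
        b = response[2 + suite // 2]
        privs.append(b & 0x0F if suite % 2 == 0 else b >> 4)
    return privs


def encode_cipher_suite_privs(privs):
    """Inverse of decode: the 9-byte value for Set LAN Configuration
    Parameters (ipmitool raw 0x0c 0x01 <channel> 0x18 <value bytes>)."""
    if len(privs) != 16 or any(p not in PRIV_NAMES for p in privs):
        raise ValueError("need 16 privilege levels, each 0..5")
    value = [0x00]  # reserved byte
    for i in range(0, 16, 2):
        value.append(privs[i] | (privs[i + 1] << 4))
    return bytes(value)


def priv_string(privs):
    return "".join(PRIV_LETTERS[p] for p in privs)


def negotiated_suite(auth, integrity, confidentiality):
    """Cipher suite ID for the algorithms a session negotiated, or None."""
    return CIPHER_SUITES.get((auth, integrity, confidentiality))


def check_session_privilege(privs, suite, requested):
    """Whether Set Session Privilege Level (NetFn 0x06, cmd 0x3b) can reach
    `requested` on a session using `suite`, judged by the cipher suite limit
    alone; the channel and user privilege limits may still refuse it."""
    limit = privs[suite]
    if limit == 0:
        return False, "cipher suite %d is unused on this channel" % suite
    if requested > limit:
        return False, ("requested %s exceeds the cipher suite %d limit of %s "
                       "(the BMC refuses with completion code 0x81)"
                       % (PRIV_NAMES[requested], suite, PRIV_NAMES[limit]))
    return True, "cipher suite %d allows up to %s" % (suite, PRIV_NAMES[limit])


def weak_settings(privs):
    """Suites granted any privilege although they leave the session
    unauthenticated or unprotected on the wire."""
    reasons = {0: "no authentication, integrity or confidentiality",
               1: "no integrity or confidentiality",
               6: "no integrity or confidentiality",
               2: "no confidentiality",
               7: "no confidentiality"}
    return ["cipher suite %d enabled at %s: %s" % (s, PRIV_NAMES[privs[s]], why)
            for s, why in reasons.items() if privs[s] != 0]


def demo():
    privs = decode_cipher_suite_privs(parse_raw_output(SAMPLE_RAW_OUTPUT))
    # The trace in the thread negotiated hmac_sha1 / hmac_sha1_96 / aes_cbc_128.
    suite = negotiated_suite("hmac_sha1", "hmac_sha1_96", "aes_cbc_128")
    ok, why = check_session_privilege(privs, suite, ADMINISTRATOR)
    # Hardened value: only suite 3 enabled, at Administrator.
    hardened = encode_cipher_suite_privs([0, 0, 0, ADMINISTRATOR] + [0] * 12)
    return privs, suite, ok, why, weak_settings(privs), hardened


if __name__ == "__main__":
    privs, suite, ok, why, weak, hardened = demo()
    print("Cipher Suite Priv Max :", priv_string(privs))
    print("negotiated suite %s -> %s" % (suite, why))
    for finding in weak:
        print("WEAK:", finding)
    print("hardened parameter 24 value:", hardened.hex(" "))
```

On a real BMC, replace SAMPLE_RAW_OUTPUT with the line `ipmitool raw 0x0c 0x02 0x0e 0x18 0x00 0x00` returns for the channel in question; the hardened value is what would be written back with Set LAN Configuration Parameters (or, more conveniently, with bmc-config --commit on the Rmcpplus_Conf_Privilege section). The check only covers the cipher suite limit: a refusal can equally come from the user's own privilege limit or the channel's, which parameter 24 does not describe.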