IPMI 2.0 Errata 4 has extended the list of supported algorithms with SHA256 
(E431), resulting in more than 15 Cipher suites. The DCMI Spec lists only 17 as 
new/additional value, leaving the other 2 possible values unconfirmed.

Errata 434 deals with Cipher Suite 0 and clarifies this one to be "no 
password", basically an equivalent to the authtype none in RMCP/IPMI 1.5.  (if 
enabled for the channel, ipmitool -I lan -A NONE)

Regarding the "odd placement" of cipher suite 0 in your environment: see the 
Get Channel Cipher Suites command description (section 22.15). This is a simple 
list and technically does not really have to be ordered (but most BMCs will 
deliver it in an ordered way).

On a side note: If a BMC were to implement/support/enable all possible cipher 
suites (0-15 and 17), the Get Channel Cipher Suites command could not report all 
of them, since the response defines only 16 bytes for the cipher suite record 
data.

Holger

From: ^..^ [mailto:zenf...@gmail.com]
Sent: Wednesday, January 09, 2013 6:30 PM
To: ipmitool-devel@lists.sourceforge.net
Subject: [Ipmitool-devel] cipher suite decoding


I'm trying to understand cipher suites and ipmitool. The 2.0 spec says that 
there are 15 suites plus an OEM specified one (and reserved space); ipmitool's 
man page says cipher 0 is reserved in the cipher_privs option:

The format of privlist is as follows. Each character represents a
privilege level and the character position identifies the cipher suite
number. For example, the first character represents cipher suite
1 (cipher suite 0 is reserved), the second represents cipher suite 2,
and so on. privlist must be 15 characters in length.

And then gives an example: "to set the maximum privilege for cipher suite 1 to 
USER and suite 2 to ADMIN, issue the following command":

          ipmitool -I interface lan set channel cipher_privs uaXXXXXXXXXXXXX

Does this mean you can't set cipher suite 0?  Or if you can, can you not set 
the OEM one?

I see in the archives Jarred said 
(http://www.mail-archive.com/ipmitool-devel@lists.sourceforge.net/msg01169.html):

You have to change your BMCs to reject cipher suite 0.  FYI, IBM servers ship 
with it disabled for this very reason.

            ipmitool lan set 1 cipher_privs XaaaXXXXXXXXXXX

should do it.

In his example, however, it was answering a question about a conf that listed a 
limited set of suites:

          RMCP+ Cipher Suites : 0,1,2,3

So maybe the suites listed on the "RMCP+ Cipher Suites" correspond to the 
letters in the cipher_priv string?

Or perhaps some use position 1 in the cipher_priv string as cipher 0? Are the 
docs or Jarred right/wrong, or am I just plain confused?


And my Supermicro comes along to further muddy my waters:

    # ipmitool -I lanplus -H 192.168.0.69 -U ADMIN -P foobar lan print 1
    [...]
    RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0
    Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                            :     X=Cipher Suite Unused
                            :     c=CALLBACK
                            :     u=USER
                            :     o=OPERATOR
                            :     a=ADMIN
                            :     O=OEM
    [...]

(Note the odd placement of cipher 0 - the last in the list)

I've been unable to get it to accept cipher suite 0 (just testing, really! :)), 
but they may not support it, or I'm doing it wrong, or I don't know if the odd 
placement of Cipher 0 in their list means you have to place it in another 
position, but 15 "a"s in a row didn't seem to do anything.

Thanks for any clarifications.

dan

^..^
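As an added illustration (not code from ipmitool or from anyone in this thread), the following decodes the two views Dan's `lan print` output gives, the "RMCP+ Cipher Suites" list and the 15-character "Cipher Suite Priv Max" / cipher_privs string, strictly according to the man page format quoted above (position N = cipher suite N, so suite 0 has no slot). The sample output is constructed from the quoted Supermicro listing; whether a given BMC actually interprets the string this way is exactly the open question of the thread.

```python
# Added example (not ipmitool's code): decode the cipher_privs / "Cipher Suite
# Priv Max" string and the "RMCP+ Cipher Suites" line from `ipmitool lan print`,
# following the man page format quoted above: position N = cipher suite N,
# 15 characters, so cipher suite 0 has no position at all.
import re

PRIV_CHARS = {"X": "unused", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

def decode_cipher_privs(privlist):
    """Map cipher suite number (1..15) -> max privilege name."""
    if len(privlist) != 15:
        raise ValueError("privlist must be 15 characters, got %d" % len(privlist))
    result = {}
    for pos, ch in enumerate(privlist, start=1):
        if ch not in PRIV_CHARS:
            raise ValueError("bad privilege char %r at position %d" % (ch, pos))
        result[pos] = PRIV_CHARS[ch]
    return result

def build_cipher_privs(priv_by_suite):
    """Inverse: {suite: 'a'|'u'|...} -> 15-char privlist, 'X' for unlisted
    suites. Suite 0 cannot be expressed and is rejected explicitly."""
    chars = ["X"] * 15
    for suite, ch in priv_by_suite.items():
        if not 1 <= suite <= 15:
            raise ValueError("cipher suite %d has no position in privlist" % suite)
        chars[suite - 1] = ch
    return "".join(chars)

def enabled_suites(lan_print_output):
    """Parse the 'RMCP+ Cipher Suites' line into a list of ints, order kept."""
    m = re.search(r"RMCP\+ Cipher Suites\s*:\s*([0-9,]+)", lan_print_output)
    return [int(x) for x in m.group(1).split(",")] if m else []

def audit(lan_print_output):
    """Combine both views: for each enabled suite give the max privilege from
    the privlist, or flag it when privlist has no slot for it (suite 0)."""
    m = re.search(r"Cipher Suite Priv Max\s*:\s*(\S{15})", lan_print_output)
    privs = decode_cipher_privs(m.group(1)) if m else {}
    return {s: privs.get(s, "not controllable via cipher_privs")
            for s in enabled_suites(lan_print_output)}

# Constructed sample modelled on the Supermicro output quoted in the thread.
SAMPLE = """RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
"""
```

Running `audit(SAMPLE)` shows every listed suite at ADMIN except suite 0, which is enabled on the BMC but has no position in the privlist under the man page's numbering; that is the gap to check for on any BMC that lists 0.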


