MD5 is the (default and strongest) Authentication for RMCP (a.k.a. IPMI 1.5, 
a.k.a. -I lan) and not for RMCP+ (a.k.a. IPMI 2.0 a.k.a. -I lanplus) so I 
guess this command line option gets ignored as you are still trying to 
establish an RMCP+ session (-I lanplus) with the default Cipher Suite 3 - which 
seems to be disabled on your BMC.



Still not sure what you are trying to do and who has configured your BMC. 
HMAC_MD5 is weaker from a crypto point of view (Cipher Suites 6,7,8) for 
Authentication, and MD5_128 is weaker than HMAC_MD5 for Integrity (Cipher 
Suites 11,12 versus 6,7,8).

HMAC_SHA256 is stronger than HMAC_SHA1 (1,2,3) but your BMC does *only* 
support Authentication with HMAC_SHA256 (Cipher Suite 15, currently disabled) 
but no Integrity Check (missing Cipher Suite 16/17, so anyone can mess with 
your LAN packets after the session is open) and worse - no encryption when 
using HMAC_SHA256 (missing Cipher Suite 17).



Currently enabled are:

Cipher Suite 6 (no Integrity, no encryption)
Cipher Suite 11 (MD5, no encryption)
Cipher Suite 12 (MD5, AES)



Instead of going from medium to low hash strength I would recommend using long, 
strong passwords (you do have 20 bytes available) and changing them 
periodically.



From: VJ [mailto:purplet...@gmail.com]
Sent: Friday, February 10, 2017 7:39 AM
To: ipmitool-devel@lists.sourceforge.net
Subject: [Ipmitool-devel] RAKP 2 message indicates an error : unauthorized 
name



Hi,

After I set authtype to MD5 I am unable to log in and get the error mentioned in 
the subject.

Please help



Some debug info below

(with -A MD5 and without: same error)

> ipmitool -vvv -I lanplus -U Administrator -f file.txt -A MD5 -H host chassis status

>> Sending IPMI command payload
>>    netfn   : 0x06
>>    command : 0x38
>>    data    : 0x8e 0x04

BUILDING A v1.5 COMMAND
>> IPMI Request Session Header
>>   Authtype   : NONE
>>   Sequence   : 0x00000000
>>   Session ID : 0x00000000
>> IPMI Request Message Header
>>   Rs Addr    : 20
>>   NetFn      : 06
>>   Rs LUN     : 0
>>   Rq Addr    : 81
>>   Rq Seq     : 00
>>   Rq Lun     : 0
>>   Command    : 38
<< IPMI Response Session Header
<<   Authtype                : NONE
<<   Payload type            : IPMI (0)
<<   Session ID              : 0x00000000
<<   Sequence                : 0x00000000
<<   IPMI Msg/Payload Length : 16
<< IPMI Response Message Header
<<   Rq Addr    : 81
<<   NetFn      : 07
<<   Rq LUN     : 0
<<   Rs Addr    : 20
<<   Rq Seq     : 00
<<   Rs Lun     : 0
<<   Command    : 38
<<   Compl Code : 0x00
>> SENDING AN OPEN SESSION REQUEST

<<OPEN SESSION RESPONSE
<<  Message tag                        : 0x00
<<  RMCP+ status                       : no errors
<<  Maximum privilege level            : admin
<<  Console Session ID                 : 0xa0a2a3a4
<<  BMC Session ID                     : 0xffb52dfb
<<  Negotiated authenticatin algorithm : hmac_sha1
<<  Negotiated integrity algorithm     : hmac_sha1_96
<<  Negotiated encryption algorithm    : aes_cbc_128

>> Console generated random number (16 bytes)
 cc 18 fe 89 2d c0 e6 3c 28 66 80 ee 0a 82 0b 59
>> SENDING A RAKP 1 MESSAGE

<<RAKP 2 MESSAGE
<<  Message tag                   : 0x00
<<  RMCP+ status                  : unauthorized name
<<  Console Session ID            : 0xa0a2a3a4
<<  BMC random number             : 0x002db5ff000000080100000801000008
<<  BMC GUID                      : 0x01000008020000080169737400000000
<<  Key exchange auth code [sha1] : 0x0000000000000000000000000000000000000000

RAKP 2 message indicates an error : unauthorized name
Error: Unable to establish IPMI v2 / RMCP+ session





# ipmitool user list 1
ID  Name           Callin  Link Auth     IPMI Msg   Channel Priv Limit
1                    false   false      true       USER
2   Administrator    false   true       true       ADMINISTRATOR







# ipmitool lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD5
                        : User     : MD5
                        : Operator : MD5
                        : Admin    : MD5
                        : OEM      :
....
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 0.0 seconds
Default Gateway IP      : .........
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,15
Cipher Suite Priv Max   : XXXaXXaaXXXXXXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
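
The reading of "RMCP+ Cipher Suites" and "Cipher Suite Priv Max" given in the reply at the top of this thread can be automated. The following is an added example, not part of the original messages and not ipmitool code; the function names are hypothetical, and it assumes the Nth privilege character applies to the Nth listed suite, which is consistent with the reply's list of enabled suites (6, 11, 12).

```python
import re

# IPMI 2.0 cipher suite ID -> (authentication, integrity, confidentiality).
# Covers the IDs this BMC advertises plus 16/17, which the reply notes are missing.
SUITES = {
    1: ("hmac_sha1", "none", "none"),
    2: ("hmac_sha1", "hmac_sha1_96", "none"),
    3: ("hmac_sha1", "hmac_sha1_96", "aes_cbc_128"),
    6: ("hmac_md5", "none", "none"),
    7: ("hmac_md5", "hmac_md5_128", "none"),
    8: ("hmac_md5", "hmac_md5_128", "aes_cbc_128"),
    11: ("hmac_md5", "md5_128", "none"),
    12: ("hmac_md5", "md5_128", "aes_cbc_128"),
    15: ("hmac_sha256", "none", "none"),
    16: ("hmac_sha256", "hmac_sha256_128", "none"),
    17: ("hmac_sha256", "hmac_sha256_128", "aes_cbc_128"),
}

# The two relevant lines, copied from the `ipmitool lan print 1` output in the thread.
LAN_PRINT = """\
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,15
Cipher Suite Priv Max   : XXXaXXaaXXXXXXX
"""

def enabled_suites(lan_print):
    """Return {suite_id: priv_char} for suites whose privilege slot is not 'X'."""
    ids = re.search(r"^RMCP\+ Cipher Suites\s*:\s*([\d,]+)", lan_print, re.M)
    priv = re.search(r"^Cipher Suite Priv Max\s*:\s*(\S+)", lan_print, re.M)
    if not ids or not priv:
        raise ValueError("cipher suite lines not found")
    suite_ids = [int(s) for s in ids.group(1).split(",")]
    # Assumption: the Nth privilege character belongs to the Nth listed suite.
    return {sid: p for sid, p in zip(suite_ids, priv.group(1)) if p != "X"}

def audit(lan_print):
    """Return (suite_id, [findings]) for every enabled suite."""
    report = []
    for sid in sorted(enabled_suites(lan_print)):
        auth, integ, conf = SUITES.get(sid, ("unknown",) * 3)
        findings = []
        if integ == "none":
            findings.append("no integrity check")
        if conf == "none":
            findings.append("no encryption")
        if "md5" in auth or "md5" in integ:
            findings.append("MD5-based")
        report.append((sid, findings))
    return report

if __name__ == "__main__":
    for sid, findings in audit(LAN_PRINT):
        print(sid, SUITES.get(sid), findings or ["ok"])
```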








