Hi, I'm running the ipmi_sim, and I'm having some trouble with adding users. The short story is that if I add users through the IPMI interface (using ipmitool), I'm unable to log in with them.
The reason is because in the persistence file, allowed_auths is never changed from 0. I don't see any way in the IPMI spec or in ipmitool to change this per user. This means for users which aren't in lan.conf, there's no way to authenticate.

I got looking at lanserv_ipmi.c and thought a good idea might be to ignore user->allowed_auths if it's 0 and fall back on the test for allowed_auths for the privilege level. This in theory does work, but in practice, ipmitool seems to _always_ request Administrator as the privilege level in the Get Channel Auth Capabilities message (netFn 0x6, CMD 0x38). This means that effectively the auth capabilities of Administrator (allowed_auths_admin in lan.conf) are the only ones which are used in practice :/ This is of course a separate issue (and what looks to be a bug in ipmitool), but it does affect the possible solution of the issue at hand.

Steps to reproduce:

1. Add the new user with admin privileges (network args removed):

    # ipmitool user set name 4 a2
    # ipmitool user set password 4
    # ipmitool user priv 4 4
    # ipmitool user enable 4
    # ipmitool -U a2 user list    <--- this one fails

2. Open the users file (users.mc20) and observe user #4 has allowed_auths of 0.

I've made a patch which will ignore the user allowed_auths if it's zero (falling back to using the privilege allowed_auths which are in the lan.conf). It's in reply to this message. Consider it RFC.

Thanks!
Alan.
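The fallback discussed in the message above, as an added example that is not part of the original post and is not OpenIPMI code: a simplified model of the auth-type check showing that a user mask of 0 rejects every auth type, and that with the fallback the mask of the requested privilege level decides. The struct names, function names and sample masks are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* IPMI 1.5 authentication type numbers; bit N of a mask enables type N. */
enum { AUTH_NONE = 0, AUTH_MD2 = 1, AUTH_MD5 = 2, AUTH_STRAIGHT = 4 };
#define AUTH_BIT(t) (1u << (t))

/* IPMI privilege levels. */
enum { PRIV_CALLBACK = 1, PRIV_USER, PRIV_OPERATOR, PRIV_ADMIN };

/* Hypothetical stand-ins for the per-privilege masks and a user record. */
struct chan_cfg { uint8_t priv_auths[PRIV_ADMIN + 1]; };  /* indexed by privilege */
struct user_rec { uint8_t allowed_auths; };

/* Constructed sample: user-level sessions may use MD5 or straight password,
 * every other level (including admin) MD5 only. */
static const struct chan_cfg SAMPLE_CFG = {{
    0, AUTH_BIT(AUTH_MD5), AUTH_BIT(AUTH_MD5) | AUTH_BIT(AUTH_STRAIGHT),
    AUTH_BIT(AUTH_MD5), AUTH_BIT(AUTH_MD5)
}};
/* allowed_auths of 0, as the post reports for the user added over IPMI. */
static const struct user_rec NEW_USER = { 0 };

/* User mask alone decides: a mask of 0 rejects every auth type. */
static int auth_ok_strict(const struct user_rec *u, int authtype)
{
    return (u->allowed_auths & AUTH_BIT(authtype)) != 0;
}

/* Treat 0 as "unset" and fall back to the mask of the requested privilege. */
static int auth_ok_fallback(const struct chan_cfg *c, const struct user_rec *u,
                            int req_priv, int authtype)
{
    unsigned mask = u->allowed_auths;
    if (mask == 0) {
        if (req_priv < PRIV_CALLBACK || req_priv > PRIV_ADMIN)
            return 0;                      /* unknown level: reject */
        mask = c->priv_auths[req_priv];
    }
    return (mask & AUTH_BIT(authtype)) != 0;
}

int main(void)
{
    printf("strict, MD5: %d\n", auth_ok_strict(&NEW_USER, AUTH_MD5));
    printf("fallback, admin requested, straight: %d\n",
           auth_ok_fallback(&SAMPLE_CFG, &NEW_USER, PRIV_ADMIN, AUTH_STRAIGHT));
    printf("fallback, user requested, straight: %d\n",
           auth_ok_fallback(&SAMPLE_CFG, &NEW_USER, PRIV_USER, AUTH_STRAIGHT));
    return 0;
}
```

With a client that always requests Administrator, only the admin row of the table is ever consulted, so the looser user-level mask in the sample never takes effect.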
