On 03/28/2017 04:17 PM, Alan Ott wrote:
> Per-user allowed_auths are stored in the persistence file, but there's
> no way to change them from their defaults, which is 0 (no allowed auths)
> for users which are not in lan.conf (ie: for users which are added using
> the IPMI interface). Ignoring user allowed_auths when they are 0 will
> cause ipmi_sim to use the per-privilege allowed_auths for the user's
> privilege level instead.
Well, this was pretty hard. I'm not sure where the per-user allowed_auths came from, I don't see any evidence that there is anything like that in the spec. The only thing that it says is that the auth in the Get Session Challenge and Activate Session commands must match, but there's no real way to do that because the point of this is to avoid DOS attacks, and so you can't really save info for the other command.

So my proposal would be to just delete the per-user allowed_auths. Does that make sense?

Thanks,

-corey

> Signed-off-by: Alan Ott <[email protected]> > --- > lanserv/lanserv_ipmi.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c > index 67bf74a..d6eeb1f 100644 > --- a/lanserv/lanserv_ipmi.c > +++ b/lanserv/lanserv_ipmi.c > @@ -665,7 +665,7 @@ handle_get_session_challenge(lanserv_data_t *lan, msg_t > *msg) > return; > } > > - if (!(user->allowed_auths & (1 << authtype))) { > + if (user->allowed_auths && !(user->allowed_auths & (1 << authtype))) { > lan->sysinfo->log(lan->sysinfo, SESSION_CHALLENGE_FAILED, msg, > "Session challenge failed: Invalid authorization type"); > return_err(lan, msg, NULL, IPMI_INVALID_DATA_FIELD_CC);
> @@ -895,14 +895,14 @@ handle_temp_session(lanserv_data_t *lan, msg_t *msg) > "Activate session failed: Invalid user idx: 0x%x", user_idx); > return; > } > - if (! (user->allowed_auths & (1 << auth))) { > + if (user->allowed_auths && ! (user->allowed_auths & (1 << auth))) { > lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg, > "Activate session failed: Requested auth %d was invalid for" > " user 0x%x", > auth, user_idx); > return; > } > - if (! (user->allowed_auths & (1 << msg->authtype))) { > + if (user->allowed_auths && ! (user->allowed_auths & (1 << > msg->authtype))) { > lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg, > "Activate session failed: Message auth %d was invalid for" > " user 0x%x",
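Review bot: the new `user->allowed_auths &&` guard in the handle_get_session_challenge hunk (@@ -665) turns an all-zero mask from fail-closed into fail-open, and the fallback the commit message promises (the per-privilege allowed_auths) is not visible in this hunk: when the mask is 0 the check is simply skipped and the function carries on. Since 0 is also the stored default for every user created over the IPMI interface, existing persistence files silently change meaning, and there is no longer any way to say "no auth types allowed" for one user. If "0 means inherit" is the intended rule, make it explicit at the check site, for instance by computing one effective mask (the user's mask if non-zero, otherwise the privilege-level mask) and testing that, so the reader can see in this function which mask is actually enforced. Given the reply above doubts that per-user allowed_auths has any basis in the spec, dropping the per-user field altogether may be the cleaner change.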
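Review bot: in the handle_temp_session hunk (@@ -895) the same `user->allowed_auths &&` guard is now written out twice (for `auth` and for `msg->authtype`), and a third time in the earlier hunk; a small helper, say a hypothetical `user_auth_allowed(user, auth)` that encodes the "0 means no per-user restriction" rule once, would keep the three sites consistent and each condition short. The field's new meaning (0 defers to the privilege level's allowed_auths) should also be documented where allowed_auths is declared and where it is written to the persistence file, since the commit message is currently the only place that states it. The log text ("Requested auth %d was invalid for user", "Message auth %d was invalid for user") is unchanged and remains accurate for the non-zero case.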
