So the firmware team decided to stop allowing cipher suite 2 (Also forbids IPMI
1.5). It's the same line of thought that causes them to disable http and only
allow https (and further, https has disabled a lot of ciphers) and same reason
telnet server is disabled and only ssh allowed (also with some older ssh
ciphers removed). If you don't have those formerly (for you current) optional
rpms, then xCAT used IPMI 2.0, cipher suite 2 to speak to BMCs (or IPMI 1.5 if
2.0 wasn't supported). If those rpms are there, then it was able to do cipher
suite 3. For some systems, a firmware update will remove support for older
ciphers, some systems never shipped with a version that allowed cipher suite 2.
Random rambling on the state of the security of this stuff for the curious:
Fun fact, IPMI cipher suite 3 and better is not vulnerable to quantum computing
based attacks, even in theory at the moment. Ditto for SNMPv3 at 'authPriv'
level of protection..
Cipher Suite2 provided full protection for your username/password and provided
full integrity assurance, but on the wire you would be able to see the payload
("what is server power state? It is on") as it was authenticated and integrity
assured, but no privacy cipher. Cipher suite 3 added AES to provide encryption
as well as integrity and authentication via HMAC-SHA1 (now not only protected
against tampering and impersonation, but eavesdropper doesn't know what the
conversation is, though they could make educated guesses based on traffic
analysis, like with all protocols).
For any curious, one thing with IPMI is that the password is really a shared
secret, and the BMC goes first with 'proof'. Therefore anyone with ability to
send and receive udp ports to an IPMI device can send a message and will
receive a random set of data and an HMAC using the password as as the key.
This is roughly equivalent to getting a copy of /etc/shadow of your password
and as such someone can ask for the equivalent of /etc/shadow for a user they
know the name of. This is not necessarily fatal as if you select a strong
password (e.g. 20 random characters), your password even in /etc/shadow form
will never fall to an attacker. SNMPv3 has a similar situation, but the client
goes first, so attacker would have to either capture traffic or spoof the ip of
an SNMP endpoint. Of course on the other hand using TLS with cert verification
disabled is also vulnerable to the latter sort of attack and in fact is
actually weaker, as at least in SNMP and IPMI the password is never actually
sent on the wire, only a derivation of it, versus TLS schemes that assume it's
ok to ship the password.
For those curious about security, HMAC-SHA1 may raise eyebrows and in fact
there are newer cipher suites with SHA256/SHA384. However when used in an
HMAC, SHA1 is still considered ok, as collision/preimage isn't the risk in
HMAC, so SHA1 has no known weaknesses relevant to HMAC.
-----Original Message-----
From: Rogie Pamintuan <rbpamint...@gmail.com>
Sent: Thursday, June 14, 2018 10:06 AM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] No cipher suite match with proposed
security algorithms
Great. A BIG thanks Jarrod.
I will have to test those 2 rpms since the cluster is in Production.
before we wrap up this issue. I want to know where exactly the changes
happened. Is it in BMC level? or BMC for Lenovo machines? or directly with
xCAT? when we hit the cipher issue.
Thanks Again.
> On Jun 14, 2018, at 8:47 AM, Rogie Pamintuan <rbpamint...@gmail.com> wrote:
>
> Morning Jarrod,
>
> Just to confirm > Installing the two rpms you’ve referenced will resolve the
> issue on xcat2.8.2? I dont expect any side effect, right? Let me know if
> there is a simplier solution. Thanks!
>
>> On Jun 13, 2018, at 10:01 AM, Rogie Pamintuan <rbpamint...@gmail.com> wrote:
>>
>> Morning Jarrod. Thanks for looking at this issue.
>>
>> I look at my environment, I don’t have the two rpms installed.
>>
>> ]# lsxcatd -v
>> Version 2.8.2 (built Fri Oct 25 04:29:40 EDT 2013) # rpm -qa | grep
>> -i perl-Crypt
>> perl-Crypt-SSLeay-0.57-16.el6.x86_64
>>
>> Thank you.
>>
>>
>>> On Jun 13, 2018, at 8:50 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>>>
>>> Can you check if you have the two rpms installed I referenced? If
>>> they are installed (CBC and Rijndael) then 2.8.2 should be able to
>>> communicate using the stricter security cipher.
>>> -----Original Message-----
>>> From: Rogie Pamintuan <rbpamint...@gmail.com>
>>> Reply-To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>>> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>>> Subject: Re: [xcat-user] [External] No cipher suite match with
>>> proposed security algorithms
>>> Date: Tue, 12 Jun 2018 17:43:23 -0400
>>>
>>> Hi Jarrod,
>>> I have xCAT v2.8.2 (comes with PHPC) which works on my existing
>>> idataflex nodes. When u say we disabled weaker ciphers in the XCC
>>> (BMC/IMM), how easy it is to enable? Any workaround? Thanks.
>>>
>>> On Jun 12, 2018, at 4:23 PM, Jarrod Johnson <jjohns...@lenovo.com>
>>> wrote:
>>>
>>>> What version of xCAT? Do you have perl-Crypt-Rijndael and perl-
>>>> Crypt-CBC installed?
>>>> We disabled the weaker ciphers in the XCC (BMC/IMM), which means
>>>> you now *must* have AES support to speak to the BMC, whereas at one
>>>> point it was optional.
>>>>
>>>> From: Rogie Pamintuan <rbpamint...@gmail.com>
>>>> Sent: Tuesday, June 12, 2018 4:09 PM
>>>> To: xcat-user@lists.sourceforge.net
>>>> Subject: [External] [xcat-user] No cipher suite match with proposed
>>>> security algorithms
>>>>
>>>> Hi There,
>>>>
>>>> I’m having issue adding new nodes running on Lenovo 7x02 SR630 HW.
>>>> No problem with existing nodes running on idataflex HW.
>>>>
>>>> Here goes the error:
>>>>
>>>> # rinv compute000
>>>> compute000: Error: No cipher suite match with proposed security
>>>> algorithms
>>>> compute000: Error: No cipher suite match with proposed security
>>>> algorithms
>>>> compute000: Error: No cipher suite match with proposed security
>>>> algorithms
>>>> compute000: Error: No cipher suite match with proposed security
>>>> algorithms
>>>> compute000: Error: No cipher suite match with proposed security
>>>> algorithms
>>>>
>>>> Other r* commands (i.e rpower, rvitals etc) showing the same issue.
>>>>
>>>> I have updated the HW firmware level for my Lenovo machines but
>>>> still having the same issue.
>>>>
>>>> I saw similar issue here before but I can’t see the answer or update.
>>>> Link as follow:
>>>>
>>>> https://sourceforge.net/p/xcat/mailman/message/32241804/
>>>>
>>>> Any help will be greatly appreciated. Thank you!
>>>> -------------------------------------------------------------------
>>>> -----------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> xCAT-user mailing list
>>>> xCAT-user@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/xcat-user
>>>
>>> --------------------------------------------------------------------
>>> -
>>> ---------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> xCAT-user mailing list
>>> xCAT-user@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/xcat-user
>>> --------------------------------------------------------------------
>>> ---------- Check out the vibrant tech community on one of the
>>> world's most engaging tech sites, Slashdot.org!
>>> http://sdm.link/slashdot
>>> _______________________________________________
>>> xCAT-user mailing list
>>> xCAT-user@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/xcat-user
>>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech
sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
