Attention users of network IPMI

Alexander Amelkin a.amelkin at yadro.com
Fri Mar 30 03:18:19 AEDT 2018


On Thu, Mar 29, 2018 at 06:56:00PM +0530, Deepak Kodihalli wrote:
> On 29/03/18 2:53 pm, Tom Joseph wrote:
> >Hello,
> >
> >Based on  feedback from the team writing management scripts for OpenBMC.
> >There is a suggestion to
> >support the "-U" parameter when running the IPMI over network, to keep the
> >script consistent across
> >multiple BMC implementations.
> >
> >The support currently in  OpenBMC for the IPMI user accounts is the
> >nameless account and the -U option
> >is not needed and only the -P option is needed. With the proposed change,
> >"-U admin" is needed, for the
> 
> This would break current users based on a nameless account. So I suppose
> that you'd have to still support a nameless account.

Sure. IPMI specification clearly states for Set User Access command that
"if implemented, this command must support at least the null user".

> >session setup to succeed. "root"  username was not preferred so that the
> >user does not get confused with the
> >linux user account.
> >
> >IPMITool usage with the proposed change:
> >
> >ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>

Just a note. IMO, the password for IPMI users must be the same as for
system users, and preferably verified using pam as well.

IPMI defines user privileges (user, operator, administrator, oem
proprietary privileges), and I think we need to support them. I'd do that via
standard user groups.  The root username may still be available with
'administrator' privilege level (user 'root' included into 'admin' group).
That way we can rely on standard means for authentication and filesystem
permissions, and maybe have some pam plugin for interaction with phosphor
(e.g. to check whether a user is disabled).

I'd also say that Get Device ID must work without password for anonymous
user for ease of IPMI-enabled device discovery, but that again may break
the existing setups using anonymous user with a password, and I can't find
anything in IPMI v2.0 specification on authentication requirements for Get
Device ID (if I was writing the spec, I'd demand absence of authentication
for that command).

Alexander.
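
The group-based privilege mapping proposed in the message above, as an added example that is not part of the original e-mail or of OpenBMC code. Only the 'admin' group and the 'root' user come from the message; the other group names, the sample group file and the `disabled` set (standing in for a phosphor lookup) are assumptions.

```python
from enum import IntEnum

class Priv(IntEnum):
    """IPMI privilege level codes for the levels named in the message."""
    USER = 2
    OPERATOR = 3
    ADMINISTRATOR = 4

# Hypothetical group names; only 'admin' appears in the message.
GROUP_PRIV = {
    "ipmi-user": Priv.USER,
    "ipmi-operator": Priv.OPERATOR,
    "admin": Priv.ADMINISTRATOR,
}

# Constructed sample in /etc/group format (name:passwd:gid:members).
SAMPLE_GROUP = """\
admin:x:1000:root,alice
ipmi-operator:x:1001:bob,alice
ipmi-user:x:1002:carol
wheel:x:10:dave
"""

def parse_groups(text):
    """Return {group: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue  # skip blank or malformed entries rather than guess
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def max_privilege(user, groups):
    """Highest IPMI level granted by the user's groups, or None."""
    levels = [GROUP_PRIV[g] for g, members in groups.items()
              if g in GROUP_PRIV and user in members]
    return max(levels, default=None)

def grant(user, requested, groups, disabled=frozenset()):
    """Return the session privilege to grant, or None to refuse."""
    limit = max_privilege(user, groups)
    if user in disabled or limit is None:
        return None  # unknown, unmapped or disabled users get nothing
    # Refuse a request above the user's limit instead of downgrading it.
    return requested if requested <= limit else None
```

A user who belongs only to groups outside the mapping (here `dave` in `wheel`) gets no IPMI access, so a system account does not become an IPMI account by default.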

