ipmi: Inquiry Regarding IPMI User Password Testing

Jerry Wan (萬祐嘉) Jerry.Wan at quantatw.com
Thu Nov 9 19:06:36 AEDT 2023


Hi Vernon,


We recently conducted some tests on phosphor-ipmi-host and found that the user password test command doesn't appear to be compliant with the IPMI specification.

We used a 20-byte password testing command to validate a 16-byte password, and it passed the test. However, according to the IPMI specification, I think the above test combination should return a failure. (Please refer to IPMI spec 22.30-Set User Password Command, page 313)

Here is the testing procedure:

  1.  Change the user password with a 16-byte flag.
root@evb:~# ipmitool user set password 5 Passw0rd 16
Set User Password command successful (user 5)

  2.  Use a 16-byte testing command to validate the correct password: Pass
root@evb:~# ipmitool user test 5 16 Passw0rd
Success

  3.  Use a 20-byte testing command to validate the correct password: Pass <== I think this should be a Fail
root@gms:~# ipmitool user test 5 20 Passw0rd
Success

Could you please confirm if my understanding is correct?

Additionally, any insights or suggestions on this matter would be greatly appreciated.

Thank you very much.



Best Regards



Quanta Computer Inc.

software engineer

Jerry Wan
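
Added example, not part of the original message and not phosphor-ipmi-host code: a small C++ model of the test-password operation under the reading of the spec given in the message, where the size used at set time (16 or 20 bytes) is remembered and a test with the other size fails. All type and function names are hypothetical; 80h and 81h are the Set User Password test-failure completion codes from the IPMI v2.0 specification.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical model for illustration; names are not from phosphor-ipmi-host.
using Field = std::array<uint8_t, 20>;
constexpr uint8_t ccOk = 0x00;
constexpr uint8_t ccDataMismatch = 0x80; // size correct, data does not match
constexpr uint8_t ccWrongSize = 0x81;    // wrong password size was used
struct Stored { Field data; size_t size; }; // size is 16 or 20

// Zero-pad the password to the field size carried in the request.
static Field pad(const std::string& pw, size_t size) {
    Field out{};
    std::memcpy(out.data(), pw.data(), std::min(pw.size(), size));
    return out;
}

// Compare without an early exit so timing does not leak the mismatch position.
static bool sameBytes(const Field& a, const Field& b) {
    unsigned diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= a[i] ^ b[i];
    return diff == 0;
}

Stored setPassword(const std::string& pw, size_t size) {
    return Stored{pad(pw, size), size};
}

// Size-blind test: compares padded bytes only, giving "Success" as in step 3.
uint8_t testSizeBlind(const Stored& s, const std::string& pw, size_t size) {
    return sameBytes(s.data, pad(pw, size)) ? ccOk : ccDataMismatch;
}

// Size-aware test: a 20-byte test against a 16-byte stored password fails.
uint8_t testSizeAware(const Stored& s, const std::string& pw, size_t size) {
    if (size != s.size) return ccWrongSize;
    return sameBytes(s.data, pad(pw, size)) ? ccOk : ccDataMismatch;
}

int main() {
    Stored s = setPassword("Passw0rd", 16); // constructed sample, as in step 1
    std::printf("size-blind, 20-byte test: 0x%02x\n", testSizeBlind(s, "Passw0rd", 20));
    std::printf("size-aware, 20-byte test: 0x%02x\n", testSizeAware(s, "Passw0rd", 20));
}
```
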

