Attention users of network IPMI

Emily Shaffer emilyshaffer at google.com
Fri Mar 30 03:37:24 AEDT 2018


On Thu, Mar 29, 2018 at 9:19 AM Alexander Amelkin <a.amelkin at yadro.com>
wrote:

> On Thu, Mar 29, 2018 at 06:56:00PM +0530, Deepak Kodihalli wrote:
> > On 29/03/18 2:53 pm, Tom Joseph wrote:
> > >Hello,
> > >
> > >Based on feedback from the team writing management scripts for OpenBMC,
> > >there is a suggestion to support the "-U" parameter when running IPMI
> > >over the network, to keep the script consistent across multiple BMC
> > >implementations.
> > >
> > >The support currently in OpenBMC for the IPMI user accounts is the
> > >nameless account; the -U option is not needed and only the -P option is
> > >needed. With the proposed change, "-U admin" is needed for the
> >
> > This would break current users based on a nameless account. So I suppose
> > that you'd have to still support a nameless account.
>
> Sure. IPMI specification clearly states for Set User Access command that
> "if implemented, this command must support at least the null user".
>
> > >session setup to succeed. The "root" username was not preferred so that
> > >the user does not get confused with the Linux user account.
> > >
> > >IPMITool usage with the proposed change:
> > >
> > >ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>
>
> Just a note. IMO, the password for IPMI users must be the same as for
> system users, and preferably verified using PAM as well.
>

Seconded - I'd probably suggest PAM as a bare minimum.


>
> IPMI defines user privileges (user, operator, administrator, OEM
> proprietary privileges), and I think we need to support them. I'd do that
> via standard user groups. The root username may still be available with
> 'administrator' privilege level (user 'root' included in the 'admin' group).
> That way we can rely on standard means for authentication and filesystem
> permissions, and maybe have some PAM plugin for interaction with phosphor
> (e.g. to check whether a user is disabled).
>

I thought Intel (Ed?) was working on something related to this.  Could
someone comment?


>
> I'd also say that Get Device ID must work without password for anonymous
> user for ease of IPMI-enabled device discovery, but that again may break
> the existing setups using anonymous user with a password, and I can't find
> anything in IPMI v2.0 specification on authentication requirements for Get
> Device ID (if I was writing the spec, I'd demand absence of authentication
> for that command).
>
> Alexander.
>
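As an added illustration of the group-based scheme Alexander sketches above (this is example code written for this page, not OpenBMC or phosphor code): an IPMI privilege level is derived from Unix group membership, a locked shadow entry maps to "no access" the way a PAM check would, and the null user is still accepted. The group names, the level granted to the null user, and the /etc/group and /etc/shadow samples are assumptions.

```python
# IPMI v2.0 privilege level codes (as used by Set/Get User Access).
PRIV_NO_ACCESS = 0x0F
PRIV_USER = 0x02
PRIV_OPERATOR = 0x03
PRIV_ADMINISTRATOR = 0x04

# Assumed group -> privilege mapping; a user gets the highest level among its
# groups, so 'root' in 'admin' becomes Administrator as the thread suggests.
GROUP_PRIVILEGE = {"ipmi-user": PRIV_USER, "ipmi-operator": PRIV_OPERATOR,
                   "admin": PRIV_ADMINISTRATOR}

# Constructed sample data standing in for /etc/group and /etc/shadow.
SAMPLE_GROUP = """\
admin:x:1000:root,alice
ipmi-operator:x:1001:bob
ipmi-user:x:1002:bob,carol
"""
SAMPLE_SHADOW = """\
root:$6$constructed:17000:0:99999:7:::
alice:$6$constructed:17000:0:99999:7:::
bob:$6$constructed:17000:0:99999:7:::
carol:!$6$constructed:17000:0:99999:7:::
"""

def parse_groups(text):
    """Map group name -> set of supplementary members (/etc/group format)."""
    groups = {}
    for line in text.splitlines():
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups

def is_disabled(shadow_text, user):
    """Locked shadow entries start with '!' or '*' (a check a PAM module could do)."""
    for line in shadow_text.splitlines():
        name, pw = line.split(":", 2)[:2]
        if name == user:
            return pw.startswith(("!", "*"))
    return True  # unknown user: treat as disabled

def ipmi_privilege(user, group_text=SAMPLE_GROUP, shadow_text=SAMPLE_SHADOW):
    """Highest IPMI privilege of a user; NO ACCESS if disabled or unknown."""
    if user == "":  # null user must be accepted; its level here is an assumption
        return PRIV_USER
    if is_disabled(shadow_text, user):
        return PRIV_NO_ACCESS
    groups = parse_groups(group_text)
    levels = [p for g, p in GROUP_PRIVILEGE.items() if user in groups.get(g, ())]
    return max(levels, default=PRIV_NO_ACCESS)
```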