So two things:

- For any IPMI device that implements IPMI 2.0:

ipmitool lan print <channel number>

Look for:

Cipher Suite Priv Max : XaaaaXXXXXXXXXX

If the first character is not X, then anyone can get in without having accurate auth data. If IPMITOOL is somehow finagling it to be cipher suite zero when passed weird arguments by mistake, that can explain it. You can use lan set cipher_privs on the BMC to manually fix it so the first one is disabled. IBM explicitly caps cipher suite zero to 'user' privilege by default as most everyone doesn't understand the exposure, though xCAT goes a step further and disables it outright when setting up an IPMI device for lack of any sane use for it IMHO. If you fix that and you can still produce the problem, then you have a fairly grave security issue in your service processors.

The other thing is even when/if it seems to be working as expected, I would do a tcpdump/wireshark capture of your session and examine the packets from the service processor to make sure they all have integrity algorithms applied. I have had captures sent to me from some Dell system where the BMC does not apply the same integrity protection on replies even if it requires the requests be encrypted. These captures didn't get beyond the RAKP exchange so I don't know if it will start doing privacy and integrity post session-establishment (this was with an IPMI client that is more paranoid than ipmitool on security issues and thus it refused to continue the conversation when the service processor didn't provide integrity protection on packets). At the very least there is a window of opportunity for man in the middle attacks with such service processors.

From: "Edward Ned Harvey" <agi...@nedharvey.com>
To: <ipmitool-devel@lists.sourceforge.net>
Date: 10/11/2010 09:09 PM
Subject: Re: [Ipmitool-devel] lanplus encryption

> From: Edward Ned Harvey [mailto:agi...@nedharvey.com]
>
> If I mess up my IPMICIPHER a little bit ... Just change a few
> characters at the end ...
> Then it still works.

Yeah, this blows my mind. Even if I mess up my password...
So I have both the wrong password and the wrong cipher key ... then it still works. Clearly I must be doing something wrong.

Thanks....

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Ipmitool-devel mailing list
Ipmitool-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
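
An added example, not part of the original thread or of ipmitool itself: a shell function for the first check described in the reply above, reading `ipmitool lan print <channel number>` output and reporting the privilege cap on cipher suite zero. The two sample outputs and the labels `bmc-a`/`bmc-b` are constructed; the letter-to-privilege mapping follows the legend ipmitool prints under the Cipher Suite Priv Max line.

```shell
#!/bin/sh
# Added example: audit cipher suite zero in `ipmitool lan print` output.
# Real use: ipmitool lan print <channel number> | cipher0_cap

# Constructed sample outputs (not captured from a real BMC).
SAMPLE_DISABLED='IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 1,2,3,4
Cipher Suite Priv Max   : XaaaaXXXXXXXXXX
                        :     X=Cipher Suite Unused'
SAMPLE_EXPOSED='IP Address              : 192.0.2.11
RMCP+ Cipher Suites     : 0,1,2,3,4
Cipher Suite Priv Max   : aaaaaXXXXXXXXXX
                        :     X=Cipher Suite Unused'

# Print the privilege string from lan print output on stdin.
priv_max() {
    sed -n 's/^Cipher Suite Priv Max[[:space:]]*:[[:space:]]*\([A-Za-z]*\).*$/\1/p' |
        head -n 1
}

# Print the cap on cipher suite zero (first character of the string).
# Returns 0 if disabled, 1 if enabled at any level, 2 if it cannot tell.
cipher0_cap() {
    privs=$(priv_max)
    case "$privs" in
        "") echo "unknown"; return 2 ;;
        X*) echo "disabled"; return 0 ;;
        c*) echo "CALLBACK" ;;
        u*) echo "USER" ;;
        o*) echo "OPERATOR" ;;
        a*) echo "ADMIN" ;;
        O*) echo "OEM" ;;
        *)  echo "unrecognized"; return 2 ;;
    esac
    return 1
}

# Report one BMC: $1 is a label, $2 is its lan print output.
audit() {
    if cap=$(printf '%s\n' "$2" | cipher0_cap); then
        echo "$1: OK, cipher suite zero is $cap"
    else
        echo "$1: REVIEW, cipher suite zero privilege: $cap (fix with lan set cipher_privs)"
    fi
}

audit bmc-a "$SAMPLE_DISABLED"
audit bmc-b "$SAMPLE_EXPOSED"
```

The non-zero return for anything other than `X` in the first position makes the function usable as a gate in a provisioning or compliance script.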