* Attention users of network IPMI
@ 2018-03-29  9:23 Tom Joseph
  2018-03-29 13:26 ` Deepak Kodihalli
  0 siblings, 1 reply; 6+ messages in thread
From: Tom Joseph @ 2018-03-29  9:23 UTC (permalink / raw)
  To: OpenBMC Maillist
  Cc: Vernon Mauery, Emily Shaffer, Stewart Smith, Andrew Geissler

Hello,

Based on feedback from the team writing management scripts for OpenBMC,
there is a suggestion to support the "-U" parameter when running IPMI
over the network, to keep the script consistent across multiple BMC
implementations.

The support currently in OpenBMC for the IPMI user accounts is the
nameless account, so the -U option is not needed and only the -P option
is needed. With the proposed change, "-U admin" is needed for the
session setup to succeed. The "root" username was not preferred, so that
the user does not get confused with the Linux user account.

IPMITool usage with the proposed change:

ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>

https://gerrit.openbmc-project.xyz/#/c/9643/

Regards,

Tom


* Re: Attention users of network IPMI
  2018-03-29  9:23 Attention users of network IPMI Tom Joseph
@ 2018-03-29 13:26 ` Deepak Kodihalli
  2018-03-29 16:18   ` Alexander Amelkin
  2018-04-10  2:57   ` Stewart Smith
  0 siblings, 2 replies; 6+ messages in thread
From: Deepak Kodihalli @ 2018-03-29 13:26 UTC (permalink / raw)
  To: tomjose; +Cc: openbmc

On 29/03/18 2:53 pm, Tom Joseph wrote:
> Hello,
> 
> Based on  feedback from the team writing management scripts for OpenBMC. 
> There is a suggestion to
> support the "-U" parameter when running the IPMI over network, to keep 
> the script consistent across
> multiple BMC implementations.
> 
> The support currently in  OpenBMC for the IPMI user accounts is the 
> nameless account and the -U option
> is not needed and only the -P option is needed. With the proposed 
> change, "-U admin" is needed, for the

This would break current users based on a nameless account. So I suppose 
that you'd have to still support a nameless account.

> session setup to succeed. "root"  username was not preferred so that the 
> user does not get confused with the
> linux user account.
> 
> IPMITool usage with the proposed change:
> 
> ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>
> 
> https://gerrit.openbmc-project.xyz/#/c/9643/
> 
> Regards,
> 
> Tom
> 

Regards,
Deepak


* Re: Attention users of network IPMI
  2018-03-29 13:26 ` Deepak Kodihalli
@ 2018-03-29 16:18   ` Alexander Amelkin
  2018-03-29 16:37     ` Emily Shaffer
  2018-04-10  2:57   ` Stewart Smith
  1 sibling, 1 reply; 6+ messages in thread
From: Alexander Amelkin @ 2018-03-29 16:18 UTC (permalink / raw)
  To: openbmc

On Thu, Mar 29, 2018 at 06:56:00PM +0530, Deepak Kodihalli wrote:
> On 29/03/18 2:53 pm, Tom Joseph wrote:
> >Hello,
> >
> >Based on  feedback from the team writing management scripts for OpenBMC.
> >There is a suggestion to
> >support the "-U" parameter when running the IPMI over network, to keep the
> >script consistent across
> >multiple BMC implementations.
> >
> >The support currently in  OpenBMC for the IPMI user accounts is the
> >nameless account and the -U option
> >is not needed and only the -P option is needed. With the proposed change,
> >"-U admin" is needed, for the
> 
> This would break current users based on a nameless account. So I suppose
> that you'd have to still support a nameless account.

Sure. IPMI specification clearly states for Set User Access command that
"if implemented, this command must support at least the null user".

> >session setup to succeed. "root"  username was not preferred so that the
> >user does not get confused with the
> >linux user account.
> >
> >IPMITool usage with the proposed change:
> >
> >ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>

Just a note. IMO, the password for IPMI users must be the same as for
system users, and preferably verified using pam as well.

IPMI defines user privileges (user, operator, administrator, oem
proprietary privileges), and I think we need to support them. I'd do that via
standard user groups.  The root username may still be available with
'administrator' privilege level (user 'root' included into 'admin' group).
That way we can rely on standard means for authentication and filesystem
permissions, and maybe have some pam plugin for interaction with phosphor
(e.g. to check whether a user is disabled).

I'd also say that Get Device ID must work without password for anonymous
user for ease of IPMI-enabled device discovery, but that again may break
the existing setups using anonymous user with a password, and I can't find
anything in IPMI v2.0 specification on authentication requirements for Get
Device ID (if I was writing the spec, I'd demand absence of authentication
for that command).

Alexander.


* Re: Attention users of network IPMI
  2018-03-29 16:18   ` Alexander Amelkin
@ 2018-03-29 16:37     ` Emily Shaffer
  2018-03-29 17:27       ` Brad Bishop
  0 siblings, 1 reply; 6+ messages in thread
From: Emily Shaffer @ 2018-03-29 16:37 UTC (permalink / raw)
  To: Alexander Amelkin; +Cc: openbmc


On Thu, Mar 29, 2018 at 9:19 AM Alexander Amelkin <a.amelkin@yadro.com>
wrote:

> On Thu, Mar 29, 2018 at 06:56:00PM +0530, Deepak Kodihalli wrote:
> > On 29/03/18 2:53 pm, Tom Joseph wrote:
> > >Hello,
> > >
> > >Based on  feedback from the team writing management scripts for OpenBMC.
> > >There is a suggestion to
> > >support the "-U" parameter when running the IPMI over network, to keep the
> > >script consistent across
> > >multiple BMC implementations.
> > >
> > >The support currently in  OpenBMC for the IPMI user accounts is the
> > >nameless account and the -U option
> > >is not needed and only the -P option is needed. With the proposed change,
> > >"-U admin" is needed, for the
> >
> > This would break current users based on a nameless account. So I suppose
> > that you'd have to still support a nameless account.
>
> Sure. IPMI specification clearly states for Set User Access command that
> "if implemented, this command must support at least the null user".
>
> > >session setup to succeed. "root"  username was not preferred so that the
> > >user does not get confused with the
> > >linux user account.
> > >
> > >IPMITool usage with the proposed change:
> > >
> > >ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>
>
> Just a note. IMO, the password for IPMI users must be the same as for
> system users, and preferably verified using pam as well.
>

Seconded - I'd probably suggest PAM as a bare minimum.


>
> IPMI defines user privileges (user, operator, administrator, oem
> proprietary privileges), and I think we need to support them. I'd do that via
> standard user groups.  The root username may still be available with
> 'administrator' privilege level (user 'root' included into 'admin' group).
> That way we can rely on standard means for authentication and filesystem
> permissions, and maybe have some pam plugin for interaction with phosphor
> (e.g. to check whether a user is disabled).
>

I thought Intel (Ed?) was working on something related to this.  Could
someone comment?


>
> I'd also say that Get Device ID must work without password for anonymous
> user for ease of IPMI-enabled device discovery, but that again may break
> the existing setups using anonymous user with a password, and I can't find
> anything in IPMI v2.0 specification on authentication requirements for Get
> Device ID (if I was writing the spec, I'd demand absence of authentication
> for that command).
>
> Alexander.
>


* Re: Attention users of network IPMI
  2018-03-29 16:37     ` Emily Shaffer
@ 2018-03-29 17:27       ` Brad Bishop
  0 siblings, 0 replies; 6+ messages in thread
From: Brad Bishop @ 2018-03-29 17:27 UTC (permalink / raw)
  To: Emily Shaffer; +Cc: Alexander Amelkin, openbmc


> On Mar 29, 2018, at 12:37 PM, Emily Shaffer <emilyshaffer@google.com> wrote:
> On Thu, Mar 29, 2018 at 9:19 AM Alexander Amelkin <a.amelkin@yadro.com> wrote:
> IPMI defines user privileges (user, operator, administrator, oem
> proprietary privileges), and I think we need to support them. I'd do that via
> standard user groups.  The root username may still be available with
> 'administrator' privilege level (user 'root' included into 'admin' group).
> That way we can rely on standard means for authentication and filesystem
> permissions, and maybe have some pam plugin for interaction with phosphor
> (e.g. to check whether a user is disabled).
> 
> I thought Intel (Ed?) was working on something related to this.  Could someone comment?

There is this:

https://gerrit.openbmc-project.xyz/#/c/8440/

and these:
https://lists.ozlabs.org/pipermail/openbmc/2018-February/010742.html
https://lists.ozlabs.org/pipermail/openbmc/2018-January/thread.html#10344
https://lists.ozlabs.org/pipermail/openbmc/2017-December/thread.html#10054

None of this has seen much activity lately.  I’d encourage everyone to
leave feedback in the proposal made by Richard and/or to carry that
proposal forward.


* Re: Attention users of network IPMI
  2018-03-29 13:26 ` Deepak Kodihalli
  2018-03-29 16:18   ` Alexander Amelkin
@ 2018-04-10  2:57   ` Stewart Smith
  1 sibling, 0 replies; 6+ messages in thread
From: Stewart Smith @ 2018-04-10  2:57 UTC (permalink / raw)
  To: Deepak Kodihalli, tomjose; +Cc: openbmc

Deepak Kodihalli <dkodihal@linux.vnet.ibm.com> writes:
> On 29/03/18 2:53 pm, Tom Joseph wrote:
>> Hello,
>> 
>> Based on  feedback from the team writing management scripts for OpenBMC. 
>> There is a suggestion to
>> support the "-U" parameter when running the IPMI over network, to keep 
>> the script consistent across
>> multiple BMC implementations.
>> 
>> The support currently in  OpenBMC for the IPMI user accounts is the 
>> nameless account and the -U option
>> is not needed and only the -P option is needed. With the proposed 
>> change, "-U admin" is needed, for the
>
> This would break current users based on a nameless account. So I suppose 
> that you'd have to still support a nameless account.

For current OpenPOWER systems, it's only IBM FSP machines and OpenBMC
that have a nameless account. Both SuperMicro and AMI BMCs require
usernames, so any scripts targeting OpenPOWER systems need to deal with
both situations.

But maintaining backwards compatibility with existing openbmc ipmi
implementations is also a good thing.

-- 
Stewart Smith
OPAL Architect, IBM.
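
The point made in this thread, that management scripts have to cope with both nameless and named IPMI accounts, shown as an added example that is not part of the thread or of OpenBMC's code: a POSIX shell wrapper that passes `-U` only for BMCs with a configured username. The inventory hosts and the function names are constructed for illustration, and the password is read from the `IPMI_PASSWORD` environment variable through ipmitool's `-E` option instead of the `-P` form used in the thread, so it is not passed on the command line.

```shell
#!/bin/sh
# Constructed inventory (placeholder hosts), one "host|username" per line.
# An empty username means the BMC uses the nameless (null) IPMI account.
INVENTORY='bmc-nameless.example|
bmc-named.example|admin'

# Binary to invoke; overridable so the wrapper can be exercised offline.
IPMITOOL=${IPMITOOL:-ipmitool}

# Print the username configured for host $1.
# Fails for hosts that are not listed, so an unknown BMC is never
# silently treated as a nameless-account BMC.
ipmi_user_for() (
    while IFS='|' read -r h u; do
        if [ "$h" = "$1" ]; then
            printf '%s' "$u"
            exit 0
        fi
    done <<EOF
$INVENTORY
EOF
    exit 1
)

# ipmi_run HOST CMD...  runs an ipmitool command over lanplus.
# -U is added only when a username is configured for the host.
# -E makes ipmitool take the password from $IPMI_PASSWORD.
ipmi_run() {
    host=$1
    shift
    user=$(ipmi_user_for "$host") || {
        echo "unknown BMC: $host" >&2
        return 2
    }
    if [ -n "$user" ]; then
        set -- -U "$user" -E "$@"
    else
        set -- -E "$@"
    fi
    "$IPMITOOL" -I lanplus -H "$host" "$@"
}
```

With `IPMI_PASSWORD` exported, `ipmi_run bmc-named.example chassis status` and `ipmi_run bmc-nameless.example chassis status` use the same calling convention for both kinds of BMC.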
