* Attention users of network IPMI
From: Tom Joseph @ 2018-03-29 9:23 UTC
To: OpenBMC Maillist
Cc: Vernon Mauery, Emily Shaffer, Stewart Smith, Andrew Geissler

Hello,

Based on feedback from the team writing management scripts for OpenBMC, there is a suggestion to support the "-U" parameter when running the IPMI over network, to keep the script consistent across multiple BMC implementations.

The support currently in OpenBMC for the IPMI user accounts is the nameless account and the -U option is not needed and only the -P option is needed. With the proposed change, "-U admin" is needed, for the session setup to succeed. "root" username was not preferred so that the user does not get confused with the linux user account.

IPMITool usage with the proposed change:

ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>

https://gerrit.openbmc-project.xyz/#/c/9643/

Regards,
Tom

* Re: Attention users of network IPMI
From: Deepak Kodihalli @ 2018-03-29 13:26 UTC
To: tomjose
Cc: openbmc

On 29/03/18 2:53 pm, Tom Joseph wrote:
> Hello,
>
> Based on feedback from the team writing management scripts for OpenBMC,
> there is a suggestion to support the "-U" parameter when running the IPMI
> over network, to keep the script consistent across multiple BMC
> implementations.
>
> The support currently in OpenBMC for the IPMI user accounts is the
> nameless account and the -U option is not needed and only the -P option
> is needed. With the proposed change, "-U admin" is needed, for the

This would break current users based on a nameless account. So I suppose that you'd have to still support a nameless account.

> session setup to succeed. "root" username was not preferred so that the
> user does not get confused with the linux user account.
>
> IPMITool usage with the proposed change:
>
> ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>
>
> https://gerrit.openbmc-project.xyz/#/c/9643/
>
> Regards,
>
> Tom
>

Regards,
Deepak

* Re: Attention users of network IPMI
From: Alexander Amelkin @ 2018-03-29 16:18 UTC
To: openbmc@lists.ozlabs.org

On Thu, Mar 29, 2018 at 06:56:00PM +0530, Deepak Kodihalli wrote:
> On 29/03/18 2:53 pm, Tom Joseph wrote:
> >Hello,
> >
> >Based on feedback from the team writing management scripts for OpenBMC,
> >there is a suggestion to support the "-U" parameter when running the IPMI
> >over network, to keep the script consistent across multiple BMC
> >implementations.
> >
> >The support currently in OpenBMC for the IPMI user accounts is the
> >nameless account and the -U option is not needed and only the -P option
> >is needed. With the proposed change, "-U admin" is needed, for the
>
> This would break current users based on a nameless account. So I suppose
> that you'd have to still support a nameless account.

Sure. IPMI specification clearly states for Set User Access command that "if implemented, this command must support at least the null user".

> >session setup to succeed. "root" username was not preferred so that the
> >user does not get confused with the linux user account.
> >
> >IPMITool usage with the proposed change:
> >
> >ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>

Just a note. IMO, the password for IPMI users must be the same as for system users, and preferably verified using pam as well.

IPMI defines user privileges (user, operator, administrator, oem proprietary privileges), and I think we need to support them. I'd do that via standard user groups. The root username may still be available with 'administrator' privilege level (user 'root' included into 'admin' group). That way we can rely on standard means for authentication and filesystem permissions, and maybe have some pam plugin for interaction with phosphor (e.g. to check whether a user is disabled).

I'd also say that Get Device ID must work without password for anonymous user for ease of IPMI-enabled device discovery, but that again may break the existing setups using anonymous user with a password, and I can't find anything in IPMI v2.0 specification on authentication requirements for Get Device ID (if I was writing the spec, I'd demand absence of authentication for that command).

Alexander.

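Added illustration, not code from OpenBMC or from any participant in this thread: one way the group-based privilege mapping proposed in the message above could be resolved once the password has already been verified. The group names `ipmi-user` and `ipmi-operator`, the `Account` type, the function names and the sample accounts are assumptions made for the example; the numeric levels are the IPMI v2.0 privilege values.

```python
from dataclasses import dataclass

# IPMI v2.0 session privilege levels (numeric values from the specification).
CALLBACK, USER, OPERATOR, ADMINISTRATOR, OEM = 1, 2, 3, 4, 5

# Group-to-privilege table. Only the 'admin' group is named in the thread;
# 'ipmi-user' and 'ipmi-operator' are hypothetical names for this example.
GROUP_PRIVILEGE = {
    "ipmi-user": USER,
    "ipmi-operator": OPERATOR,
    "admin": ADMINISTRATOR,
}


@dataclass(frozen=True)
class Account:
    name: str                 # "" stands for the IPMI null (nameless) user
    groups: frozenset
    disabled: bool = False


def privilege_limit(account):
    """Highest IPMI privilege any of the account's groups grants (0 = none)."""
    return max((GROUP_PRIVILEGE.get(g, 0) for g in account.groups), default=0)


def authorize_session(accounts, username, requested):
    """Return the privilege level for the session, or None to refuse it.

    Runs after the password check. Refusing a request above the limit,
    rather than capping it, is a fail-closed choice made for this example.
    """
    account = accounts.get(username)
    if account is None or account.disabled:
        return None
    if not CALLBACK <= requested <= OEM:
        return None
    return requested if requested <= privilege_limit(account) else None


# Constructed sample accounts, not taken from any real BMC.
ACCOUNTS = {a.name: a for a in (
    Account("", frozenset({"admin"})),            # nameless user kept for old scripts
    Account("admin", frozenset({"admin"})),
    Account("root", frozenset({"admin", "root"})),
    Account("monitor", frozenset({"ipmi-user"})),
    Account("retired", frozenset({"ipmi-operator"}), disabled=True),
    Account("shellonly", frozenset({"users"})),   # system user with no IPMI group
)}
```

A system account with no IPMI group (`shellonly`) and a disabled account (`retired`) are both refused at every level, so adding a Linux user does not by itself grant network IPMI access.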
* Re: Attention users of network IPMI
From: Emily Shaffer @ 2018-03-29 16:37 UTC
To: Alexander Amelkin
Cc: openbmc@lists.ozlabs.org

On Thu, Mar 29, 2018 at 9:19 AM Alexander Amelkin <a.amelkin@yadro.com> wrote:
> On Thu, Mar 29, 2018 at 06:56:00PM +0530, Deepak Kodihalli wrote:
> > On 29/03/18 2:53 pm, Tom Joseph wrote:
> > >Hello,
> > >
> > >Based on feedback from the team writing management scripts for OpenBMC,
> > >there is a suggestion to support the "-U" parameter when running the
> > >IPMI over network, to keep the script consistent across multiple BMC
> > >implementations.
> > >
> > >The support currently in OpenBMC for the IPMI user accounts is the
> > >nameless account and the -U option is not needed and only the -P option
> > >is needed. With the proposed change, "-U admin" is needed, for the
> >
> > This would break current users based on a nameless account. So I suppose
> > that you'd have to still support a nameless account.
>
> Sure. IPMI specification clearly states for Set User Access command that
> "if implemented, this command must support at least the null user".
>
> > >session setup to succeed. "root" username was not preferred so that the
> > >user does not get confused with the linux user account.
> > >
> > >IPMITool usage with the proposed change:
> > >
> > >ipmitool -I lanplus -H x.x.x.x -U admin -P 0penBmc <cmd>
>
> Just a note. IMO, the password for IPMI users must be the same as for
> system users, and preferably verified using pam as well.
>

Seconded - I'd probably suggest PAM as a bare minimum..

>
> IPMI defines user privileges (user, operator, administrator, oem
> proprietary privileges), and I think we need to support them. I'd do that
> via standard user groups. The root username may still be available with
> 'administrator' privilege level (user 'root' included into 'admin' group).
> That way we can rely on standard means for authentication and filesystem
> permissions, and maybe have some pam plugin for interaction with phosphor
> (e.g. to check whether a user is disabled).
>

I thought Intel (Ed?) was working on something related to this. Could someone comment?

>
> I'd also say that Get Device ID must work without password for anonymous
> user for ease of IPMI-enabled device discovery, but that again may break
> the existing setups using anonymous user with a password, and I can't find
> anything in IPMI v2.0 specification on authentication requirements for Get
> Device ID (if I was writing the spec, I'd demand absence of authentication
> for that command).
>
> Alexander.
>

* Re: Attention users of network IPMI
From: Brad Bishop @ 2018-03-29 17:27 UTC
To: Emily Shaffer
Cc: Alexander Amelkin, openbmc@lists.ozlabs.org

> On Mar 29, 2018, at 12:37 PM, Emily Shaffer <emilyshaffer@google.com> wrote:
> On Thu, Mar 29, 2018 at 9:19 AM Alexander Amelkin <a.amelkin@yadro.com> wrote:
> IPMI defines user privileges (user, operator, administrator, oem
> proprietary privileges), and I think we need to support them. I'd do that via
> standard user groups. The root username may still be available with
> 'administrator' privilege level (user 'root' included into 'admin' group).
> That way we can rely on standard means for authentication and filesystem
> permissions, and maybe have some pam plugin for interaction with phosphor
> (e.g. to check whether a user is disabled).
>
> I thought Intel (Ed?) was working on something related to this. Could someone comment?

There is this:

https://gerrit.openbmc-project.xyz/#/c/8440/

and these:

https://lists.ozlabs.org/pipermail/openbmc/2018-February/010742.html
https://lists.ozlabs.org/pipermail/openbmc/2018-January/thread.html#10344
https://lists.ozlabs.org/pipermail/openbmc/2017-December/thread.html#10054

None of this has seen much activity lately. I’d encourage everyone to leave feedback in the proposal made by Richard and/or to carry that proposal forward.

* Re: Attention users of network IPMI
From: Stewart Smith @ 2018-04-10 2:57 UTC
To: Deepak Kodihalli, tomjose
Cc: openbmc

Deepak Kodihalli <dkodihal@linux.vnet.ibm.com> writes:
> On 29/03/18 2:53 pm, Tom Joseph wrote:
>> Hello,
>>
>> Based on feedback from the team writing management scripts for OpenBMC,
>> there is a suggestion to support the "-U" parameter when running the IPMI
>> over network, to keep the script consistent across multiple BMC
>> implementations.
>>
>> The support currently in OpenBMC for the IPMI user accounts is the
>> nameless account and the -U option is not needed and only the -P option
>> is needed. With the proposed change, "-U admin" is needed, for the
>
> This would break current users based on a nameless account. So I suppose
> that you'd have to still support a nameless account.

For current OpenPOWER systems, it's only IBM FSP machines and OpenBMC that have a nameless account. Both SuperMicro and AMI BMCs require usernames, so any scripts targeting OpenPOWER systems need to deal with both situations.

But maintaining backwards compatibility with existing openbmc ipmi implementations is also a good thing.

--
Stewart Smith
OPAL Architect, IBM.