Date:      Wed, 28 Mar 2018 10:58:36 -0400
From:      "James B. Byrne" <byrnejb@harte-lyne.ca>
To:        "Paul Mather" <freebsd-lists@gromit.dlib.vt.edu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipmitool and SuperMicro SYS-5027R-WRF
Message-ID:  <078b2ac398fbd0aaf3f071c2c50c1984.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <EE1D798F-D093-4DC3-9168-D9C583C38BAA@gromit.dlib.vt.edu>
References:  <mailman.95.1522152002.64790.freebsd-questions@freebsd.org> <EE1D798F-D093-4DC3-9168-D9C583C38BAA@gromit.dlib.vt.edu>

On Tue, March 27, 2018 09:58, Paul Mather wrote:

>
>
> Actually, graphical console redirection still works for me.  I have to
> download the .jnlp file and then use "javaws /path/to/file.jnlp" via a
> terminal window to fire up the graphical console viewer.  This works
> for me most recently using Java 9 and Java 10 on a macOS client.
> Note, the stricter security settings of the later Java runtimes mean
> you have to whitelist the IPMI URLs otherwise the viewer will refuse
> to run because the application is self-signed.
>
> Note, I can also see/access BIOS settings via SOL when using ipmitool,
> too.  (That's why I set the preference to serial console.)
>
> I hope this helps.
>
> Cheers,
>
> Paul.

We have made some progress overnight thanks to several suggestions and
clues, and the rediscovery of a security brief named "Sold Down the
River" which details the security issues inherent in BMC.

It turns out that UDP port 623 was blocked by our firewall, which is
why we could not get a connection with ipmitool.  Removing that
impediment simply revealed that we could connect but not log on. This
problem appears to be caused by the excessive (to SM) lengths of our
passwords.

The evidence for this comes from empirical observation.  We created a
new test user with administrative capabilities on the SuperMicro using
the web interface.  The web i/f works for anything that does not
require java.  We then gave this test user an eight character
password.  With this user we can now login using ipmitool:

ipmitool -H "$IHOST" -U "$IUSER" -I lanplus sol info 1
Password:
Set in progress                 : set-complete
Enabled                         : true
Force Encryption                : false
Force Authentication            : false
Privilege Level                 : USER
Character Accumulate Level (ms) : 0
Character Send Threshold        : 0
Retry Count                     : 0
Retry Interval (ms)             : 0
Volatile Bit Rate (kbps)        : 115.2
Non-Volatile Bit Rate (kbps)    : 115.2
Payload Channel                 : 1 (0x01)
Payload Port                    : 623


Using the existing admin account and password gives us this result:

ipmitool -H "$IHOST" -U "$IUSER" -I lanplus sol info 1
Password:
Error: Unable to establish IPMI v2 / RMCP+ session

Strangely, the web i/f has no problem with long passwords. Otherwise
we would not be able to log on there either.

Nonetheless, despite being able to connect and log on, we still cannot
get a working remote console:

# ipmitool -H "$IHOST" -U "$IUSER" -I lanplus sol activate
Password:
[SOL Session operational.  Use ~? for help]

At this point the local client terminal session becomes non-responsive
and as of writing this no means of regaining control of the session
has been discovered.

Our /boot/loader.conf contains this:

geli_ada1p4_keyfile0_load="YES"
geli_ada1p4_keyfile0_type="ada1p4:geli_keyfile0"
geli_ada1p4_keyfile0_name="/boot/encryption.key"
geli_ada2p4_keyfile0_load="YES"
geli_ada2p4_keyfile0_type="ada2p4:geli_keyfile0"
geli_ada2p4_keyfile0_name="/boot/encryption.key"
geli_ada3p4_keyfile0_load="YES"
geli_ada3p4_keyfile0_type="ada3p4:geli_keyfile0"
geli_ada3p4_keyfile0_name="/boot/encryption.key"
aesni_load="YES"
geom_eli_load="YES"
geom_eli_passphrase_prompt="YES"
vfs.root.mountfrom="zfs:zroot/ROOT/default"
kern.geom.label.gptid.enable="0"
zpool_cache_load="YES"
zpool_cache_type="/boot/zfs/zpool.cache"
zpool_cache_name="/boot/zfs/zpool.cache"
zfs_load="YES"
vmn_load="YES"
nmdm_load="YES"
if_bridge_load="YES"
if_tap_load="YES"
# Testing settings for IPMI Serial Over LAN console
boot_multicons="YES"

I infer that we are missing some necessary settings here.

These are recommended as necessary:

comconsole_speed=115200
comconsole_port=0x2F8
console="comconsole,vidconsole"

However, I do not know what the value for comconsole_port=0x2F8 means,
or how it is obtained. I would like an explanation of what this
setting does and how I would determine the correct value for our
system if different.

Thanks,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
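
Added example, not part of the original message: comconsole_port is the base I/O port address of the UART the loader uses as its serial console, and 0x2F8 is the conventional PC address of COM2 (COM1 is 0x3F8). The script below reads the base port of a given uart unit from FreeBSD boot messages and prints matching loader.conf lines. The dmesg lines are constructed, the function names are hypothetical, and unit 1 is an assumption: which UART the BMC redirects to SOL is set in the BIOS. The speed 115200 matches the 115.2 kbps SOL bit rate shown in the message.

```sh
#!/bin/sh
# Constructed sample of FreeBSD boot messages (not from the poster's machine).
SAMPLE_DMESG='uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0
uart2: <16550 or compatible> port 0x3e8-0x3ef irq 5 on acpi0'

# uart_base UNIT: read dmesg text on stdin, print the base I/O port of uartUNIT.
uart_base() {
    sed -n "s/^uart$1: .* port \(0x[0-9a-fA-F]*\)-0x[0-9a-fA-F]* .*/\1/p" | head -n 1
}

# legacy_name PORT: conventional PC name for a base port, if it has one.
legacy_name() {
    case "$1" in
        0x3[fF]8) echo COM1 ;;
        0x2[fF]8) echo COM2 ;;
        0x3[eE]8) echo COM3 ;;
        0x2[eE]8) echo COM4 ;;
        *)        echo non-legacy ;;
    esac
}

# console_conf UNIT SPEED: read dmesg text on stdin and print loader.conf
# lines for a serial console on uartUNIT; fails if that unit was not probed.
console_conf() {
    base=$(uart_base "$1")
    if [ -z "$base" ]; then
        echo "uart$1 not found in boot messages" >&2
        return 1
    fi
    echo "# uart$1 at $base ($(legacy_name "$base"))"
    echo 'boot_multicons="YES"'
    echo "comconsole_port=\"$base\""
    echo "comconsole_speed=\"$2\""
    echo 'console="comconsole,vidconsole"'
}

# On a live host: dmesg | console_conf 1 115200
printf '%s\n' "$SAMPLE_DMESG" | console_conf 1 115200
```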
