Date: Wed, 28 Mar 2018 10:58:36 -0400
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: "Paul Mather" <freebsd-lists@gromit.dlib.vt.edu>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipmitool and SuperMicro SYS-5027R-WRF
Message-ID: <078b2ac398fbd0aaf3f071c2c50c1984.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <EE1D798F-D093-4DC3-9168-D9C583C38BAA@gromit.dlib.vt.edu>
References: <mailman.95.1522152002.64790.freebsd-questions@freebsd.org> <EE1D798F-D093-4DC3-9168-D9C583C38BAA@gromit.dlib.vt.edu>

On Tue, March 27, 2018 09:58, Paul Mather wrote:
>
> Actually, graphical console redirection still works for me. I have to
> download the .jnlp file and then use "javaws /path/to/file.jnlp" via a
> terminal window to fire up the graphical console viewer. This works
> for me most recently using Java 9 and Java 10 on a macOS client.
> Note, the stricter security settings of the later Java runtimes mean
> you have to whitelist the IPMI URLs otherwise the viewer will refuse
> to run because the application is self-signed.
>
> Note, I can also see/access BIOS settings via SOL when using ipmitool,
> too. (That's why I set the preference to serial console.)
>
> I hope this helps.
>
> Cheers,
>
> Paul.

We have made some progress overnight thanks to several suggestions and
clues, and the rediscovery of a security brief named "Sold Down the
River" which details the security issues inherent in BMC.

It turns out that UDP port 623 was blocked by our firewall, which is
why we could not get a connection with ipmitool. Removing that
impediment simply revealed that we could connect but not log on.

This problem appears to be caused by the excessive (to SM) lengths of
our passwords. The evidence for this comes from empirical observation.
We created a new test user with administrative capabilities on the
SuperMicro using the web interface. The web i/f works for anything
that does not require java. We then gave this test user an eight
character password.
With this user we can now log in using ipmitool:

ipmitool -H "$IHOST" -U "$IUSER" -I lanplus sol info 1
Password:
Set in progress                 : set-complete
Enabled                         : true
Force Encryption                : false
Force Authentication            : false
Privilege Level                 : USER
Character Accumulate Level (ms) : 0
Character Send Threshold        : 0
Retry Count                     : 0
Retry Interval (ms)             : 0
Volatile Bit Rate (kbps)        : 115.2
Non-Volatile Bit Rate (kbps)    : 115.2
Payload Channel                 : 1 (0x01)
Payload Port                    : 623

Using the existing admin account and password gives us this result:

ipmitool -H "$IHOST" -U "$IUSER" -I lanplus sol info 1
Password:
Error: Unable to establish IPMI v2 / RMCP+ session

Strangely, the web i/f has no problem with long passwords. Otherwise
we would not be able to log on there either.

Nonetheless, despite being able to connect and log on, we still cannot
get a working remote console:

# ipmitool -H "$IHOST" -U "$IUSER" -I lanplus sol activate
Password:
[SOL Session operational.  Use ~? for help]

At this point the local client terminal session becomes non-responsive
and as of writing this no means of regaining control of the session
has been discovered.

Our /boot/loader.conf contains this:

geli_ada1p4_keyfile0_load="YES"
geli_ada1p4_keyfile0_type="ada1p4:geli_keyfile0"
geli_ada1p4_keyfile0_name="/boot/encryption.key"
geli_ada2p4_keyfile0_load="YES"
geli_ada2p4_keyfile0_type="ada2p4:geli_keyfile0"
geli_ada2p4_keyfile0_name="/boot/encryption.key"
geli_ada3p4_keyfile0_load="YES"
geli_ada3p4_keyfile0_type="ada3p4:geli_keyfile0"
geli_ada3p4_keyfile0_name="/boot/encryption.key"
aesni_load="YES"
geom_eli_load="YES"
geom_eli_passphrase_prompt="YES"
vfs.root.mountfrom="zfs:zroot/ROOT/default"
kern.geom.label.gptid.enable="0"
zpool_cache_load="YES"
zpool_cache_type="/boot/zfs/zpool.cache"
zpool_cache_name="/boot/zfs/zpool.cache"
zfs_load="YES"
vmn_load="YES"
nmdm_load="YES"
if_bridge_load="YES"
if_tap_load="YES"
# Testing settings for IPMI Serial Over LAN console
boot_multicons="YES"

I infer that we are missing some necessary settings here. These are
recommended as necessary:

comconsole_speed=115200
comconsole_port=0x2F8
console="comconsole,vidconsole"

However, I do not know what the value for comconsole_port=0x2F8 means,
or how it is obtained. I would like an explanation of what this
setting does and how I would determine the correct value for our
system if different.

Thanks,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3