Date: Wed, 2 Mar 2011 19:46:35 -0500
From: Maxim Khitrov <max@mxcrypt.com>
To: Nerius Landys <nlandys@gmail.com>
Cc: David Brodbeck <gull@gull.us>, freebsd-questions@freebsd.org
Subject: Re: Finish upgrading remote server without physically being there?
Message-ID: <AANLkTinxrxpp%2B8Ytm29cGD8K3aZF0tdfCo9npubeNnSh@mail.gmail.com>
In-Reply-To: <AANLkTimFGN72u1NVc74=c0DS-eNQHj-iSCAKFz51rZGj@mail.gmail.com>
References: <AANLkTin39JjTsts2WwgDUV2QfZL745D0P3DqTkko8TFq@mail.gmail.com> <4D6E6B16.7010508@my.gd> <AANLkTin7sHXsLwBBUmHinDaB3FLOH25_CDy4v82gKFjw@mail.gmail.com> <AANLkTikq1-CKnwHRahTE%2BTa5KLP=8qpUG8WzBrpP=d8n@mail.gmail.com> <AANLkTikFNnV-V82Ucncy_cM0VwiNif6r8DHB9DfMDNvC@mail.gmail.com> <AANLkTi=5YXqgyy_%2BSMdYof3Y3neaatoC7C0sb-tdhxkX@mail.gmail.com> <AANLkTikj7-wXv3vErm6oOOXvPZEPCaqVEjnHWfycin7z@mail.gmail.com> <AANLkTimFGN72u1NVc74=c0DS-eNQHj-iSCAKFz51rZGj@mail.gmail.com>

On Wed, Mar 2, 2011 at 7:10 PM, Nerius Landys <nlandys@gmail.com> wrote:
>> I just got a new Supermicro Atom board a few days ago (X7SPA-HF-D525).
>> It has a Nuvoton BMC chip that is attached to LAN1 and provides IPMI
>> and KVM-over-IP functionality. The chip gets its own IP address
>> (separate from em0 in FreeBSD) and is powered whenever the power cord
>> is plugged-in.
>>
>> As a result, you have some really useful functionality such as power
>> control (turn the server on/off remotely), access to sensors (MB & CPU
>> temperatures, voltages, chassis intrusion), text console, and KVM
>> console.
>>
>> KVM console is accessed using a Java application that has to be
>> installed on the client. It's pretty much identical to having a
>> physical monitor and keyboard attached, in that you can control the
>> system from the moment that it turns on, including going into BIOS.
>> The only glitch I found so far is that the connection freezes for a
>> few seconds while FreeBSD initializes em0 during boot. After that
>> everything is fine.
>
> That's really neat. How do you configure the LAN on that chip? For
> example, how do you specify the IP address, gateway, netmask, etc? Is
> this done in the BIOS? So you would normally have at least 2 IPs for
> the server - one for em0 and one for the special chip? Is this a
> separate ethernet jack? Also, what about being more vulnerable - I
> mean, it's an added way of compromising your system, right? Getting
> in through the KVM-over-IP?

The initial IP configuration is done through the BIOS. After that, you
can use the IPMI View application to change the network settings
remotely. The physical Ethernet jack is the same as em0, so yes, it
has two separate IPs assigned to it, though the OS is only aware of
one. There are some other implementations (e.g. Dell's iDRAC 6
enterprise) where the management interface is physically separate.

On this Supermicro board, the interface supports VLAN tagging, so you
can use that to achieve some separation. Otherwise, you're right about
vulnerability. You have username/password authentication and the
session is encrypted using aes-cbc-128 cipher. Even with this, I
wouldn't feel comfortable exposing this port to the outside world. As
it happens, this system will be my new firewall, so em0 will be my lan
and em1 is wan.

- Max