Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Solution Type: Problem Resolution Sure

Solution 1007716.1 : Sun Cobalt[TM] LX50: Passwords not used to authenticate user for remote access control

PreviouslyPublishedAs: 210690

Symptoms

The password is set under LAN Access Mode through the System Setup Utility (SSU)/Platform Event Manager (PEM). To manage the system, for example to power it off, one would use the following command:

    # IPMI_PASSWORD=<password> ipmitool -I lan -H <hostname_or_IP> -E chassis power off
    Chassis Power Control: Down/Off
    #

However, when a remote system with IPMItool installed is used to manage a system without specifying the password, changes are still made:

    # ipmitool -I lan -H <hostname_or_IP> -E chassis power on
    Unable to read password from environment.
    Chassis Power Control: Up/On
    #

Resolution

The issue is that the SSU does not set the correct authentication types for IPMI. This leaves the system open to remote control without supplying a password, simply by using authtype NONE. This happens when the password is set through the SSU, either by booting from the Service Partition or from the Diagnostic CD that accompanied the server.

Ideally, it is recommended not to use the SSU, but rather to use the /usr/share/ipmitool/bmclanconf script that comes with ipmitool, which prevents this from happening.

If the SSU was used in the setup of IPMI, then the authtypes need to be reset with IPMItool:

1. Determine the correct LAN channel. The "eth0" device can be either channel 6 or 7, depending on how the PCI devices are probed. To do this, log into the remote system and query "channel info" over the LAN interface. It should return the current channel number.

    # ipmitool -I lan -H <hostname_or_IP> -E channel info
    Channel 0x7 info:
      Channel Medium Type   : 802.3 LAN
      Channel Protocol Type : IPMB-1.0
      Session Support       : session-based
      Active Session Count  : 1
      Protocol Vendor ID    : 7154
      Volatile(active) Settings
        Alerting            : disabled
        Per-message Auth    : enabled
        User Level Auth     : disabled
        Access Mode         : always available
      Non-Volatile Settings
        Alerting            : disabled
        Per-message Auth    : enabled
        User Level Auth     : disabled
        Access Mode         : always available

2. Remove the NONE authtype option from all the different privilege levels by doing the following:

    # IPMI_PASSWORD=<password> ipmitool -I lan -H <hostname_or_IP> -E lan set 7 auth admin md2,md5
    # IPMI_PASSWORD=<password> ipmitool -I lan -H <hostname_or_IP> -E lan set 7 auth user md2,md5
    # IPMI_PASSWORD=<password> ipmitool -I lan -H <hostname_or_IP> -E lan set 7 auth operator md2,md5
    # IPMI_PASSWORD=<password> ipmitool -I lan -H <hostname_or_IP> -E lan set 7 auth callback md2,md5

This will remove the NONE authtype option from all the different privilege levels. Remote access control should now require a password.

Product: Sun LX50 Server

Internal Comments

This is a known issue with the Intel SSU. No current fix available from Intel.

IPMI, IPMItool, remote, control, SSU, LAN Access Mode, PEM, password

Previously Published As: 80597

Change History

2009-11-11 User Name: 79977 Action: Removed reference to V65x v60x
Date: 2005-03-21 User Name: 71396 Action: Approved Comment: Performed final review of article. Updated trademarking. Publishing. Version: 4
Date: 2005-03-14 User Name: 71396 Action: Accept Comment: Version: 0
Date: 2005-03-14 User Name: 32650 Action: Approved Comment: useful info to document, thanks Version: 0
Date: 2005-03-08 User Name: 32650 Action: Accept Comment: Version: 0
Date: 2005-03-08 User Name: 123022 Action: Approved Comment: Updated some wording used, also added path for bmclanconf script. Version: 0
Date: 2005-03-08 User Name: 75329 Action: Rejected Comment: Raymond asked for it to be sent back to him... Version: 0
Date: 2005-03-06 User Name: 75329 Action: Accept Comment: Version: 0
Date: 2005-03-04 User Name: 123022 Action: Approved Comment: IPMI ignoring password set on systems. Security related issue. Version: 0
Date: 2005-03-04 User Name: 123022 Action: Created Comment: Version: 0

Product_uuid: 3ec6b261-c75c-437c-85d9-2a441f74adc8|Sun LX50 Server

Attachments: This solution has no attachment
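
An added example, not part of the original Sun article: a shell check that reads "ipmitool lan print <channel>" output, lists the privilege levels whose Auth Type Enable row still includes NONE, and prints the reset command from step 2 of the Resolution for each one. The sample output is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit `ipmitool lan print <channel>` output for authtype NONE.

# Constructed sample output (not captured from a real LX50).
sample_lan_print() {
    cat <<'EOF'
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5
                        : User     : NONE MD2 MD5
                        : Operator : MD2 MD5
                        : Admin    : NONE MD2 MD5
                        : OEM      :
IP Address Source       : Static Address
EOF
}

# Reads lan-print text on stdin; prints each privilege level (lowercase)
# whose "Auth Type Enable" row still lists NONE.
none_enabled_levels() {
    awk '
        /^Auth Type Enable/ { in_block = 1 }
        in_block && !/^Auth Type Enable/ && !/^[ \t]+:/ { in_block = 0 }
        in_block {
            n = split($0, f, ":")
            if (n < 3) next
            level = f[n - 1]; types = f[n]
            gsub(/[ \t]/, "", level)
            if ((" " types " ") ~ /[ \t]NONE[ \t]/) print tolower(level)
        }'
}

# For each flagged level, prints the reset command from step 2.
# $1 = LAN channel, $2 = host; the password is read from IPMI_PASSWORD via -E.
remediation_commands() {
    channel=$1; host=$2
    none_enabled_levels | while read -r level; do
        case $level in
            admin|user|operator|callback)
                printf 'ipmitool -I lan -H %s -E lan set %s auth %s md2,md5\n' \
                    "$host" "$channel" "$level" ;;
        esac
    done
}

sample_lan_print | remediation_commands 7 '<hostname_or_IP>'
```

On a live system, pipe the real "lan print" output for the channel found in step 1 into none_enabled_levels; an empty result means no privilege level accepts NONE.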