Menu
▾
▴
Re: [Ipmitool-devel] Reg issue with password having 16 bytes [ID:3184687]
|
From: Duncan I. <dun...@gm...> - 2012-05-01 11:12:22
|
Jim, it is all right. Attached is v2 which covers user name longer than 16 bytes. I've also checked the code, again, and password length restrain will work for all three methods - cli, ask-pass, file. Let me know if we're done with this one, and I'll attach patch to SF.net ticket. Funny enough, I've found a bug by testing this. Reading password from file is limited only to 16byte passwords. I've logged SF.net ticket. As for 'user set password', don't think about it now. I think limiting password length is sufficient for now. I've logged feature request already, so it is noted and won't be forgotten. I don't think this is feature that has to make it into 1.8.12. I will eventually look at it, however I have nothing to test against nor I'm optimistic about many, if any, BMCs actually supporting 20 byte passwords. --Duncan On Mon, Apr 30, 2012 at 9:41 PM, Jim Mankovich <jm...@hp...> wrote: > Duncan, > > Your validation is reasonable for password "input" verification since the > input password is only > applicable to lan/lanplus. > > You were correct when you said that I was talking about the code which sets > the password. For that > case, we simply permit folks to specify up to 20 characters independent of > the interface or IPMI > version. > > When I looked at your changes I was thinking about password "set" > verification which is why I > my comments didn't make sense with regard to your changes. > > Sorry for the all the confusion. > > > -- Jim Mankovich | jm...@hp... -- > > > On 4/30/2012 2:39 PM, Duncan Idaho wrote: >> >> I'm probably have a very thick skull. Have any of you looked at the >> patch? Because I still feel like it handles what's described in the >> ticket. >> Anyway, I obviously fail to understand and thus I'm not correct person >> to fix it. Anyone else give it a go, please ;) >> >> --Duncan >> >> On Mon, Apr 30, 2012 at 8:33 PM, Andy Cress<and...@us...> >> wrote: >>> >>> Duncan, >>> >>> From the remote client (before it connects), you would verify that the >>> -P input is<= 20 characters. >>> Then after initiating the connection (GetChanAuthCap), you could detect >>> if it is IPMI 2.0 or not, and then be able to find out if it supports >>> 20-byte passwords. >>> >>> IPMI 1.5 and prior = only 16-byte passwords can be used >>> IPMI 2.0 = many vendors implement 20-byte passwords, but not all. >>> >>> To make it (much) simpler, just validate the input once at 20 >>> characters, and let it go through after that. The user has to know the >>> correct password anyway. >>> >>> Andy >>> >>> -----Original Message----- >>> From: Duncan Idaho [mailto:dun...@gm...] >>> Sent: Monday, April 30, 2012 4:10 PM >>> To: Jim Mankovich >>> Cc: ipm...@li...; Albert Chu >>> Subject: Re: [Ipmitool-devel] Reg issue with password having 16 bytes >>> [ID:3184687] >>> >>> Jim, >>> >>> I'm sorry, but I don't follow. What? I feel like you're talking about >>> setting password now, eg. % ipmitool user set password UID PASSWORD;. >>> I thought the issue is % ipmitool -P veryLongPassword -H myhost some >>> commands here ; And that's what patch should address. I haven't tried >>> password from file and via ask-pass, come to think of it, but I have >>> tested -P parameter. >>> >>> Please, elaborate your e-mail a bit more. I'm, well, confused. >>> >>> Thanks, >>> --Duncan >>> >>> On Mon, Apr 30, 2012 at 8:01 PM, Jim Mankovich<jm...@hp...> wrote: >>>> >>>> Duncan, >>>> >>>> After I looked at this I came to the realization that I had over >>> >>> simplified >>>> >>>> the 16 vrs 20 byte >>>> password to lan vrs lanplus, when in fact it is really an IPMI 1.5 vrs >>> >>> IPMI >>>> >>>> 2.0 issue. >>>> It is also possible to set a password via the /dev/ipmi interface so >>>> qualification of >>>> password length using the interface is not sufficient to cover all the >>>> cases. >>>> >>>> I believe doing this correctly will require password length >>> >>> verification >>>> >>>> based on the current >>>> IPMI version. >>>> >>>> This patch will ca >>>> >>>> -- Jim Mankovich | jm...@hp... -- >>>> >>>> >>>> >>>> On 4/28/2012 5:41 AM, Duncan Idaho wrote: >>>>> >>>>> Jim, >>>>> >>>>> attached is proposed solution to constrain password length to 16, >>>>> resp. 20, bytes when LAN, resp. LAN+, interface is used. >>>>> >>>>> Comments are, of course, welcome from anybody. >>>>> >>>>> --Duncan >>> >>> ------------------------------------------------------------------------ >>> ------ >>> Live Security Virtual Conference >>> Exclusive live event will cover all the ways today's security and >>> threat landscape has changed and how IT managers can respond. >>> Discussions >>> will include endpoint security, mobile security and the latest in >>> malware >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>> _______________________________________________ >>> Ipmitool-devel mailing list >>> Ipm...@li... >>> https://lists.sourceforge.net/lists/listinfo/ipmitool-devel >> >> > |