Menu
▾
▴
Re: [Ipmitool-devel] Reg issue with password having 16 bytes [ID:3184687]
|
From: Duncan I. <dun...@gm...> - 2012-05-01 17:15:38
|
Great! Can we get back to patching ipmitool now? --Duncan On Tue, May 1, 2012 at 4:39 PM, Hank Bruning <ha...@jb...> wrote: > Jim, > It was working 5 years ago. Document the problem and submit it. > No big deal. > ha...@jb... > > > On Tue, May 1, 2012 at 12:18 PM, Jim Mankovich <jm...@hp...> wrote: >> >> Hank, >> >> I wasn't working on IPMI 5 years ago when this was all settled so I'm >> having >> to piece it together from bug reports on code someone else wrote and an >> industry standard specification. I'm just trying to help out the best I >> can. >> >> -- Jim Mankovich | jm...@hp... -- >> >> >> On 5/1/2012 5:42 AM, Hank Bruning wrote: >> >> Duncan, >> maybe you should use a different model in programming. Object Oriented vs >> Procedural. >> Make a class with a public API as below, It handles 16 and 20 bytes >> passwords with all the underling IPMI 2.0 cipher suits. >> >> >> http://www.jblade.com:8080/products/retuli/ipmiCx/doc/javadoc/com/jblade/lib/retuli/ipmi/std/session/JbIpmiRmcpSessionAccountPassword.html >> http://www.jblade.com/products/retuli/ipmiCx/RetuliIpmiCxOverview.jsf >> >> Gentleman, the discussion on passwords lengths is getting silly and >> stupid. This was settled 5 years ago independent of C++ vs Java by Intel. >> Hank Bruning >> JBlade >> >> >> On Tue, May 1, 2012 at 7:12 AM, Duncan Idaho <dun...@gm...> wrote: >>> >>> Jim, >>> >>> it is all right. Attached is v2 which covers user name longer than 16 >>> bytes. I've also checked the code, again, and password length restrain >>> will work for all three methods - cli, ask-pass, file. Let me know if >>> we're done with this one, and I'll attach patch to SF.net ticket. >>> Funny enough, I've found a bug by testing this. Reading password from >>> file is limited only to 16byte passwords. I've logged SF.net ticket. >>> >>> As for 'user set password', don't think about it now. I think limiting >>> password length is sufficient for now. I've logged feature request >>> already, so it is noted and won't be forgotten. I don't think this is >>> feature that has to make it into 1.8.12. >>> I will eventually look at it, however I have nothing to test against >>> nor I'm optimistic about many, if any, BMCs actually supporting 20 >>> byte passwords. >>> >>> --Duncan >>> >>> On Mon, Apr 30, 2012 at 9:41 PM, Jim Mankovich <jm...@hp...> wrote: >>> > Duncan, >>> > >>> > Your validation is reasonable for password "input" verification since >>> > the >>> > input password is only >>> > applicable to lan/lanplus. >>> > >>> > You were correct when you said that I was talking about the code which >>> > sets >>> > the password. For that >>> > case, we simply permit folks to specify up to 20 characters independent >>> > of >>> > the interface or IPMI >>> > version. >>> > >>> > When I looked at your changes I was thinking about password "set" >>> > verification which is why I >>> > my comments didn't make sense with regard to your changes. >>> > >>> > Sorry for the all the confusion. >>> > >>> > >>> > -- Jim Mankovich | jm...@hp... -- >>> > >>> > >>> > On 4/30/2012 2:39 PM, Duncan Idaho wrote: >>> >> >>> >> I'm probably have a very thick skull. Have any of you looked at the >>> >> patch? Because I still feel like it handles what's described in the >>> >> ticket. >>> >> Anyway, I obviously fail to understand and thus I'm not correct person >>> >> to fix it. Anyone else give it a go, please ;) >>> >> >>> >> --Duncan >>> >> >>> >> On Mon, Apr 30, 2012 at 8:33 PM, Andy Cress<and...@us...> >>> >> wrote: >>> >>> >>> >>> Duncan, >>> >>> >>> >>> From the remote client (before it connects), you would verify that >>> >>> the >>> >>> -P input is<= 20 characters. >>> >>> Then after initiating the connection (GetChanAuthCap), you could >>> >>> detect >>> >>> if it is IPMI 2.0 or not, and then be able to find out if it supports >>> >>> 20-byte passwords. >>> >>> >>> >>> IPMI 1.5 and prior = only 16-byte passwords can be used >>> >>> IPMI 2.0 = many vendors implement 20-byte passwords, but not all. >>> >>> >>> >>> To make it (much) simpler, just validate the input once at 20 >>> >>> characters, and let it go through after that. The user has to know >>> >>> the >>> >>> correct password anyway. >>> >>> >>> >>> Andy >>> >>> >>> >>> -----Original Message----- >>> >>> From: Duncan Idaho [mailto:dun...@gm...] >>> >>> Sent: Monday, April 30, 2012 4:10 PM >>> >>> To: Jim Mankovich >>> >>> Cc: ipm...@li...; Albert Chu >>> >>> Subject: Re: [Ipmitool-devel] Reg issue with password having 16 bytes >>> >>> [ID:3184687] >>> >>> >>> >>> Jim, >>> >>> >>> >>> I'm sorry, but I don't follow. What? I feel like you're talking about >>> >>> setting password now, eg. % ipmitool user set password UID PASSWORD;. >>> >>> I thought the issue is % ipmitool -P veryLongPassword -H myhost some >>> >>> commands here ; And that's what patch should address. I haven't tried >>> >>> password from file and via ask-pass, come to think of it, but I have >>> >>> tested -P parameter. >>> >>> >>> >>> Please, elaborate your e-mail a bit more. I'm, well, confused. >>> >>> >>> >>> Thanks, >>> >>> --Duncan >>> >>> >>> >>> On Mon, Apr 30, 2012 at 8:01 PM, Jim Mankovich<jm...@hp...> wrote: >>> >>>> >>> >>>> Duncan, >>> >>>> >>> >>>> After I looked at this I came to the realization that I had over >>> >>> >>> >>> simplified >>> >>>> >>> >>>> the 16 vrs 20 byte >>> >>>> password to lan vrs lanplus, when in fact it is really an IPMI 1.5 >>> >>>> vrs >>> >>> >>> >>> IPMI >>> >>>> >>> >>>> 2.0 issue. >>> >>>> It is also possible to set a password via the /dev/ipmi interface so >>> >>>> qualification of >>> >>>> password length using the interface is not sufficient to cover all >>> >>>> the >>> >>>> cases. >>> >>>> >>> >>>> I believe doing this correctly will require password length >>> >>> >>> >>> verification >>> >>>> >>> >>>> based on the current >>> >>>> IPMI version. >>> >>>> >>> >>>> This patch will ca >>> >>>> >>> >>>> -- Jim Mankovich | jm...@hp... -- >>> >>>> >>> >>>> >>> >>>> >>> >>>> On 4/28/2012 5:41 AM, Duncan Idaho wrote: >>> >>>>> >>> >>>>> Jim, >>> >>>>> >>> >>>>> attached is proposed solution to constrain password length to 16, >>> >>>>> resp. 20, bytes when LAN, resp. LAN+, interface is used. >>> >>>>> >>> >>>>> Comments are, of course, welcome from anybody. >>> >>>>> >>> >>>>> --Duncan >>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------ >>> >>> ------ >>> >>> Live Security Virtual Conference >>> >>> Exclusive live event will cover all the ways today's security and >>> >>> threat landscape has changed and how IT managers can respond. >>> >>> Discussions >>> >>> will include endpoint security, mobile security and the latest in >>> >>> malware >>> >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>> >>> _______________________________________________ >>> >>> Ipmitool-devel mailing list >>> >>> Ipm...@li... >>> >>> https://lists.sourceforge.net/lists/listinfo/ipmitool-devel >>> >> >>> >> >>> > >>> >>> >>> ------------------------------------------------------------------------------ >>> Live Security Virtual Conference >>> Exclusive live event will cover all the ways today's security and >>> threat landscape has changed and how IT managers can respond. Discussions >>> will include endpoint security, mobile security and the latest in malware >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>> _______________________________________________ >>> Ipmitool-devel mailing list >>> Ipm...@li... >>> https://lists.sourceforge.net/lists/listinfo/ipmitool-devel >>> >> > |