Re: [Ipmitool-devel] Reg issue with password having 16 bytes [ID:3184687]

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Duncan,

    This patch looks good to me.

Thanks,

-- Jim Mankovich | jm...@hp... --


On 5/1/2012 5:12 AM, Duncan Idaho wrote:
> Jim,
>
> it is all right. Attached is v2 which covers user name longer than 16
> bytes. I've also checked the code, again, and password length restrain
> will work for all three methods - cli, ask-pass, file. Let me know if
> we're done with this one, and I'll attach patch to SF.net ticket.
> Funny enough, I've found a bug by testing this. Reading password from
> file is limited only to 16byte passwords. I've logged SF.net ticket.
>
> As for 'user set password', don't think about it now. I think limiting
> password length is sufficient for now. I've logged feature request
> already, so it is noted and won't be forgotten. I don't think this is
> feature that has to make it into 1.8.12.
> I will eventually look at it, however I have nothing to test against
> nor I'm optimistic about many, if any, BMCs actually supporting 20
> byte passwords.
>
> --Duncan
>
> On Mon, Apr 30, 2012 at 9:41 PM, Jim Mankovich<jm...@hp...>  wrote:
>> Duncan,
>>
>> Your validation is reasonable for password "input" verification since the
>> input password is only
>> applicable to lan/lanplus.
>>
>> You were correct when you said that I was talking about the code which sets
>> the password.  For that
>> case, we simply permit folks to specify up to 20 characters independent of
>> the interface or IPMI
>> version.
>>
>> When I looked at your changes I was thinking about password "set"
>> verification which is why I
>> my comments didn't make sense with regard to your changes.
>>
>> Sorry for the all the confusion.
>>
>>
>> -- Jim Mankovich | jm...@hp... --
>>
>>
>> On 4/30/2012 2:39 PM, Duncan Idaho wrote:
>>> I'm probably have a very thick skull. Have any of you looked at the
>>> patch? Because I still feel like it handles what's described in the
>>> ticket.
>>> Anyway, I obviously fail to understand and thus I'm not correct person
>>> to fix it. Anyone else give it a go, please ;)
>>>
>>> --Duncan
>>>
>>> On Mon, Apr 30, 2012 at 8:33 PM, Andy Cress<and...@us...>
>>>   wrote:
>>>> Duncan,
>>>>
>>>>   From the remote client (before it connects), you would verify that the
>>>> -P input is<= 20 characters.
>>>> Then after initiating the connection (GetChanAuthCap), you could detect
>>>> if it is IPMI 2.0 or not, and then be able to find out if it supports
>>>> 20-byte passwords.
>>>>
>>>> IPMI 1.5 and prior = only 16-byte passwords can be used
>>>> IPMI 2.0 = many vendors implement 20-byte passwords, but not all.
>>>>
>>>> To make it (much) simpler, just validate the input once at 20
>>>> characters, and let it go through after that.  The user has to know the
>>>> correct password anyway.
>>>>
>>>> Andy
>>>>
>>>> -----Original Message-----
>>>> From: Duncan Idaho [mailto:dun...@gm...]
>>>> Sent: Monday, April 30, 2012 4:10 PM
>>>> To: Jim Mankovich
>>>> Cc: ipm...@li...; Albert Chu
>>>> Subject: Re: [Ipmitool-devel] Reg issue with password having 16 bytes
>>>> [ID:3184687]
>>>>
>>>> Jim,
>>>>
>>>> I'm sorry, but I don't follow. What? I feel like you're talking about
>>>> setting password now, eg. % ipmitool user set password UID PASSWORD;.
>>>> I thought the issue is % ipmitool -P veryLongPassword -H myhost some
>>>> commands here ; And that's what patch should address. I haven't tried
>>>> password from file and via ask-pass, come to think of it, but I have
>>>> tested -P parameter.
>>>>
>>>> Please, elaborate your e-mail a bit more. I'm, well, confused.
>>>>
>>>> Thanks,
>>>> --Duncan
>>>>
>>>> On Mon, Apr 30, 2012 at 8:01 PM, Jim Mankovich<jm...@hp...>    wrote:
>>>>> Duncan,
>>>>>
>>>>> After I looked at this I came to the realization that I had over
>>>> simplified
>>>>> the 16 vrs 20 byte
>>>>> password to lan vrs lanplus, when in fact it is really an IPMI 1.5 vrs
>>>> IPMI
>>>>> 2.0 issue.
>>>>> It is also possible to set a password via the /dev/ipmi interface so
>>>>> qualification of
>>>>> password length using the interface is not sufficient to cover all the
>>>>> cases.
>>>>>
>>>>> I believe doing this correctly will require password length
>>>> verification
>>>>> based on the current
>>>>> IPMI version.
>>>>>
>>>>> This patch will ca
>>>>>
>>>>> -- Jim Mankovich | jm...@hp... --
>>>>>
>>>>>
>>>>>
>>>>> On 4/28/2012 5:41 AM, Duncan Idaho wrote:
>>>>>> Jim,
>>>>>>
>>>>>> attached is proposed solution to constrain password length to 16,
>>>>>> resp. 20, bytes when LAN, resp. LAN+, interface is used.
>>>>>>
>>>>>> Comments are, of course, welcome from anybody.
>>>>>>
>>>>>> --Duncan
>>>> ------------------------------------------------------------------------
>>>> ------
>>>> Live Security Virtual Conference
>>>> Exclusive live event will cover all the ways today's security and
>>>> threat landscape has changed and how IT managers can respond.
>>>> Discussions
>>>> will include endpoint security, mobile security and the latest in
>>>> malware
>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>> _______________________________________________
>>>> Ipmitool-devel mailing list
>>>> Ipm...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
>>>