[Ipmitool-devel] cipher suite decoding

[^..^ <ze...@gm...>]

I'm trying to understand cipher suites and ipmitool.   The 2.0 spec says that there are 15 suites plus an OEM specified one (and reserved space); ipmitool's man page says cipher 0 is reserved in the cipher_privs option:

The format of privlist is as follows. Each character represents a
privilege level and the character position identifies the cipher suite  
number. For example, the first character represents cipher suite  
1 (cipher suite 0 is reserved), the second represents cipher suite 2, 
and so on. privlist must be 15 characters in length.

And then gives an example; "to set the maximum privilege for cipher suite 1 to USER and suite 2 to ADMIN, issue  the  following command":

	ipmitool -I interface lan set channel cipher_privs uaXXXXXXXXXXXXX

Does this mean you can't set cipher suite 0?  Or if you can, can you not set the OEM one?

I see in the archives Jarred said (http://www.mail-archive.com/ipm...@li.../msg01169.html):

You have to change your BMCs to reject cipher suite 0.  FYI, IBM servers ship with it disabled for this very reason.

   	ipmitool lan set 1 cipher_privs XaaaXXXXXXXXXXX

should do it.

In his example, however, it was answering a question about a conf that listed a limited set of suites:

	RMCP+ Cipher Suites : 0,1,2,3

So maybe the suites listed on the "RMCP+ Cipher Suites" correspond to the letters in the cipher_priv string?

Or perhaps some use position 1 in the cipher_priv string as cipher 0, are the docs or jarred right/wrong, or am I just plain confused?  


And my supermicro comes along to further muddy my waters:

    # ipmitool -I lanplus -H 192.168.0.69 -U ADMIN -P foobar lan print 1
    [...]
    RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0
    Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                            :     X=Cipher Suite Unused
                            :     c=CALLBACK
                            :     u=USER
                            :     o=OPERATOR
                            :     a=ADMIN
                            :     O=OEM
    […]

(Note the odd placement of cipher 0 - the last in the list)

I've been unable to get it to accept cipher suite 0 (just testing, really! :)), but they may not support it or I'm doing it wrong or I don't know if the odd placement of Cipher 0 in their list means you have to place it in another position, but 15 "a"s in a row didn't seem to do anything.

Thanks for any clarifications.

dan

^..^