Re: [Panicsel-developers] IPMI password
From: Vlado B. <Vla...@ce...> - 2004-06-30 11:25:06
Dear Andy,
thank you very much for your reply and interest in this problem.
Hugo forwarded me the message, so please let me explain in more
detail what we mean.
We have > 1000 nodes where we would like to enable IPMI. The exact
number of nodes in production fluctuates a lot as nodes have to be
repaired/reinstalled/replaced.
Because of that we use a pull scenario, where each node fetches the
configuration it needs from a central place.
My idea with IPMI would be:
- 1 configuration server (= central place) would generate a key pair
(= public and private key)
- this server would publish the public key to all clients
- this server would also encrypt the IPMI password with the private key
- many clients (where we want to have IPMI enabled) would then fetch
the public key
- all these clients would then use this public key to decrypt the IPMI
password and use it locally
The reason for this machinery is that:
- the IPMI password cannot be typed on such a big number of nodes
- the IPMI password must not be sniffed on the network (otherwise an intruder
could get full control of all nodes)
- the IPMI password should not be stored on the node, as nodes occasionally
get hacked
Now - I do not know much about IPMI (Hugo is our local expert), but would
the above scenario be feasible?
Obviously, we can build all this ourselves, but it would be nice if IPMI
tools would allow some options to specify:
- where the encrypted password is
- where the decryption (public) key is
Last, but not least:
- an option where every machine would have a unique password is not possible
because of the number of nodes and the arguments above
- in addition, I think it would be a nightmare to manage
What do you think?
Best regards,
Vlado
--
_|________________________________________________________
| |
| Vlado | Vla...@ce...
| Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland
| | (+41) 22 767 1884
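One way to build the pull scenario described above, as an added example in Go that is not part of panicsel or pefconfig: each node generates its own key pair and publishes only the public half, the server encrypts the shared IPMI password to that node's public key (the opposite direction from the mail above, since anything decryptable with a published public key is readable by every client that fetches it), and the node decrypts in memory right before the pefconfig -P call from Andy's reply. The pefconfig invocation is shown as an argument vector and not executed, and the password value is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Node side: generate the key pair locally and return the DER-encoded public
// half for publication; the private half never leaves the node.
func nodeGenerateKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, pubDER, err
}

// Server side: encrypt the shared IPMI password to one node's published key.
// A copy captured on the wire is useless without that node's private key.
func serverEncryptForNode(pubDER []byte, password string) ([]byte, error) {
	key, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("published key is not RSA")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
}

// Node side: decrypt in memory and hand the result straight to pefconfig;
// the plaintext is never written to disk or typed on a command line by hand.
func nodeDecrypt(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
	return string(pt), err
}

func main() {
	priv, pub, _ := nodeGenerateKeyPair()                // on the node, once
	ct, _ := serverEncryptForNode(pub, "constructed-pw") // on the server
	pw, _ := nodeDecrypt(priv, ct)                       // on the node
	args := []string{"pefconfig", "-P", pw}              // Andy's pefconfig -P $psw; not executed here
	fmt.Println(args[:2], "<password withheld from output>")
}
```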
> -----Original Message-----
> From: Cress, Andrew R [mailto:and...@in...]
> Sent: Tuesday, June 29, 2004 5:47 PM
> To: Hugo Monteiro Cacote; pan...@li...
> Subject: RE: [Panicsel-developers] IPMI password
>
>
> Hugo,
>
> Hmmm. I really hadn't thought that this would be needed.
>
> What I had thought would be enough to conceal the passwords and centrally administer the passwords would be to use ssh keys for root access, then run pefconfig -P $psw on each system via ssh. In order to set the IPMI password via pefconfig, root access is required. The passwords could be encrypted on the central system, and protected there, so that they wouldn't be stored in a visible form, and would only be visible from the ssh command line in progress.
>
> Are you worried about visibility over the LAN, or from a shell command history? Is that the issue? I guess that an option could be added to pefconfig to pass an encrypted password, but how do you propose that the key be passed in?
>
> Andy
>
> -----Original Message-----
> From: pan...@li... [mailto:pan...@li...] On Behalf Of Hugo CACOTE
> Sent: Tuesday, June 29, 2004 2:43 AM
> To: pan...@li...
> Subject: [Panicsel-developers] IPMI password
>
>
>
> Dear all,
>
> Is there any way to configure a BMC's IPMI password without using the
> plain text password?
>
> I would like to distribute the IPMI passwords to all the machines (due
> to the number of machines, going to each machine and configuring this
> information doesn't seem feasible) from a central point. Is there any kind
> of private key mechanism in the current version of panicsel (pefconfig) or
> in the next versions?
>
>
> Thank you,
> Hugo Caçote
>
>