RE: [Panicsel-developers] IPMI password
From: Cress, A. R <and...@in...> - 2004-07-06 14:39:32
Vlado,

That looks fine. In fact, since gnupg is already set up as standalone
utilities, it would be easy to script with the current version of
pefconfig as well.

Andy

-----Original Message-----
From: Vlado Bahyl [mailto:Vla...@ce...]
Sent: Monday, July 05, 2004 3:49 AM
To: Cress, Andrew R
Cc: pan...@li...
Subject: Re: [Panicsel-developers] IPMI password

Dear Andy,

thank you very much for considering our problem. What I in fact had in
my mind was more software from http://www.gnupg.org/ but as I am not
really an IPMI expert, I leave it to you to find out how to solve the
problems described in my earlier e-mail.

Cheers,
Vlado

-- 
_|________________________________________________________
 |       |
 | Vlado | Vla...@ce...
 | Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland
 |       | (+41) 22 767 1884

According to Cress, Andrew R:
> Vlado,
> 
> OK, so it sounds like OpenSSL.org's library would be a good choice,
> with RSA or DSA. That could be integrated into pefconfig and tmconfig,
> with some work.
> 
> I'll put this on the TODO list and schedule some time to implement it.
> In the meantime, if you have/see any other utilities that do
> encrypt/decrypt that you think would be good usage models, let me know.
> 
> Andy
> 
> -----Original Message-----
> From: Vlado Bahyl [mailto:Vla...@ce...]
> Sent: Wednesday, June 30, 2004 7:25 AM
> To: Cress, Andrew R
> Cc: pan...@li...; Hugo Monteiro Cacote; Tim Smith
> Subject: Re: [Panicsel-developers] IPMI password
> 
> 
> Dear Andy,
> 
> thank you very much for your reply and interest in this problem.
> 
> Hugo forwarded me the message, so please let me explain in more
> detail what we mean.
> 
> We have > 1000 nodes where we would like to enable IPMI. The exact
> number of nodes in production fluctuates a lot as nodes have to be
> repaired/reinstalled/replaced.
> Because of that we use a pull scenario, where each node fetches the
> configuration it needs from a central place.
> 
> My idea with IPMI would be:
> 
> - 1 configuration server (= central place) would generate a key pair
>   (= public and private key)
> - this server would publish the public key to all clients
> - this server would also encrypt the IPMI password with the private key
> 
> - many clients (where we want to have IPMI enabled) would then fetch
>   the public key
> - all these clients would then use this public key to decrypt the IPMI
>   password and use it locally
> 
> The reason for this machinery is that:
> - the IPMI password can not be typed on such a big number of nodes
> - the IPMI password must not be sniffed on the network (otherwise an
>   intruder could get full control of all nodes)
> - the IPMI password should not be stored on the nodes as they
>   occasionally get hacked
> 
> Now - I do not know much about IPMI (Hugo is our local expert), but
> would the above scenario be feasible?
> 
> Obviously, we can build all this ourselves, but it would be nice if the
> IPMI tools would allow some options to specify:
> - where the encrypted password is
> - where the decryption (public) key is
> 
> Last, but not least:
> - the option where every machine would have a unique password is not
>   possible because of the number of nodes and the arguments above
> - in addition I think it would be a nightmare to manage it
> 
> What do you think?
> 
> Best regards,
> 
> Vlado
> 
> -- 
> 
> _|________________________________________________________
>  |       |
>  | Vlado | Vla...@ce...
>  | Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland
>  |       | (+41) 22 767 1884
> 
> 
> > -----Original Message-----
> > From: Cress, Andrew R [mailto:and...@in...]
> > Sent: Tuesday, June 29, 2004 5:47 PM
> > To: Hugo Monteiro Cacote; pan...@li...
> > Subject: RE: [Panicsel-developers] IPMI password
> > 
> > 
> > Hugo,
> > 
> > Hmmm. I really hadn't thought that this would be needed.
> > 
> > What I had thought would be enough to conceal the passwords and
> > centrally administer the passwords would be to use ssh keys for root
> > access, then run pefconfig -P $psw on each system via ssh. In order to
> > set the IPMI password via pefconfig, root access is required. The
> > passwords could be encrypted on the central system, and protected
> > there, so that they wouldn't be stored in a visible form, and would
> > only be visible from the ssh command line in progress.
> > 
> > Are you worried about visibility over the LAN, or from a shell command
> > history? Is that the issue? I guess that an option could be added to
> > pefconfig to pass an encrypted password, but how do you propose that
> > the key be passed in?
> > 
> > Andy
> > 
> > -----Original Message-----
> > From: pan...@li... [mailto:pan...@li...] On Behalf Of Hugo CACOTE
> > Sent: Tuesday, June 29, 2004 2:43 AM
> > To: pan...@li...
> > Subject: [Panicsel-developers] IPMI password
> > 
> > 
> > 
> > Dear all,
> > 
> > Is there any way to configure a BMC's IPMI password without using the
> > plain text password?
> > 
> > I would like to distribute the IPMI passwords on all the machines (due
> > to the number of machines, going to each machine and configuring this
> > information doesn't seem feasible) from a central point. Is there any
> > kind of private key mechanism in the current version of panicsel
> > (pefconfig) or in the next versions?
> > 
> > 
> > Thank you,
> > Hugo Caçote
> > 
> > 
> > _______________________________________________
> > Panicsel-developers mailing list
> > Pan...@li...
> > https://lists.sourceforge.net/lists/listinfo/panicsel-developers
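The encrypt-centrally, decrypt-on-node flow that Andy sketches with OpenSSL RSA, as an added shell example (not code from this thread or from the panicsel project). It assumes the openssl command-line tool is installed, that the configuration server encrypts with the node's public key and the node decrypts with the matching private key, and that this private key file (and the root account guarding it) is therefore what actually protects the published password.

```shell
#!/bin/sh
# Added example, not from the thread: the configuration server encrypts the
# IPMI password with a node public key (RSA-OAEP via the openssl CLI); the
# node decrypts with the matching private key. Assumes openssl is installed.
set -eu

WORK="${TMPDIR:-/tmp}/ipmi-pw-demo.$$"   # constructed scratch location

# Server side: generate the pair; only node.pub leaves this host.
make_keypair() {
  mkdir -p "$WORK"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/node.key" 2>/dev/null
  chmod 600 "$WORK/node.key"              # the private key is the real secret
  openssl pkey -in "$WORK/node.key" -pubout -out "$WORK/node.pub"
}

# Server side: the ciphertext is what gets published for nodes to pull.
encrypt_password() {
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/node.pub" \
    -pkeyopt rsa_padding_mode:oaep -out "$WORK/ipmi.pw.enc"
}

# Node side: recover the password to stdout so it can be piped onward
# rather than placed in a command line that shows up in ps or history.
decrypt_password() {
  openssl pkeyutl -decrypt -inkey "$WORK/node.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/ipmi.pw.enc"
}

# A modified ciphertext must not decrypt to anything: OAEP rejects it,
# so a node notices if the pulled file was altered in transit or at rest.
tamper_fails() {
  cp "$WORK/ipmi.pw.enc" "$WORK/ipmi.pw.bad"
  dd if=/dev/zero of="$WORK/ipmi.pw.bad" bs=1 count=16 conv=notrunc 2>/dev/null
  ! openssl pkeyutl -decrypt -inkey "$WORK/node.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/ipmi.pw.bad" >/dev/null 2>&1
}

# Walk the whole flow when invoked as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
  make_keypair
  encrypt_password 'example-ipmi-pw'     # constructed sample password
  decrypt_password; echo
  rm -rf "$WORK"
fi
```

On a real node the output of decrypt_password would be consumed directly by the configuration step instead of being echoed, and node.key would be provisioned out of band rather than pulled from the same place as the ciphertext.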