xcat-core
Encryption not supported for BMC IPMI password in passwd table
Hi,
We're trying the MTMS discovery method to discover new nodes and add them to our cluster. For MTMS we need to enable IPMI and need to have it stored in the passwd table. I'm able to encrypt the password for IPMI, but after encryption the rsetboot and rpower commands stop working, and this is needed for new node discovery. Leaving the password unencrypted might raise a security exception on our side. Is there any workaround for this? Or am I missing something?
Thanks, Nihal Ranjan
Edit: upon further investigation, this comment is not accurate. This only worked because I had inadvertently set the bmcpassword in my node object, so the encrypted password from the passwd table was not being used.
How are you setting the encrypted password?
~~The example from here: https://xcat-docs.readthedocs.io/en/stable/guides/admin-guides/manage_clusters/ppc64le/configure/password.html is working for me on my test system:~~
```
# chtab key=ipmi passwd.password=`openssl passwd -1 YOUR_PASSWORD`
# tabdump passwd | grep ipmi
"ipmi","IPMIUSER","$1$ryQq6C45$ZeGgZa3cP.fEQ7HpKk1iM1",,,,
# rpower all stat
compute02: off
compute03: off
compute01: on
```
https://xcat-docs.readthedocs.io/en/stable/guides/admin-guides/references/man5/passwd.5.html
password
The default password for this type of component. On Linux, a crypted form could be provided. Hashes starting with $1$, $5$ and $6$ (md5, sha256 and sha512 respectively) are supported.
Does your hashed password string begin with $1$, $5$, or $6$?
Hi,
Tried the same, but it doesn't seem to work for us. We're using Dell PowerEdge servers, if that can be the reason it's not working?
```
# chtab key=ipmi passwd.username=administrator passwd.password=`openssl passwd -1 abcd123`
# tabdump passwd | grep ipmi
"ipmi","administrator","$1$1fGxkeDm$8WH/tag4rwnmUiA5Hs.d7.",,,,
# bmcdiscover --range 181.59.0.11-250 -z > test.stanzas
Warning: [testcp]: No bmc found.
# rpower all stat
node03: [testcp]: Error: ERROR: Unauthorized name
node02: [testcp]: Error: ERROR: Unauthorized name
node01: [testcp]: Error: ERROR: Unauthorized name
node04: [testcp]: Error: ERROR: Unauthorized name
```
@nihal-ranjan
Are bmcdiscover and rpower working correctly if the password is not encrypted?
Yes, it is working properly without encryption.
@nihal-ranjan
Can you show the output of lsdef for one of the nodes that fails rpower when the pw is encrypted?
Well, actually bmcdiscover is not working when using an encrypted password, so I'm not getting any nodes discovered.
```
# bmcdiscover --range 181.59.0.11-250 -z > test.stanzas
Warning: [testcp]: No bmc found.
```
So I tried using an un-encrypted password to do a bmcdiscover to get all the nodes, and then later I'm encrypting the password again. But after encryption, rpower and rsetboot are not working.
This is for one of the nodes I discovered without password encryption.
```
[root@testcp ~ ]# lsdef node01
Object name: node01
bmc=181.59.0.19
chain=runcmd=bmcsetup
cons=ipmi
groups=all
mgt=ipmi
mtm=DELL:PowerEdge R740xd
postbootscripts=otherpkgs
postscripts=syslog,remoteshell,syncfiles
serial=DK7XXXX
[root@testcp ~ ]#
```
Have you tried using SHA256 or SHA512 passwords generated with `openssl passwd -5` or `openssl passwd -6`?
Same thing happening with SHA256 and SHA512.
@nihal-ranjan Upon further investigation, setting encrypted passwords in the passwd table only works when setting the system password used for diskless and diskful provisioning. There is currently no way to encrypt the BMC IPMI password in the passwd table. We will update the documentation to be more accurate in describing what passwords in the passwd table can be encrypted.
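
A check based on the conclusion of this thread, as an added example that is not part of the original issue or of xCAT: it reads `tabdump passwd` output and flags `ipmi` rows whose password carries a `$1$`, `$5$` or `$6$` hash prefix (the state that produced the failures above) and provisioning rows that are still cleartext. The function names, the status labels, the sample rows and the use of `system` as the key of the provisioning password are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not xCAT code): classify rows of `tabdump passwd` output.
# Assumes key, username, password are the first three CSV fields and that
# none of them contains an embedded double quote.

audit_passwd_table() {
  awk '
    /^#/ || /^[ \t]*$/ { next }              # skip header and blank lines
    {
      line = $0
      for (i = 1; i <= 3; i++) {             # peel off key, username, password
        if (substr(line, 1, 1) == "\"") {    # quoted field
          line = substr(line, 2)
          n = index(line, "\"")
          f[i] = substr(line, 1, n - 1)
          line = substr(line, n + 2)         # drop closing quote and comma
        } else {                             # empty or unquoted field
          n = index(line, ",")
          f[i] = n ? substr(line, 1, n - 1) : line
          line = n ? substr(line, n + 1) : ""
        }
      }
      hashed = (f[3] ~ /^\$[156]\$/)         # crypt prefixes named in passwd(5)
      if (f[1] == "ipmi" && hashed)
        status = "FAIL hashed-bmc-password"
      else if (f[1] == "system" && !hashed)
        status = "WARN cleartext-system-password"
      else
        status = "OK"
      printf "%s key=%s user=%s\n", status, f[1], f[2]   # never print the secret
    }
  '
}

# Constructed sample rows in tabdump format; the hash strings are dummies.
sample_table() {
  cat <<'EOF'
#key,username,password,cryptmethod,authdomain,comments,disable
"ipmi","administrator","$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH",,,,
"system","root","$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH",,,,
"system","admin","cleartext-example",,,,
"ipmi",,"cleartext-example",,,,
EOF
}

sample_table | audit_passwd_table
```

On a management node the same function can be fed directly with `tabdump passwd | audit_passwd_table`.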