ipmi cipher suite C17 support

Hello all,

I would like to point out a problem that I encountered personally during the implementation. After unsuccessfully enlisting several servers, I noticed that MAAS doesn’t support some cipher suites for IPMI connections.

By default it uses C3, while some hardware vendors consider only C17 (ipmitool’s -C17 option) a secure protocol. I think that this problem may gradually affect even more servers because IPMI security has recently come into focus for most hardware providers.

We can work around this by turning on the appropriate cipher suite on the host, but when provisioning a large number of machines it can be problematic and not very elegant.

Maybe it’s worth implementing this in MAAS.

Thanks,
Artur

I’m actually working on adding support for IPMI encryption for MAAS 2.9. MAAS will be able to detect if an IPMI BMC key is being used, select a secure cipher to communicate with the BMC, and disable insecure ciphers.


I just released MAAS 2.9.0 beta3 which adds support to specify the IPMI cipher suite id, K_g key, and IPMI user privilege level.

MAAS still defaults to C3 as not all machines support C17. I am working on a branch for beta4 that will allow MAAS to automatically discover the highest supported IPMI cipher suite id and K_g key automatically.

Hi,

I’ve just switched my installation to 2.9 beta channel to test. Great work!

Thank you!

Thanks! I just released beta4, which adds the ability to automatically detect the most secure IPMI cipher suite id the BMC supports, as well as whether a K_g BMC key was set. If you recommission your machine, 17 should be automatically selected.

Hi Lee,

just recommissioned one of my machines.

before recommission it was:

{
    "power_pass": "hidden",
    "power_user": "maas",
    "power_driver": "LAN_2_0",
    "power_address": "xxx.xxx.xxx.xxx",
    "power_boot_type": "efi"
}

after recommission:

{
    "k_g": "",
    "power_pass": "hidden",
    "power_user": "maas",
    "power_driver": "LAN_2_0",
    "power_address": "xxx.xxx.xxx.xxx",
    "cipher_suite_id": "3",
    "power_boot_type": "efi",
    "privilege_level": "ADMIN"
}

and at this moment I lost control of the host…

Had to manually change:

maas $PROFILE machine update $SystemID power_parameters_cipher_suite_id="17"

to regain it back.

I also noticed that I still have C3 enabled on the channel:

RMCP+ Cipher Suites : 1,2,3,6,7,8,11,12,15,16,17
Cipher Suite Priv Max : XXXaXXXXXXaXXXX

In MAAS 2.9 I moved BMC configuration to a new commissioning script, 30-maas-01-bmc-config. This script lists the available IPMI cipher suites ids, enables the most secure cipher suite, and disables any insecure cipher suite. From that output it looks like 17 isn’t being detected so 3 is being enabled and used.

Could you post the following:

  1. The output of the commissioning script 30-maas-01-bmc-config
  2. The output of the command bmc-config --checkout -S Rmcpplus_Conf_Privilege

It seems that C17 is not detected… below requested outputs:

30-maas-01-bmc-config

INFO: Loading IPMI kernel modules...
INFO: Checking for HP Moonshot...
INFO: Checking for IPMI...
INFO: IPMI detected!
INFO: Verifying BMC is accessible over the network...
INFO: Configuring IPMI cipher suite ids...
INFO: MAAS will use IPMI cipher suite id "3" for BMC communication
WARNING: No K_g BMC key found or configured, communication with BMC will not use a session key!
INFO: Found existing IPMI user "maas"!
INFO: Configuring IPMI BMC user "maas"...
INFO: IPMI user number - User2
INFO: IPMI user privilege level - Administrator
INFO: IPMI Version - LAN_2_0
INFO: IPMI boot type - efi

ubuntu@alive-rat:~$ sudo  bmc-config --checkout -S Rmcpplus_Conf_Privilege
#
# Section Rmcpplus_Conf_Privilege Comments 
#
# If your system supports IPMI 2.0 and Serial-over-LAN (SOL),cipher suite IDs 
# may be configurable below. In the Rmcpplus_Conf_Privilege section, maximum 
# user privilege levels allowed for authentication under IPMI 2.0 (including 
# Serial-over-LAN) are set for each supported cipher suite ID. Each cipher suite 
# ID supports different sets of authentication, integrity, and encryption 
# algorithms for IPMI 2.0. Typically, the highest privilege level any username 
# configured should set for support under a cipher suite ID. This is typically 
# "Administrator". 
#
Section Rmcpplus_Conf_Privilege
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_1           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_2           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_3           Administrator
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_6           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_7           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_8           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_11          Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_12          Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_15          Unused
EndSection

C17 and C3 were enabled on host - but maas was not able to detect/change power state

ipmitool -H 10.77.0.171 -U maas -P xl3KcyUC1WHtuk -I lanplus -C17 lan print 1 | grep Cipher
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,15,16,17
Cipher Suite Priv Max   : XXXaXXXXXXaXXXX

I have disabled C3 leaving C17 as only cipher set on host.

ipmitool -H xxx.xxx.xxx.xxx -U maas -P xl3KcyUC1WHtuk -I lanplus -C17 lan set 1 cipher_privs XXXXXXXXXXaXXXX

Manually changed power configuration and recommissioned machine.

after that

30-maas-01-bmc-config

INFO: Loading IPMI kernel modules...
INFO: Checking for HP Moonshot...
INFO: Checking for IPMI...
INFO: IPMI detected!
INFO: Verifying BMC is accessible over the network...
INFO: Configuring IPMI cipher suite ids...
INFO: MAAS will use IPMI cipher suite id "3" for BMC communication
WARNING: No K_g BMC key found or configured, communication with BMC will not use a session key!
INFO: Found existing IPMI user "maas"!
INFO: Configuring IPMI BMC user "maas"...
INFO: IPMI user number - User2
INFO: IPMI user privilege level - Administrator
INFO: IPMI Version - LAN_2_0
INFO: IPMI boot type - efi

and

ubuntu@alive-rat:~$ sudo  bmc-config --checkout -S Rmcpplus_Conf_Privilege
#
# Section Rmcpplus_Conf_Privilege Comments 
#
# If your system supports IPMI 2.0 and Serial-over-LAN (SOL),cipher suite IDs 
# may be configurable below. In the Rmcpplus_Conf_Privilege section, maximum 
# user privilege levels allowed for authentication under IPMI 2.0 (including 
# Serial-over-LAN) are set for each supported cipher suite ID. Each cipher suite 
# ID supports different sets of authentication, integrity, and encryption 
# algorithms for IPMI 2.0. Typically, the highest privilege level any username 
# configured should set for support under a cipher suite ID. This is typically 
# "Administrator". 
#
Section Rmcpplus_Conf_Privilege
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_1           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_2           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_3           Administrator
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_6           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_7           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_8           Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_11          Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_12          Unused
	## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
	Maximum_Privilege_Cipher_Suite_Id_15          Unused
EndSection

and again maas is not able to control host power, but this time c3 was not enabled.

ipmitool -H xxx.xxx.xxx.xxx -U maas -P xl3KcyUC1WHtuk -I lanplus -C17 lan print 1 | grep Cipher
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,15,16,17
Cipher Suite Priv Max   : XXXXXXXXXXaXXXX
                        :     X=Cipher Suite Unused
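
Added example (not part of the thread and not MAAS code): the two outputs posted above disagree about which cipher suites exist, since `bmc-config` exposes no key for ids 16 and 17 while `ipmitool` lists both. The Python sketch below reports that gap for any BMC; its sample text is trimmed from those outputs and its function names are hypothetical.

```python
import re

# Sample input trimmed from the outputs posted in the thread (comment lines reduced).
BMC_CONFIG_OUT = """\
Section Rmcpplus_Conf_Privilege
\t## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
\tMaximum_Privilege_Cipher_Suite_Id_1           Unused
\tMaximum_Privilege_Cipher_Suite_Id_2           Unused
\tMaximum_Privilege_Cipher_Suite_Id_3           Administrator
\tMaximum_Privilege_Cipher_Suite_Id_6           Unused
\tMaximum_Privilege_Cipher_Suite_Id_7           Unused
\tMaximum_Privilege_Cipher_Suite_Id_8           Unused
\tMaximum_Privilege_Cipher_Suite_Id_11          Unused
\tMaximum_Privilege_Cipher_Suite_Id_12          Unused
\tMaximum_Privilege_Cipher_Suite_Id_15          Unused
EndSection
"""
IPMITOOL_OUT = "RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,15,16,17\n"

KEY_RE = re.compile(r"^\s*Maximum_Privilege_Cipher_Suite_Id_(\d+)\s+(\S+)\s*$")
LIST_RE = re.compile(r"^RMCP\+ Cipher Suites\s*:\s*([\d, ]+)$", re.M)


def bmc_config_suites(text):
    """Map cipher suite id -> maximum privilege from `bmc-config --checkout` output."""
    suites = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # skip section and value comments
            continue
        m = KEY_RE.match(line)
        if m:
            suites[int(m.group(1))] = m.group(2)
    return suites


def advertised_suites(text):
    """Cipher suite ids from the 'RMCP+ Cipher Suites' line of `ipmitool lan print`."""
    m = LIST_RE.search(text)
    return {int(x) for x in m.group(1).split(",") if x.strip()} if m else set()


def cipher_suite_gap(bmc_config_text, ipmitool_text):
    """Report what bmc-config can see and set versus what the BMC advertises."""
    cfg = bmc_config_suites(bmc_config_text)
    adv = advertised_suites(ipmitool_text)
    return {
        "configurable": sorted(cfg),                                    # ids with a bmc-config key
        "enabled": sorted(i for i, p in cfg.items() if p != "Unused"),  # ids usable at some privilege
        "hidden": sorted(adv - set(cfg)),                               # advertised, no bmc-config key
    }


if __name__ == "__main__":
    print(cipher_suite_gap(BMC_CONFIG_OUT, IPMITOOL_OUT))
```

A non-empty `hidden` list means a tool that reads only the `Rmcpplus_Conf_Privilege` keys cannot select or enable those suites on this BMC.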