need to update 30-maas-01-bmc-config script for ipmi cipher suite id

andydelhierro · 8 May 2025 04:00

So, most companies are not using anything but cipher suite 17, and having a default of 3 is very insecure.

Below is the simple change I need to make to default to 17 so the Lenovo servers I am working on have IPMI enabled. I think this should be a setting in the IPMI settings so we can pick the cipher suite we want to use.

How can I pass the correct cipher or update the default to 17? I will assume this is in the database stored in base64. I’ll take a look at it later tomorrow.

parser.add_argument(
    "--ipmi-cipher-suite-id",
    choices=("3", "8", "12", "17"),
    default="3",
    help="The IPMI cipher suite ID to use when connecting via ipmitool",
)

troyanov · 8 May 2025 06:37

Hey @andydelhierro

The default value comes from src/provisioningserver/drivers/power/ipmi.py

make_setting_field(
    "cipher_suite_id",
    "Cipher Suite ID",
    field_type="choice",
    choices=IPMI_CIPHER_SUITE_ID_CHOICES,
    # freeipmi-tools defaults to 3, not all IPMI BMCs support 17.
    default="3",
),

If you want to update some existing values and for some reason don’t want to use API for this, you should check for power_parameters under public.maasserver_bmc table in maas database.

 {"power_user": "", "power_driver": "LAN_2_0", "power_address": "127.0.0.1", "power_off_mode": "hard", "cipher_suite_id": "3", "power_boot_type": "auto", "privilege_level": "OPERATOR", "workaround_flags": ["opensesspriv"]}

The update statement can be something like this (but we do not encourage changing database values directly):

update maasserver_bmc 
set power_parameters = jsonb_set(power_parameters, '{cipher_suite_id}', '"17"'::jsonb, false);

andydelhierro · 8 May 2025 16:01

@troyanov I would be more than willing to use the API to update it if that change sticks. I want the change to be permitted.

troyanov · 8 May 2025 20:29

Hm, I might be missing something. How do you set your power parameters?

You can use CLI to update configuration:
maas admin machine update bsex3q power_parameters_cipher_suite_id=17

At what point it is not preserved and sets to default value?

andydelhierro · 8 May 2025 21:11

So I tried this code you provided, but it did not work.

update maasserver_bmc
set power_parameters = jsonb_set(power_parameters, ‘{cipher_suite_id}’, ‘“17”’::jsonb, false);

I need a way to set all discoveries to be at 17.

andydelhierro · 8 May 2025 21:14

So this works for machine bsex3q. I need this to work for all discovered machines on the very first boot up. Doing this more than 100 times after they are discovered is a pain. We just want IPMI to work from the first discovery.

troyanov · 8 May 2025 21:31

Ah, I see what you mean. In that case maybe changing parameters will help

select parameters from public.maasserver_script where name = '30-maas-01-bmc-config';

I didn’t check myself, but in theory replacing {input} to "17" should work

"maas_auto_ipmi_cipher_suite_id": {"max": 2, "type": "string", "argument_format": "--ipmi-cipher-suite-id={input}"

andydelhierro · 9 May 2025 18:58

This worked for me as long as you replace {input} with 17.

I think this feature would be in Settings >> IPMI settings, with a pull-down option for the default cipher suite to use.

If need be, I can open a feature request for this.

Andy

troyanov · 9 May 2025 19:37

I think thats a good idea in general, so if you can create a post under Features it would be great.

andydelhierro · 9 May 2025 22:14

done

system · 11 May 2025 22:14

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.