Deactivate IPMI NONE Authentication Type
IPMI supports multiple authentication types for remotely controlling servers. In addition to the hashed transmission of credentials (e.g. MD5), the IPMI specification also supports the so-called NONE authentication type.[1] When it is enabled, anyone who knows the IPMI IP address and has access to its network can take full control of the server via IPMI (e.g. power the server on or off, reboot it, add users, then access KVM over IP, access the BIOS, format disks, ...). As this is a security risk, you should always disable the NONE authentication type.
Checking if NONE Authentication is activated
Under Linux you can check the list of enabled authentication types for each privilege level with the ipmitool command. The following example shows a server with NONE authentication enabled on the Callback, Operator, Admin and OEM levels:
server:~ # ipmitool lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : MD5
                        : Operator : NONE MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
[...]
Deactivate NONE Authentication
You can deactivate the NONE authentication type by allowing only MD5 as the authentication type for each privilege level:
server:~ # ipmitool lan set 1 auth Callback MD5
server:~ # ipmitool lan set 1 auth User MD5
server:~ # ipmitool lan set 1 auth Operator MD5
server:~ # ipmitool lan set 1 auth Admin MD5
server:~ # ipmitool lan set 1 auth OEM MD5
NONE Authentication deactivated
Afterwards, the NONE authentication type is deactivated:
server:~ # ipmitool lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD5
                        : User     : MD5
                        : Operator : MD5
                        : Admin    : MD5
                        : OEM      : MD5
IP Address Source       : Static Address
[...]
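The check and the fix above are easy to do by hand on one server, but across a fleet it helps to parse the "Auth Type Enable" block mechanically. The following shell script is an added example (it is not part of the original page and not a Thomas-Krenn tool): it reads "ipmitool lan print" output from stdin, lists every privilege level whose enabled authentication types still include NONE, and prints the corresponding "ipmitool lan set <channel> auth <level> MD5" commands instead of executing them. It assumes the output layout shown on this page (one "<level> : <types>" entry per line inside the "Auth Type Enable" block); the two sample outputs embedded in the script are constructed to mirror the "before" and "after" listings above.

```shell
#!/bin/sh
# Added example, not from the Thomas-Krenn page: audit "ipmitool lan print"
# output for privilege levels that still accept the NONE authentication type
# and print the "ipmitool lan set ... auth <level> MD5" commands that would
# close them. Assumption: the output layout matches the page's example.

# Constructed sample, laid out like the page's "before" output.
SAMPLE_BEFORE='Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : MD5
                        : Operator : NONE MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
MAC Address             : 00:11:22:33:44:55'

# Constructed sample, laid out like the page's "after" output.
SAMPLE_AFTER='Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD5
                        : User     : MD5
                        : Operator : MD5
                        : Admin    : MD5
                        : OEM      : MD5
IP Address Source       : Static Address'

# Read ipmitool output on stdin; print each privilege level whose enabled
# authentication types include NONE, one level per line.
levels_with_none() {
    awk '
        BEGIN { FS = ":" }
        /^Auth Type Enable/ { inblock = 1 }
        inblock && NF >= 3 {
            # last two colon-separated fields are "<level>" and "<types>"
            level = $(NF - 1); types = $NF
            gsub(/^[ \t]+|[ \t]+$/, "", level)
            # the block ends at the first line that is not a privilege level entry
            if (level !~ /^(Callback|User|Operator|Admin|OEM)$/) { inblock = 0; next }
            n = split(types, t, /[ \t]+/)
            for (i = 1; i <= n; i++) if (t[i] == "NONE") print level
        }
        inblock && NF < 3 { inblock = 0 }
    '
}

# Read ipmitool output on stdin; print the remediation commands for channel $1
# (restricting each affected level to MD5, as the page does). Returns 1 when
# NONE is enabled on any level, 0 when the channel is already clean.
fix_commands_for_channel() {
    channel="$1"
    found=0
    for level in $(levels_with_none); do
        echo "ipmitool lan set $channel auth $level MD5"
        found=1
    done
    return "$found"
}

# Demonstration on the constructed samples. Against a real BMC you would run
#   ipmitool lan print 1 | fix_commands_for_channel 1
# and review the printed commands before applying them.
echo "--- before hardening (channel 1) ---"
printf '%s\n' "$SAMPLE_BEFORE" | fix_commands_for_channel 1 || echo "NONE authentication still enabled"
echo "--- after hardening ---"
printf '%s\n' "$SAMPLE_AFTER" | fix_commands_for_channel 1 && echo "NONE authentication deactivated on all levels"
```

The non-zero return value of fix_commands_for_channel makes the check usable from a monitoring job or a configuration audit: a clean channel exits 0, a channel with NONE enabled on any level exits 1 and lists exactly the "lan set" commands needed to bring it into the state shown above.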
References
- [1] IPMI v2.0 rev. 1.1 specification, chapter 1.7.26 Channel Model, Authentication, Sessions, and Users (page 21): The specification supports different algorithms for the signature - these are referred to as Authentication Types. Authentication Types include 'none', 'straight password', the MD2 and MD5 message-digest algorithms, etc.
Additional information
- (IPMI-plugin-user) Error in open session response message : no matching cipher suite (lists.thomas-krenn.com, 29.09.2010): And here is an additional remark: your server's IPMI allows "NONE" as authentication for Callback, Operator, Admin and OEM user rights - so everybody on your network can switch off your server etc. only by knowing the IPMI ip address.
Author: Werner Fischer
Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.