Deactivate IPMI NONE Authentication Type

From Thomas-Krenn-Wiki

IPMI supports multiple authentication types for remotely controlling servers. In addition to the hashed transmission of credentials (e.g. MD5), the IPMI specification also supports the so-called NONE authentication.[1] When it is enabled, anyone who knows the IPMI IP address and has access to its network can take full control of the server via IPMI (e.g. power the server on/off, reboot it, add users, then access KVM over IP, access the BIOS, format disks, ...). As this is a security risk, you should always disable the NONE authentication.

Checking if NONE Authentication is activated

Under Linux you can check the list of activated authentication types with the ipmitool command. The following example shows a server with activated NONE authentication:

server:~ # ipmitool lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : MD5
                        : Operator : NONE MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
[...]

Deactivate NONE Authentication

You can deactivate the NONE authentication type by allowing only MD5 as authentication type:

server:~ # ipmitool lan set 1 auth Callback MD5
server:~ # ipmitool lan set 1 auth User MD5
server:~ # ipmitool lan set 1 auth Operator MD5
server:~ # ipmitool lan set 1 auth Admin MD5
server:~ # ipmitool lan set 1 auth OEM MD5

NONE Authentication deactivated

Afterwards, the NONE authentication type is deactivated:

server:~ # ipmitool lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD 
Auth Type Enable        : Callback : MD5 
                        : User     : MD5
                        : Operator : MD5 
                        : Admin    : MD5
                        : OEM      : MD5
IP Address Source       : Static Address
[...]
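
The manual check above can be scripted so that it runs across many servers. The following is an added example, not part of the original article: it parses the "Auth Type Enable" block of the ipmitool lan print output and lists every privilege level that still has NONE enabled. The function names none_enabled_levels and audit_channel are hypothetical, and the sample input is the "before" output from this page.

```shell
#!/bin/sh
# Reads `ipmitool lan print <channel>` output on stdin and prints each
# privilege level whose "Auth Type Enable" row still lists NONE.
none_enabled_levels() {
    awk '
        function check(row,    parts, level, types, n, i) {
            # row looks like " Callback : NONE MD2 MD5 PASSWORD"
            split(row, parts, ":")
            level = parts[1]; gsub(/[ \t]/, "", level)
            n = split(parts[2], types, " ")
            for (i = 1; i <= n; i++)
                if (types[i] == "NONE") { print level; break }
        }
        # First row (Callback) shares the line with the field name.
        /^Auth Type Enable/ { in_block = 1; sub(/^[^:]*:/, ""); check($0); next }
        # Continuation rows: leading whitespace, then a colon.
        in_block && /^[ \t]+:/ { sub(/^[ \t]+:/, ""); check($0); next }
        # Any other line ends the block ("Auth Type Support" is ignored).
        { in_block = 0 }
    '
}

# Audits one LAN channel of the local BMC (default: channel 1).
# Returns 0 if NONE is disabled everywhere, 1 if not, 2 if ipmitool failed.
audit_channel() {
    out=$(ipmitool lan print "${1:-1}") || return 2
    levels=$(printf '%s\n' "$out" | none_enabled_levels)
    [ -z "$levels" ] && return 0
    # $levels is left unquoted on purpose so the names join onto one line.
    echo "NONE authentication enabled for:" $levels >&2
    return 1
}

# Sample input: the "before" output shown above, embedded for an offline run.
SAMPLE_BEFORE='Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : MD5
                        : Operator : NONE MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address'

printf '%s\n' "$SAMPLE_BEFORE" | none_enabled_levels
```

Because "Auth Type Support" always lists NONE when the BMC implements it, only the "Auth Type Enable" rows are evaluated.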

References

  1. IPMI v2.0 rev. 1.1 specification, chapter 1.7.26 Channel Model, Authentication, Sessions, and Users (page 21): The specification supports different algorithms for the signature - these are referred to as Authentication Types. Authentication Types include ‘none’, ‘straight password’, the MD2 and MD5 message-digest algorithms, etc.


Author: Werner Fischer

Werner Fischer, working in the Web Operations & Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.

