thomas-krenn/check_ipmi_sensor_v3

IPMI account/password got displayed when command failed

tjyang opened this issue · 5 comments

I am using this perl script, thanks for the work.

  • WHAT: There is a security risk of exposing the IMM/iDRAC credentials when the underlying ipmi commands fail.
    Currently, there is no option to disable this password display.

  • WHY: from the existing code logic, $returncode != 0 will display the IPMI account and password from the command output on the web page.

  • HOW:

    • Adding one extra option like --nocmdout to not display the command output, so one can ensure no password is displayed in production.
    • I can submit a PR if there is interest, but I only do casual perl programming.

Hi,
you should use "-f server.cfg".
In the file, you should specify the following:
$ cat server.cfg
username nagios
password abcd...!
privilege-level operator
$

@selcukKaraca , thanks for the suggestion. But "-f" is more work (IMHO), given that this will generate more "server.cfg" files to maintain for a site that hosts many different accounts/passwords.

As a solution I have implemented a wrapper script. I use Nagios for monitoring. There is a table (ipmi_table.cfg) which includes the following fields:
OS_IP ILO_IP AUTH_FILE OPTIONS

My wrapper script looks at this table, finds the necessary arguments and constructs the perfect check_ipmi_sensor command,
like this one:

# cat check_ipmi_wrapper.sh
#!/bin/sh
# this script constructs the check_ipmi_sensor command using the hostname parameter.
# it does this by looking the host up in a table, ipmi_table.cfg
# (space separated fields: OS_IP ILO_IP AUTH_FILE OPTIONS)
# written by mehmet selcuk karaca

FOUND=FALSE
IPMI_TABLE=/path/to/ipmi_table.cfg
# the host IP is passed as the second argument
HOST_IP=$2
# nagios UNKNOWN exit value
UNKNOWN=3

while read -r LINE
do
  IP=$(echo "$LINE" | cut -f 1 -d " ")
  # we have found the IP (given as parameter) in the table; now get the other required arguments
  if [ "$IP" = "$HOST_IP" ]; then
     ILO=$(echo "$LINE" | cut -f 2 -d " ")
     AUTH_FILE=$(echo "$LINE" | cut -f 3 -d " ")
     AUTH_FILE=/path/to/$AUTH_FILE
     OPTIONS=$(echo "$LINE" | cut -f 4- -d " ")
     FOUND=TRUE
     break
  fi
done <"$IPMI_TABLE"

if [ "$FOUND" = "TRUE" ]; then
    # OPTIONS is deliberately unquoted so it expands into separate arguments
    /path/to/check_ipmi_sensor -H "$ILO" -f "$AUTH_FILE" $OPTIONS -v
else
   echo "$HOST_IP could not be found in $IPMI_TABLE, please add the IP and related info to the table."
   exit $UNKNOWN
fi

@selcukKaraca , are you interested in seeing how I resolved this issue by modifying the perl code directly, adding a --nocmdout argument?

Resolved by 82ebecc
Password is now masked in the debug output if the command failed.
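The masking the fix describes, as an added shell example that is not the project's code: it assumes the underlying FreeIPMI command receives its credentials as `-p PASSWORD` or `--password=PASSWORD` (an assumption about the flag names) and redacts that value before a failed command line is echoed, instead of printing the raw command.

```shell
#!/bin/sh
# Added example, not code from check_ipmi_sensor: never echo a raw IPMI
# command line on failure, redact the password argument first.
# Assumption: the password is passed as "-p PASSWORD" or "--password=PASSWORD"
# (FreeIPMI style); adjust the pattern if the tool uses other flag names.

# redact_password CMDLINE
# Prints CMDLINE with the value following -p / --password replaced by <masked>.
redact_password() {
  printf '%s\n' "$1" | sed -E 's/(-p|--password)( +|=)[^ ]+/\1\2<masked>/g'
}

# run_ipmi_cmd CMDLINE
# Runs the command. On success its output is printed; on failure only the
# redacted command line and the exit code are reported, and the code is
# returned so the caller can map it to a Nagios state.
run_ipmi_cmd() {
  cmd=$1
  rc=0
  out=$(sh -c "$cmd" 2>&1) || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "IPMI command failed (rc=$rc): $(redact_password "$cmd")"
    return "$rc"
  fi
  printf '%s\n' "$out"
}

# usage (constructed sample host and credentials):
# run_ipmi_cmd 'ipmimonitoring -h 10.0.0.5 -u nagios -p S3cret --sensor-types=Temperature'
```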