Linux command – ipmitool user

關於 IPMI 的基礎概念請參考 https://benjr.tw/11240

預設的 IPMI 只會有一個 administrator 使用者.

[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin user 
User Commands:
                   summary      [<channel number>]
                   list         [<channel number>]
                   set name     <user id> <username>
                   set password <user id> [<password>]
                   disable      <user id>
                   enable       <user id>
                   priv         <user id> <privilege level> [<channel number>]
                   test         <user id> <16|20> [<password]>

[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin user list
ID  Name       Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   admi       true    false      true       ADMINISTRATOR

透過參數 user set name / password 來新增一個使用者 ben.

[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin user set name 3 ben
[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin user set password 3
Password for user 3:
Password for user 3:

[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin user list
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   admin           true    false      true       ADMINISTRATOR
3   ben              true    false      false      CALLBACK

權限需要透過參數 channel 再設定.

[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin channel
Channel Commands: authcap   <channel number> <max privilege>
                  getaccess <channel number> [user id]
                  setaccess <channel number> <user id> [callin=on|off] [ipmi=on|off] [link=on|off] [privilege=level]
                  info      [channel number]
                  getciphers <ipmi | sol> [channel]

                  setkg hex|plain <key> [channel]

Possible privilege levels are:
   1   Callback level
   2   User level
   3   Operator level
   4   Administrator level
   5   OEM Proprietary level
  15   No access

[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin channel getaccess 1 3
Maximum User IDs     : 13
Enabled User IDs     : 3

User ID              : 3
User Name            : ben
Fixed Name           : No
Access Available     : call-in / callback
Link Authentication  : disabled
IPMI Messaging       : disabled
Privilege Level      : CALLBACK

須針對 callin , Link Auth , IPMI Msg , Channel Priv Limit 來設定,這幾個參數的說明請參考 https://www.intel.cn/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf 第 22.26 Set User Access Command

call-in
??

Link Authentication
Used to enable whether this user’s name and password information will be used for link authentication, e.g. PPP CHAP.

IPMI Messaging
Used to enable/disable whether this user’s name and password information will be used for IPMI Messaging. In this case, “IPMI Messaging” refers to the ability to execute generic IPMI commands that are not associated with a particular payload type.

Privilege Level
Table 6- 5, Channel Privilege Levels.
1. Callback level
This may be considered the lowest privilege level. Only commands necessary to support initiating a Callback are allowed.
2. User level
Only ‘benign’ commands are allowed. These are primarily commands that read data structures and retrieve status. Commands that can be used to alter BMC configuration, write data to the BMC or other management controllers, or perform system actions such as resets, power on/off, and watchdog activation are disallowed.
3. Operator level
All BMC commands are allowed, except for configuration commands that can change the behavior of the out-of-band interfaces.
4. Administrator level
All BMC commands are allowed, including configuration commands. An Adminstrator can even execute configuration commands that would disable the channel that the Administrator is communicating over.
5. OEM Proprietary level
15. No access

[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin channel setaccess 1 3 callin=on ipmi=on link=on privilege=4
[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin channel getaccess 1 3 
Maximum User IDs     : 13
Enabled User IDs     : 3

User ID              : 3
User Name            : ben
Fixed Name           : No
Access Available     : call-in / callback
Link Authentication  : disabled
IPMI Messaging       : enabled
Privilege Level      : ADMINISTRATOR

最後需要做 enable.

[root@local ~]# ipmitool -I lanplus -H 172.16.0.172 -U admin -P admin user enable 3

新的使用者已經設定完成,如果指令可以執行就確認沒問題了.

[root@local ~]# # ipmitool -I lanplus -H 172.16.0.172 -U ben -P 111111 sdr