IPMI Disable Cipher Suite Zero

Ivan Lawrence -

Note the current settings

From a system with ipmitool installed, issue the following command:

Example: the remote host's IP is 192.168.1.10 and the username and password are both ADMIN.

[root@host ~]# ipmitool -H 192.168.1.10 -P ADMIN -U ADMIN lan print
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 OEM
Auth Type Enable        : Callback : NONE MD2 MD5 OEM
                        : User     : NONE MD2 MD5 OEM
                        : Operator : NONE MD2 MD5 OEM
                        : Admin    : NONE MD2 MD5 OEM
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 192.168.1.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
SNMP Community String   : AMI
IP Header               : TTL=0x00 Flags=0x00 Precedence=0x00 TOS=0x00
BMC ARP Control         : ARP Responses Disabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 0.0 seconds
Default Gateway IP      : 192.168.1.1
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM

If the first character of "Cipher Suite Priv Max" is not a capital X then cipher suite zero is enabled.

Make the change

To disable it, copy the "Cipher Suite Priv Max" output (e.g. aaaaXXaaaXXaaXX) and change the first character to X (e.g. XaaaXXaaaXXaaXX).

Re-run the command, but replace print with set 1 cipher_privs XaaaXXaaaXXaaXX (note the X as the first character):

[root@host ~]# ipmitool -H 192.168.1.10 -P ADMIN -U ADMIN lan set 1 cipher_privs XaaaXXaaaXXaaXX

Now re-run the first command to be sure the changes were made:

[root@host ~]# ipmitool -H 192.168.1.10 -P ADMIN -U ADMIN lan print
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 OEM
Auth Type Enable        : Callback : NONE MD2 MD5 OEM
                        : User     : NONE MD2 MD5 OEM
                        : Operator : NONE MD2 MD5 OEM
                        : Admin    : NONE MD2 MD5 OEM
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 192.168.1.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
SNMP Community String   : AMI
IP Header               : TTL=0x00 Flags=0x00 Precedence=0x00 TOS=0x00
BMC ARP Control         : ARP Responses Disabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 0.0 seconds
Default Gateway IP      : 192.168.1.1
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0
Cipher Suite Priv Max   : XaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
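
The check and the edit described above can also be scripted. This is an added example, not part of the original article: the functions read `ipmitool lan print` output, report whether cipher suite zero is enabled, and build the replacement string. The function names and the embedded sample are constructed for illustration, and the position rule is the one this article states.

```shell
# Added example: audit `ipmitool lan print` output for cipher suite zero.
# Assumption (taken from the article): the first character of
# "Cipher Suite Priv Max" caps cipher suite zero, and X means unused.

# Read lan print output on stdin; print the privilege string, if any.
get_cipher_privs() {
    sed -n 's/^Cipher Suite Priv Max[[:space:]]*:[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Return 0 if cipher suite zero is disabled, 1 if enabled, 2 if malformed.
cipher_zero_disabled() {
    case $1 in
        *[!XcuoaO]*) return 2 ;;    # character outside the legend ipmitool prints
    esac
    [ "${#1}" -eq 15 ] || return 2  # the article's strings are 15 characters
    case $1 in
        X*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the value for "lan set 1 cipher_privs": unchanged except first char X.
hardened_privs() {
    rc=0
    cipher_zero_disabled "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then return 2; fi
    printf 'X%s\n' "${1#?}"
}

# Usage: ipmitool -H <host> -U <user> -P <password> lan print | audit
audit() {
    privs=$(get_cipher_privs)
    rc=0
    cipher_zero_disabled "$privs" || rc=$?
    case $rc in
        0) echo "OK: cipher suite zero disabled ($privs)" ;;
        1) echo "FAIL: cipher suite zero enabled; set cipher_privs $(hardened_privs "$privs")"
           return 1 ;;
        *) echo "ERROR: no valid Cipher Suite Priv Max line found" >&2
           return 2 ;;
    esac
}

# Constructed sample: the relevant lines of the "before" output above.
SAMPLE_BEFORE='RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused'
printf '%s\n' "$SAMPLE_BEFORE" | audit || true
```

The non-zero return from `audit` on a failing host makes it usable in a loop over a BMC inventory or as a scheduled compliance check.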

 
