Openbmc archive mirror
From: "vernon.mauery@linux.intel.com" <vernon.mauery@linux.intel.com>
To: "Jerry Wan (萬祐嘉)" <Jerry.Wan@quantatw.com>
Cc: "openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>,
	"George Hung (洪忠敬)" <George.Hung@quantatw.com>
Subject: Re: ipmi: Inquiry Regarding IPMI User Password Testing
Date: Mon, 13 Nov 2023 13:20:13 -0800
Message-ID: <ZVKTDa8MnUDt//Oz@mauery.jf.intel.com>
In-Reply-To: <PUZPR04MB48670ADEFA76685E7FC585EB88AFA@PUZPR04MB4867.apcprd04.prod.outlook.com>

On 09-Nov-2023 08:06 AM, Jerry Wan (萬祐嘉) wrote:
>Hi Vernon,
>
>
>We recently conducted some tests on phosphor-ipmi-host and found that the user password test command doesn't appear to be compliant with the IPMI specification.
>
>We used a 20-byte password testing command to validate a 16-byte password, and it passed the test. However, according to the IPMI specification, I think the above test combination should return a failure. (Please refer to IPMI spec 22.30-Set User Password Command, page 313)
>
>Here is the testing procedure:
>
>  1.  Change the user password with a 16-byte flag.
>root@evb:~# ipmitool user set password 5 Passw0rd 16
>Set User Password command successful (user 5)
>
>  2.  Use a 16-byte testing command to validate the correct password: Pass
>root@evb:~# ipmitool user test 5 16 Passw0rd
>Success
>
>  3.  Use a 20-byte testing command to validate the correct password: Pass <== I think this should be a Fail
>root@gms:~# ipmitool user test 5 20 Passw0rd
>Success
>
>Could you please confirm if my understanding is correct?

Jerry,

The openbmc platform doesn't keep track of how the passwords were set 
(whether with the 16 or 20 byte flag). So the behavior you showed is 
expected.

When you set a password, the flag is there just because the IPMI 
specification had to add it for backwards compatibility with IPMI-1.5. 
But really, the same underlying code is called with either the 16 or 20 
byte buffer.

If the password matches, the password matches. The only thing 
you can't do is attempt to set a 20-byte password and then attempt to 
authenticate with only the first 16 bytes.

--Vernon
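
Added example, not part of the original messages and not phosphor-ipmi-host code: a C++ model of the two behaviours discussed in this thread, a size-agnostic password test and a spec-strict one that remembers the size flag and answers completion code 81h on a size mismatch. `StoredUser`, `wireField`, `testSizeAgnostic` and `testSpecStrict` are hypothetical names, the passwords are constructed sample values, and returning 80h from the size-agnostic model on a mismatch is this example's assumption.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Completion codes of Set User Password, test-password operation (IPMI 2.0, 22.30).
constexpr uint8_t ccOk = 0x00;
constexpr uint8_t ccDataMismatch = 0x80; // size correct, data does not match
constexpr uint8_t ccWrongSize = 0x81;    // wrong password size was used

struct StoredUser // hypothetical record, constructed for this example
{
    std::string password; // kept without NUL padding
    bool setWith20;       // only a spec-strict implementation needs this
};

// Password field as sent on the wire: fixed 16 or 20 bytes, NUL padded or truncated.
std::vector<uint8_t> wireField(const std::string& pw, bool use20)
{
    std::vector<uint8_t> f(use20 ? 20 : 16, 0);
    std::copy_n(pw.begin(), std::min(pw.size(), f.size()), f.begin());
    return f;
}

// Size-agnostic model: drop the padding, compare what is left.
uint8_t testSizeAgnostic(const StoredUser& u, const std::vector<uint8_t>& f)
{
    std::string got(f.begin(), std::find(f.begin(), f.end(), 0));
    return got == u.password ? ccOk : ccDataMismatch;
}

// Spec-strict model: the field size must match the size used when setting.
uint8_t testSpecStrict(const StoredUser& u, const std::vector<uint8_t>& f)
{
    if ((f.size() == 20) != u.setWith20)
        return ccWrongSize;
    return testSizeAgnostic(u, f);
}

int main()
{
    StoredUser u{"Passw0rd", false}; // set with the 16-byte flag, as in the thread
    std::printf("agnostic, 20-byte test: 0x%02x\n", testSizeAgnostic(u, wireField("Passw0rd", true)));
    std::printf("strict,   20-byte test: 0x%02x\n", testSpecStrict(u, wireField("Passw0rd", true)));
    StoredUser l{"0123456789abcdefghij", true}; // constructed 20-character password
    std::printf("agnostic, first 16 of 20: 0x%02x\n", testSizeAgnostic(l, wireField(l.password, false)));
}
```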
