Setting up password controls

You can set up password controls for BMC LAN access on Power Systems servers.

The following example shows how to set up password control for two users (default user with userid 1 and the null user) in the LAN channel.

Note: To reduce vulnerability, the IPMI LAN interface must be enabled only in a trusted environment where the system is secure, or where it is connected to a dedicated secure or private network.

The BMC can be configured to support multiple users and passwords for all channels except the Open channel. Typically the same user and same password can be used for all the BMC channels. Instructions to set up password control for other channels are not included in this example. The instructions can be used only for the LAN channel.

User IDs and privilege levels are unique for each channel. To view the current user IDs that are in use and the related information for the LAN channel (0x1), run the following command:

# ipmitool user list 1
ID Name       Callin Link Auth IPMI Msg  Channel Priv Limit
1  USERID      true  false   true    ADMINISTRATOR

Note: On all IBM® BMCs, the default userid 1 is USERID with a password of PASSW0RD.

To change the name of userid 1, run the following command:

# ipmitool user set name 1 <New User ID>

To set a new password for userid 1, run the following command:

# ipmitool user set password 1 <New Password>

You can also use a null user for anonymous login. To change the password for the null user (userid 1) on the LAN channel, run the following command:

# ipmitool lan set 1 password <New Password>

You can list the users that you have set up and find the new name (user ID) for userid 1. The null user is not listed when it is disabled in the BMC BIOS settings. Run the following command:

# ipmitool user list 1

After configuring the user IDs, you can set up the BMC LAN channel parameters by setting its IP address, netmask, SNMP public community string, and gateway address. Run the following commands:

# ipmitool lan set 1 ipaddr <Your IP address for the BMC>
# ipmitool lan set 1 netmask <Your Subnet Mask>
# ipmitool lan set 1 snmp <Your SNMP>
# ipmitool lan set 1 defgw ipaddr <Your gateway server>

You can also set other LAN parameters. To check for the parameters that you can set, enter the following command:

# ipmitool lan set help

Check your LAN parameter settings by running the following command. An output similar to the following example is displayed:

# ipmitool lan print
Set in Progress       : Set Complete
Auth Type Support     : NONE MD2 MD5 PASSWORD 
Auth Type Enable      : Callback : 
                      : User     : MD2 MD5 PASSWORD 
                      : Operator : MD2 MD5 PASSWORD 
                      : Admin    : MD2 MD5 PASSWORD 
                      : OEM      : 
IP Address Source     : BIOS Assigned Address
IP Address            : 192.168.0.3
Subnet Mask           : 255.255.255.0
MAC Address           : 00:14:5e:1b:c6:c1
SNMP Community String : public
IP Header             : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control       : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl : 2.0 seconds
Default Gateway IP    : 192.168.0.1
Default Gateway MAC   : 00:00:00:00:00:00
Backup Gateway IP     : 0.0.0.0
Backup Gateway MAC    : 00:00:00:00:00:00
802.1q VLAN ID        : Disabled
802.1q VLAN Priority  : 0
RMCP+ Cipher Suites   : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max : aaaaaaaaaaaaaaa
                      :   X=Cipher Suite Unused
                      :   c=CALLBACK
                      :   u=USER
                      :   o=OPERATOR
                      :   a=ADMIN

Note: After you change the default user ID and password, unauthorized persons cannot use the published default information to access your BMC LAN channel and remotely power cycle your system or perform other unauthorized activities. If you forget the BMC user ID or passwords, you can set a new user ID and password by logging in to the system and running IPMItool as root.
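The following check is an added example, not part of the original IBM page: it reads saved output of "ipmitool user list 1" and "ipmitool lan print" and reports values still at the published defaults. The function names and the sample input are constructed for illustration, and flagging an enabled auth type of NONE (no password required at that privilege level) goes beyond the steps on this page.

```shell
#!/bin/sh
# Added example (not IBM's code): flag BMC LAN settings left at defaults.
# Feed it saved output of `ipmitool user list 1` and `ipmitool lan print`.

# Reads `ipmitool user list 1` output; reports any ID still named USERID.
audit_users() {
    awk 'NR > 1 && $2 == "USERID" {
        print "user " $1 ": name is still the default USERID"
    }'
}

# Reads `ipmitool lan print` output; reports the default SNMP community
# string and any privilege level that accepts auth type NONE (no password).
audit_lan() {
    awk -F: '
    {
        key = $1; gsub(/^ +| +$/, "", key)
        if (key != "") section = key   # continuation lines have an empty key
    }
    section == "Auth Type Enable" {
        level = $2; gsub(/ /, "", level)
        if ((" " $3 " ") ~ / NONE /) print "auth: NONE enabled for " level
    }
    section == "SNMP Community String" {
        val = $2; gsub(/^ +| +$/, "", val)
        if (val == "public") print "snmp: community string is still public"
    }'
}

# Constructed sample input, modelled on the output shown on this page.
sample_users() {
    cat <<'EOF'
ID Name       Callin Link Auth IPMI Msg  Channel Priv Limit
1  USERID      true  false   true    ADMINISTRATOR
EOF
}
sample_lan() {
    cat <<'EOF'
Auth Type Support     : NONE MD2 MD5 PASSWORD
Auth Type Enable      : Callback :
                      : User     : NONE MD2 MD5 PASSWORD
                      : Admin    : MD2 MD5 PASSWORD
IP Address            : 192.168.0.3
SNMP Community String : public
EOF
}

sample_users | audit_users
sample_lan | audit_lan
```

On a live system, pipe the real commands into the functions instead of the samples, for example "ipmitool lan print | audit_lan"; no output means none of these defaults were found.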