Description of problem:
username (for ipmilan) should not be required.

$ ipmitool -I lanplus -H ibm-p8-rhevm-hv-01-fsp.lab.bos.redhat.com -U '' -P admin power status
Chassis Power is on

$ man ipmitool | col -b | awk '/^[ \t]*\-U/ {print; getline;print }'
       -U <username>
              Remote server username, default is NULL user.

$ ipmitool -I lanplus -H ibm-p8-rhevm-hv-01-fsp.lab.bos.redhat.com -P admin power status
Chassis Power is on

we are not here to "repair" bad ideas; if we were, then we should kill horrible[1] IPMI anyway :D

Version-Release number of selected component (if applicable):
rhevm-webadmin-portal-3.5.0-0.13.beta.el6ev.noarch and 3.4.3 too

How reproducible:
100%

Steps to Reproduce:
1. try to set up power mgmt (or at least ipmilan) without username
2.
3.

Actual results:
not possible

Expected results:
should work, people are stupid and use default username/pass anyway (or they use ipmi anyway)

Additional info:
[1] http://www.darkreading.com/new-gaping-security-holes-found-exposing-servers/d/d-id/1140063?
have ipmi manufacturers repaired the great heartbleed bug? lol
One can see here even IBM doesn't use username :) https://www.ibm.com/developerworks/linux/tutorials/l-ibm-powerkvm-system-bring-up/
Can you run the ipmitool command with 'on' or 'off' without giving the user as well, or just the status command? This is important since the same credentials are persisted to the DB and used for both status and on/off.
I suppose this is irrelevant to the bug/issue here; 'query' commands are probably dependent on how privileges are set up.
One cannot do anything without valid privileges. I can't query power status with fake credentials or without authentication.

# ipmitool -I lanplus -H ibm-p8-rhevm-hv-01-fsp.lab.bos.redhat.com -A none power status
Error: Unable to establish IPMI v2 / RMCP+ session

I didn't ask to drop authentication, but this IPMI does allow a NULL username while still requiring a valid password.

# ipmitool -I lanplus -H ibm-p8-rhevm-hv-01-fsp.lab.bos.redhat.com user list
Password:
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
1          true    false      true      ADMINISTRATOR
2   root   true    false      true      ADMINISTRATOR

See above, NULL for 'Name'. And as it is the default for these machines, and probably the default for the whole IPMI horror, we should not require the username to be non-NULL. Requiring the username not to be NULL means you ask an administrator to reconfigure the IPMI interface on his hardware.
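The point made in the comment above is that the NULL-named slot is a real, password-protected account with ADMINISTRATOR privilege, not an unauthenticated path. An administrator auditing a fleet of BMCs will want to know which of them have such a slot enabled before deciding whether a fence agent may rely on it. The following script is an added example, not code from this bug report or from RHEV/oVirt: it parses the text that `ipmitool user list` prints (the sample below is constructed to mirror the two rows quoted above, plus a disabled slot so the two-word "NO ACCESS" privilege is exercised) and reports user slots that have an empty name yet can open IPMI sessions. The token-based column parsing is my own assumption about the output layout; it does not invoke ipmitool and runs offline.

```python
from dataclasses import dataclass

# Constructed sample, modelled on the `ipmitool user list` output quoted in
# the comment above (header and first two rows) plus a disabled slot with a
# two-word privilege limit. This is not captured from a real BMC.
SAMPLE_USER_LIST = """\
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
1          true    false      true      ADMINISTRATOR
2   root   true    false      true      ADMINISTRATOR
3          true    false      false     NO ACCESS
"""

BOOL_WORDS = {"true": True, "false": False}


@dataclass
class IpmiUser:
    uid: int
    name: str          # "" means the NULL (anonymous) user slot
    callin: bool
    link_auth: bool
    ipmi_msg: bool     # whether this slot may open IPMI messaging sessions
    priv: str          # channel privilege limit, e.g. ADMINISTRATOR, NO ACCESS


def parse_user_list(text):
    """Parse `ipmitool user list` text into IpmiUser records.

    The Name column may be empty, so columns are located by finding the first
    true/false token rather than by position. Everything after the three
    boolean columns is the privilege limit (which may contain a space).
    """
    users = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header line or blank line
        first_bool = next((i for i, t in enumerate(tokens) if t in BOOL_WORDS), None)
        if first_bool is None or len(tokens) < first_bool + 4:
            continue  # malformed row: need three booleans plus a privilege
        name = " ".join(tokens[1:first_bool])          # empty for the NULL user
        flags = [BOOL_WORDS[t] for t in tokens[first_bool:first_bool + 3]]
        priv = " ".join(tokens[first_bool + 3:])
        users.append(IpmiUser(int(tokens[0]), name, *flags, priv))
    return users


def anonymous_ipmi_users(users):
    """Return slots with an empty name that can still authenticate over IPMI."""
    return [u for u in users if u.name == "" and u.ipmi_msg and u.priv != "NO ACCESS"]


if __name__ == "__main__":
    for user in anonymous_ipmi_users(parse_user_list(SAMPLE_USER_LIST)):
        print(f"slot {user.uid}: NULL username enabled with privilege {user.priv}")
```

Feed it the real output (`ipmitool ... user list > users.txt`) and a non-empty result tells you the BMC still has the vendor's NULL-user slot active; whether to disable that slot or to let the fence agent use it is then an informed decision rather than a surprise.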
I am incredibly hesitant to agree with this one due to just how bad the practice is. While it may be possible to configure an environment in this way, it is absolutely a security risk. I do not want RHEV being used as a potential attack vector or even being remotely associated with a potential third-party vulnerability. I propose CLOSED - WONTFIX.
Please reread #5: "I can't query power status with fake credentials or without authentication." If you close as WONTFIX you add more work for all sysadmins, and they would ask: why do I need to set a username? My configured password is enough! (There is a password!) If you care absolutely about a security risk, then propose a big popup informing users of IPMI that their IPMI device is probably unpatched, contains the OpenSSL heartbleed bug, and probably uses a default password (I saw this on enterprise servers of well-known worldwide enterprises)...
Scott, any decision on that regarding comment 7 and comment 8? Should we apply or close as WONTFIX?