[Info-vax] RX2800 i4 iLO 3 firmware

Dave Froble davef at tsoft-inc.com
Wed Jun 23 20:50:32 EDT 2021 

On 6/23/2021 12:58 PM, Stephen Hoffman wrote:
> On 2021-06-22 23:27:16 +0000, <kemain.nospam at gmail.com> said:
>
>> Out of band server management like ILO's, DRAC including remote power
>> mgmt. strategies has been around for decades (early 1980's).
>
> Outboard console was more of a necessity back then, as the earliest VAX
> itself was comparatively, well, stupid.
>
> The VAX-11/780 operated as a peripheral of an LSI-11, in a manner of
> consideration. Boot the LSI, which then loads and boots Star and Starlet.
>
> Later VAX systems got somewhat smarter.
>
> Remote management was something comparatively new for OpenVMS folks,
> first arriving with Itanium for many of the OpenVMS sites around.

Well, it wasn't "management", but way back I recall a PDP-11 with a 
device the Colorado support people could dial into.

>> VAX Nautilus and Polarstar systems used external PRO-350/380 PC
>> systems to manage (including Poff/Pon, searchable soft log files) VAX
>> systems.
>
> The Nautilus family used Pro 350 and Pro 380 hardware, with those boxes
> renamed as VAX console. The Polarstar family used a MicroVAX II as the
> console. The MicroVAX was one of the distinguishing features of
> Polarstar. VAX-11/780 used an LSI-11, as mentioned above. The VAX 9000
> service processor unit comprised of 4 MicroVAX II processors. Alpha
> eventually added RCM and RMC hardware outboard, all the way up to the
> entirely gonzo server management network present within the Marvel-class
> AlphaServer boxes; AlphaServer GS1280, etc.
>
> IBM used last year's mainframe model as this year's channel controller
> as that old joke went, and analogous jokes about VAX consoles.
>
> None of these VAX and Alpha consoles was supported for remote Ethernet
> network access, with the gear supporting remote serial access at best.
> Early on, this serial access was intended for DEC Field Service to dial
> in (modems, remember those?) and diagnose the server.

I do remember that ...

> Yes, some older sites did routinely use terminal servers as a workaround
> for remote console access, or used a console app such as VAXcluster
> Console System (VCS) or Minicom and serial cabling, or screen/tmux, etc.
> And I've remotely tapped into the Marvel internal network, as have
> others. These were wildly insecure, by present-day standards.
>
> HP and HPE iLO, Dell iDRAC, the SuperMicro BMC, and various other
> available gear all substantially improve on what the older server
> consoles could do, though. Particularly around remote management and
> monitoring and automation, and with far better support for server
> installation. And with better connection security. (Usually. Somewhat.
> See below.)
>
> For lower-end boxes, Intel vPro and AMD Pro management access is
> available from various vendors.
>
> iLO 2 and iLO 2 are hardware limited and which reportedly constrains
> what is possible with the hardware, and are nowadays best kept isolated.
> There are exploits against these, including the CVE-2013-4786
> vulnerability.
>
> "There is no resolution to this issue. The authentication process for
> the IPMI 2.0 specification mandates that the server send a salted SHA1
> or MD5 hash of the requested user's password to the client, prior to the
> client authenticating. The BMC returns the password hash for any valid
> user account requested. This password hash can be broken using an
> offline brute force or dictionary attack. Because this functionality is
> a key part of the IPMI 2.0 specification, there is no way to fix the
> problem without deviating from the IPMI 2.0 specification."
>
> Meaning you will want to disable IPMI ( MP:CM> sa -lanipmi d ) if you're
> not using it, and not on a constrained-access management network.
>
> And another reason for isolation: iLO 2 and iLO 3 ssh security is badly
> down-revision, which means connecting using something similar to this:
> ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o
> KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc
> -o MACs=hmac-md5,hmac-sha1 User at Server.Example.Com

Apparently I'm getting an itanic on Friday.  Do I have to use iLO and 
such, or, can I ignore tham?


-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486

More information about the Info-vax mailing list