[Info-vax] RX2800 i4 iLO 3 firmware
Eberhard Heuser
e.heuser at dvdwrite.de
Wed Jun 23 13:47:30 EDT 2021
Do you know if there is a special CPU for the iLO program? And if so, could you tell which one?
Eberhard
On 23 June 2021 18:58:40 CEST, Stephen Hoffman via Info-vax <info-vax at rbnsn.com> wrote:
>On 2021-06-22 23:27:16 +0000, <kemain.nospam at gmail.com> said:
>
>> Out of band server management like ILO's, DRAC including remote power
>> mgmt. strategies has been around for decades (early 1980's).
>
>Outboard console was more of a necessity back then, as the earliest VAX
>itself was comparatively, well, stupid.
>
>The VAX-11/780 operated as a peripheral of an LSI-11, in a manner of
>consideration. Boot the LSI, which then loads and boots Star and
>Starlet.
>
>Later VAX systems got somewhat smarter.
>
>Remote management was something comparatively new for OpenVMS folks,
>first arriving with Itanium for many of the OpenVMS sites around.
>
>> VAX Nautilus and Polarstar systems used external PRO-350/380 PC systems
>> to manage (including Poff/Pon, searchable soft log files) VAX systems.
>
>The Nautilus family used Pro 350 and Pro 380 hardware, with those boxes
>renamed as VAX console. The Polarstar family used a MicroVAX II as the
>console. The MicroVAX was one of the distinguishing features of
>Polarstar. VAX-11/780 used an LSI-11, as mentioned above. The VAX 9000
>service processor unit comprised 4 MicroVAX II processors. Alpha
>eventually added RCM and RMC hardware outboard, all the way up to the
>entirely gonzo server management network present within the
>Marvel-class AlphaServer boxes; AlphaServer GS1280, etc.
>
>IBM used last year's mainframe model as this year's channel controller
>as that old joke went, and analogous jokes about VAX consoles.
>
>None of these VAX and Alpha consoles was supported for remote Ethernet
>network access, with the gear supporting remote serial access at best.
>Early on, this serial access was intended for DEC Field Service to dial
>in (modems, remember those?) and diagnose the server.
>
>Yes, some older sites did routinely use terminal servers as a
>workaround for remote console access, or used a console app such as
>VAXcluster Console System (VCS) or Minicom and serial cabling, or
>screen/tmux, etc. And I've remotely tapped into the Marvel internal
>network, as have others. These were wildly insecure, by present-day
>standards.
>
>HP and HPE iLO, Dell iDRAC, the SuperMicro BMC, and various other
>available gear all substantially improve on what the older server
>consoles could do, though. Particularly around remote management and
>monitoring and automation, and with far better support for server
>installation. And with better connection security. (Usually. Somewhat.
>See below.)
>
>For lower-end boxes, Intel vPro and AMD Pro management access is
>available from various vendors.
>
>iLO 2 and iLO 3 are hardware limited, which reportedly constrains
>what is possible with the hardware, and are nowadays best kept
>isolated. There are exploits against these, including the CVE-2013-4786
>vulnerability.
>
>"There is no resolution to this issue. The authentication process for
>the IPMI 2.0 specification mandates that the server send a salted SHA1
>or MD5 hash of the requested user's password to the client, prior to
>the client authenticating. The BMC returns the password hash for any
>valid user account requested. This password hash can be broken using an
>offline brute force or dictionary attack. Because this functionality is
>a key part of the IPMI 2.0 specification, there is no way to fix the
>problem without deviating from the IPMI 2.0 specification."
>
>Meaning you will want to disable IPMI ( MP:CM> sa -lanipmi d ) if
>you're not using it, and not on a constrained-access management
>network.
>
>And another reason for isolation: iLO 2 and iLO 3 ssh security is badly
>down-revision, which means connecting using something similar to this:
>
>ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1 User@Server.Example.Com
>
>--
>Pure Personal Opinion | HoffmanLabs LLC
>
>_______________________________________________
>Info-vax mailing list
>Info-vax at rbnsn.com
>http://rbnsn.com/mailman/listinfo/info-vax_rbnsn.com
--
This message was sent from my Android device with K-9 Mail.
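The quoted ssh command above turns on ssh-dss host keys, group1-sha1 key exchange, CBC ciphers and hmac-md5 for a single connection. The practical risk is that someone drops those same options into ~/.ssh/config under "Host *" to make the iLO "just work", and thereby weakens every ssh connection from that workstation. The script below is an example added to this archive page (not from the thread, from HPE, or from OpenSSH): it parses a client config and reports each legacy algorithm that is enabled, flagging the ones that apply globally rather than only to the isolated management host. The sample config, the host name ilo-rx2800 and its address are constructed; which algorithm names count as legacy is this example's own assumption, drawn from the names in the thread's command.

```python
"""Audit an OpenSSH client config for the down-revision algorithms an
iLO 2 / iLO 3 connection needs (example added to this archive page; not
from the thread or from HPE).

Reports each legacy algorithm found, and marks a finding GLOBAL when it
sits in a block that applies to every destination ("Host *" or options
written before any Host line).
"""
import re
from typing import Dict, List

# Algorithm names are the ones from the thread's ssh command; treating them
# as legacy is this example's assumption (they are off by default in
# current OpenSSH releases, which is why the -o overrides are needed).
LEGACY = {
    "hostkeyalgorithms": {"ssh-dss"},
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "ciphers": {"aes128-cbc", "3des-cbc"},
    "macs": {"hmac-md5"},
}

# Constructed sample config; the host name and address are made up.
SAMPLE_CONFIG = """\
# the isolated iLO 3 on the management network
Host ilo-rx2800
    HostName 10.0.0.2
    HostKeyAlgorithms ssh-rsa,ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers aes128-cbc,3des-cbc
    MACs hmac-md5,hmac-sha1

# someone "fixed" a connection problem here and weakened every host
Host *
    Ciphers aes128-cbc,aes256-gcm@openssh.com
"""


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {host_pattern: {option_lowercase: value}} for each Host block.

    Options that appear before the first Host line apply to every host, so
    they are filed under the pattern '*'.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current = "*"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Key value" as well as "Key=value"
        m = re.match(r"^(\S+?)[\s=]+(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = value
            blocks.setdefault(current, {})
            continue
        blocks.setdefault(current, {})[key] = value
    return blocks


def audit(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per legacy algorithm enabled; GLOBAL ones matter most."""
    findings: List[str] = []
    for host, opts in blocks.items():
        # A bare '*' token means the block applies to every destination.
        scope = "GLOBAL" if "*" in host.split() else "scoped"
        for option, weak in LEGACY.items():
            value = opts.get(option)
            if not value:
                continue
            # A leading '-' removes the listed names from the default set,
            # so it cannot enable anything; '+' and '^' append/prepend.
            if value.startswith("-"):
                continue
            names = {n.strip() for n in value.lstrip("+^").split(",")}
            hit = sorted(names & weak)
            if hit:
                findings.append(
                    f"{scope}: Host {host}: {option} allows {','.join(hit)}")
    return findings


def global_findings(findings: List[str]) -> List[str]:
    """The subset of findings that weaken connections to every host."""
    return [f for f in findings if f.startswith("GLOBAL")]


if __name__ == "__main__":
    for line in audit(parse_ssh_config(SAMPLE_CONFIG)):
        print(line)
```

On the sample config the scoped findings for ilo-rx2800 are expected (that host is the down-rev iLO on an isolated network), while the GLOBAL finding for "Host *" is the one to fix: move the CBC cipher into the iLO's own Host block so the rest of the fleet keeps the OpenSSH defaults.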