[Info-vax] RX2800 i4 iLO 3 firmware

vaxinf@gmail.com vaxinf at googlemail.com
Thu Jun 24 10:03:38 EDT 2021


Do you know if there is a special CPU for the iLO program? And if so, 
could you tell which one?
Eberhard

On 23 June 2021 18:58:40 MESZ, Stephen Hoffman via Info-vax 
<info-vax at rbnsn.com> wrote:

    On 2021-06-22 23:27:16 +0000, <kemain.nospam at gmail.com> said:

        Out of band server management like ILO's, DRAC including remote
        power mgmt. strategies has been around for decades (early 1980's). 


    Outboard console was more of a necessity back then, as the earliest VAX
    itself was comparatively, well, stupid.

    The VAX-11/780 operated as a peripheral of an LSI-11, in a manner of
    consideration. Boot the LSI, which then loads and boots Star and
    Starlet.

    Later VAX systems got somewhat smarter.

    Remote management was something comparatively new for OpenVMS folks,
    first arriving with Itanium for many of the OpenVMS sites around.

        VAX Nautilus and Polarstar systems used external PRO-350/380 PC
        systems to manage (including Poff/Pon, searchable soft log
        files) VAX systems. 


    The Nautilus family used Pro 350 and Pro 380 hardware, with those boxes
    renamed as VAX console. The Polarstar family used a MicroVAX II as the
    console. The MicroVAX was one of the distinguishing features of
    Polarstar. VAX-11/780 used an LSI-11, as mentioned above. The VAX 9000
    service processor unit comprised of 4 MicroVAX II processors. Alpha
    eventually added RCM and RMC hardware outboard, all the way up to the
    entirely gonzo server management network present within the
    Marvel-class AlphaServer boxes; AlphaServer GS1280, etc.

    IBM used last year's mainframe model as this year's channel controller
    as that old joke went, and analogous jokes about VAX consoles.

    None of these VAX and Alpha consoles was supported for remote Ethernet
    network access, with the gear supporting remote serial access at best.
    Early on, this serial access was intended for DEC Field Service to dial
    in (modems, remember those?) and diagnose the server.

    Yes, some older sites did routinely use terminal servers as a
    workaround for remote console access, or used a console app such as
    VAXcluster Console System (VCS) or Minicom and serial cabling, or
    screen/tmux, etc. And I've remotely tapped into the Marvel internal
    network, as have others. These were wildly insecure, by present-day
    standards.

    HP and HPE iLO, Dell iDRAC, the SuperMicro BMC, and various other
    available gear all substantially improve on what the older server
    consoles could do, though. Particularly around remote management and
    monitoring and automation, and with far better support for server
    installation. And with better connection security. (Usually. Somewhat.
    See below.)

    For lower-end boxes, Intel vPro and AMD Pro management access is
    available from various vendors.

    iLO 2 and iLO 3 are hardware limited, which reportedly constrains
    what is possible with the hardware, and are nowadays best kept
    isolated. There are exploits against these, including the CVE-2013-4786
    vulnerability.

    "There is no resolution to this issue. The authentication process for
    the IPMI 2.0 specification mandates that the server send a salted SHA1
    or MD5 hash of the requested user's password to the client, prior to
    the client authenticating. The BMC returns the password hash for any
    valid user account requested. This password hash can be broken using an
    offline brute force or dictionary attack. Because this functionality is
    a key part of the IPMI 2.0 specification, there is no way to fix the
    problem without deviating from the IPMI 2.0 specification."

    Meaning you will want to disable IPMI ( MP:CM> sa -lanipmi d ) if
    you're not using it, and not on a constrained-access management network.

    And another reason for isolation: iLO 2 and iLO 3 ssh security is badly
    down-revision, which means connecting using something similar to this:
    ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o
    KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc
    -o MACs=hmac-md5,hmac-sha1 User at Server.Example.Com




-- 
This message was sent from my Android device with K-9 Mail.
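The legacy algorithm set Hoffman shows above is awkward to type on every connection and easy to apply too broadly. An added example, not from the original thread, of scoping those options to the iLO alone in `~/.ssh/config` so the rest of the client's sessions keep their modern defaults; the host alias, hostname and user name are placeholders to replace with your own:

```ssh_config
# ~/.ssh/config (added example, not from the original post)
# Hypothetical alias for the RX2800 i4's iLO 3; choose your own.
Host ilo-rx2800
    # Placeholder: the iLO's address on the isolated management network.
    HostName ilo.server.example.com
    # Placeholder user name.
    User Admin
    # The down-revision algorithms from the post, limited to this host only.
    HostKeyAlgorithms ssh-rsa,ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers aes128-cbc,3des-cbc
    MACs hmac-md5,hmac-sha1
    # Pin the iLO's host key in its own file and refuse unknown keys, so a
    # changed key on the management network is noticed rather than accepted.
    UserKnownHostsFile ~/.ssh/known_hosts_ilo
    StrictHostKeyChecking yes
```

With this stanza in place, `ssh ilo-rx2800` replaces the long command line, and no other `Host` entry inherits the weak algorithms.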