IPMI User privilege for Booting PC

[Grinchy]

Hello,

I want to boot my FreeNAS System by starting an Script on my Windows PC. For this I'm using ipmiutil on Windows 10.

Got it now working with "./ireset -D -N IP -U USERNAME -R XXX". But the big Problem is, to boot your System, the IPMI User needs Admin privileges for starting the Server. User or Operator seems to be not enough for this.
I already created a new User just for booting the Server. But if I would give Admin privileges to this User, the password would be written in this Windows Script without any Encryption. So if someone would open this Script, he would have Admin privilege and full Access to my IPMI.

Is there any way to create an IPMI User who's just allowed to boot the System? There would be no other purpose for this User. Or is there, at least, a way to Encrypt the PW so that nobody can see the PW even after opening the Script?

Thank you!

 

[Ericloewe]

What motherboard? Different manufacturers may have different implementations.

 

[Grinchy]

ah sorry! It's an X11SSM-F

 

[Ericloewe]

Have you looked into Redfish? It may support what you need. I believe Supermicro has a manual for their implementation, somewhere.

 

[jgreco]

The IPMI stuff is oriented towards data center operations, where this sort of security isn't really the same type of concern, and in fact being able to see the password might be considered a plus in some environments.

There isn't a practical way to encrypt the password within the script that doesn't also leave a path to someone copying the script and doing s/ireset/echo/ and running the script to reveal the obfuscated password. This is always a tricky area to cope with.

The IPMI user levels are not as fine-grained as you might wish. There may be some hacky ways to "make" it work with the IPMI controller, but consider looking at Redfish or even see if the Wake-on-LAN stuff works on that particular board. I haven't tried any of that, just throwing out ideas. The Wake-on-LAN stuff seems ideal except that I believe FreeNAS still lacks support for it. It would be nice to be wrong, though.

 

[Chris Moore]

I have a utility (I forgot the name) that will send the wake-on-LAN magic packet to any MAC address. As long as wake-on-LAN is enabled in the BIOS, it is like you pushed the power button on the server.

Why do you want to script that?

Sent from my SAMSUNG-SGH-I537 using Tapatalk

 

[Grinchy]

Can WOL turn on an Server even if it's fully turned off (S5)? Thought this would work only if the System is in Sleep (S3) State?

I never tried it, but from what I've read in this Forum it seems like the i210-AT doesn't support WOL on FreeNAS. It works with Windows so.

That's why I was searching for a Method to turn on the Server with IPMI.

 

[Ericloewe]

even see if the Wake-on-LAN stuff works on that particular board

Now that you mentioned it, Wake on LAN was fixed for Intel NICs in either 11.0 or 11.1. Turns out it was completely broken and (almost) nobody noticed.

I never tried it, but from what I've read in this Forum it seems like the i210-AT doesn't support WOL on FreeNAS.

It should now. Give it a try.