IPMI User privilege for Booting PC

Status
Not open for further replies.

Grinchy

Explorer
Joined
Aug 5, 2017
Messages
78
Hello,

I want to boot my FreeNAS System by starting an Script on my Windows PC. For this I'm using ipmiutil on Windows 10.

Got it now working with "./ireset -D -N IP -U USERNAME -R XXX". But the big Problem is, to boot your System, the IPMI User needs Admin privileges for starting the Server. User or Operator seems to be not enough for this.
I already created a new User just for booting the Server. But if I would give Admin privileges to this User, the password would be written in this Windows Script without any Encryption. So if someone would open this Script, he would have Admin privilege and full Access to my IPMI.

Is there any way to create an IPMI User who's just allowed to boot the System? There would be no other purpose for this User. Or is there, at least, a way to Encrypt the PW so that nobody can see the PW even after opening the Script?

Thank you!
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
What motherboard? Different manufacturers may have different implementations.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Have you looked into Redfish? It may support what you need. I believe Supermicro has a manual for their implementation, somewhere.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The IPMI stuff is oriented towards data center operations, where this sort of security isn't really the same type of concern, and in fact being able to see the password might be considered a plus in some environments.

There isn't a practical way to encrypt the password within the script that doesn't also leave a path to someone copying the script and doing s/ireset/echo/ and running the script to reveal the obfuscated password. This is always a tricky area to cope with.

The IPMI user levels are not as fine-grained as you might wish. There may be some hacky ways to "make" it work with the IPMI controller, but consider looking at Redfish or even see if the Wake-on-LAN stuff works on that particular board. I haven't tried any of that, just throwing out ideas. The Wake-on-LAN stuff seems ideal except that I believe FreeNAS still lacks support for it. It would be nice to be wrong, though.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I have a utility (I forgot the name) that will send the wake-on-LAN magic packet to any MAC address. As long as wake-on-LAN is enabled in the BIOS, it is like you pushed the power button on the server.

Why do you want to script that?

Sent from my SAMSUNG-SGH-I537 using Tapatalk
 

Grinchy

Explorer
Joined
Aug 5, 2017
Messages
78
Can WOL turn on an Server even if it's fully turned off (S5)? Thought this would work only if the System is in Sleep (S3) State?

I never tried it, but from what I've read in this Forum it seems like the i210-AT doesn't support WOL on FreeNAS. It works with Windows so.

That's why I was searching for a Method to turn on the Server with IPMI.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
even see if the Wake-on-LAN stuff works on that particular board
Now that you mentioned it, Wake on LAN was fixed for Intel NICs in either 11.0 or 11.1. Turns out it was completely broken and (almost) nobody noticed.

I never tried it, but from what I've read in this Forum it seems like the i210-AT doesn't support WOL on FreeNAS.
It should now. Give it a try.
 
Status
Not open for further replies.
Top