IPMI – Understanding the ipmitool ‘Auth Type’


What's the meaning of Auth Type Support: NONE MD2 MD5 PASSWORD and Auth Type Enable : Callback : MD2 MD5 PASSWORD?

When I use lan print 1 in my server, ipmitool shows the following output:

[root@localhost ~]# ipmitool -I open lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD 
Auth Type Enable        : Callback : MD2 MD5 PASSWORD 
                        : User     : MD2 MD5 PASSWORD 
                        : Operator : MD2 MD5 PASSWORD 
                        : Admin    : MD2 MD5 PASSWORD 
                        : OEM      : MD2 MD5 PASSWORD 
IP Address Source       : Static Address
IP Address              : 172.16.22.237
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:a9:42:4a
SNMP Community String   : public
IP Header               : TTL=0x00 Flags=0x00 Precedence=0x00 TOS=0x00
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Default Gateway IP      : 0.0.0.0
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
Bad Password Threshold  : Not Available

Best Answer

Like most tools, ipmitool comes with a man page: man ipmitool. The application's online manual will usually either explain outright or, more often than not, hint at what the output means.

Often a bit of background knowledge helps for context though.

-A <authtype>
Specify an authentication type to use during IPMIv1.5 lan session activation. Supported types are NONE, PASSWORD, MD2, MD5, or OEM.

In other words:

The IPMI protocol allows different mechanisms to authenticate. Your IPMI device does not need to support all of them to be standards compliant, so ipmitool will display which ones YOUR device does support:

Auth Type Support   :  NONE MD2 MD5 PASSWORD

So your device supports all authentication types, except OEM.

Auth Type Enable        : Callback : MD2 MD5 PASSWORD 
                        : User     : MD2 MD5 PASSWORD 
                        : Operator : MD2 MD5 PASSWORD 
                        : Admin    : MD2 MD5 PASSWORD 
                        : OEM      : MD2 MD5 PASSWORD 

That is a list of which authentication mechanisms are supported for each (default) ipmi user account. As you can see NONE is absent there, in other words, you will always need a valid password to log in to and use any of those accounts.

You can supply the password in plain text: the PASSWORD mechanism,
or use a (cryptographically weak) MD2 message digest,
or use a (cryptographically stronger) MD5 message digest to authenticate.
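As an added example (not part of the original answer and not ipmitool's own code), the following Python parses the Auth Type Support and Auth Type Enable rows of `lan print` output and reports every row where NONE, PASSWORD or MD2 is still enabled. The function names `parse_auth_types` and `audit` are hypothetical, and the sample text is constructed from the question's output with NONE added to one row.

```python
# Ranking follows the answer above: NONE needs no credential, PASSWORD sends it
# in plain text, MD2 is a weak digest. MD5 is the strongest type in the list.
WEAK = {
    "NONE": "no authentication required",
    "PASSWORD": "password sent in plain text",
    "MD2": "cryptographically weak digest",
}

# Constructed sample: auth-related lines modelled on the question's output,
# with NONE added to the Callback row and the Admin/OEM rows tightened.
SAMPLE = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD5
                        : OEM      :
IP Address Source       : Static Address
"""

def parse_auth_types(text):
    """Return (supported_types, {level: [enabled_types]}) from `lan print` text."""
    supported, enabled, in_enable = [], {}, False
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        key = key.strip()
        if key == "Auth Type Support":
            supported = rest.split()
        if key == "Auth Type Enable":
            in_enable = True
        elif key:                      # any other labelled line ends the block
            in_enable = False
        if in_enable and ":" in rest:  # "<level> : <types...>" (types may be empty)
            level, _, types = rest.partition(":")
            enabled[level.strip()] = types.split()
    return supported, enabled

def audit(text):
    """List (level, auth_type, reason) for every weak type that is enabled."""
    _, enabled = parse_auth_types(text)
    return [(lvl, t, WEAK[t]) for lvl, types in enabled.items()
            for t in types if t in WEAK]

if __name__ == "__main__":
    for level, auth_type, reason in audit(SAMPLE):
        print(f"{level:9} {auth_type:9} {reason}")
```

On a live host, pass it the text printed by `ipmitool -I open lan print 1`. A flagged type can then be dropped for a level with ipmitool's `lan set <channel> auth <level> <type>` subcommand.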
