[2.5] MAAS IPMI config doesn't always enable admin privileges

Do you have known IPMI hardware that MAAS doesn't create administrator privileges on?

Check one of the machines in the CI whether you can ssh to the BMC using the MAAS credentials. If not, you can always figureout what settings you need to be tweaked.

Using the CI I found some machines would not let me ssh into the BMC:

ubuntu@autopkgtest:~$ ssh maas@10.245.143.122
Unable to negotiate with 10.245.143.122 port 22: no matching cipher found. Their offer: aes256-cbc,aes128-cbc,3des-cbc
ubuntu@autopkgtest:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
<email address hidden>
aes128-ctr
aes192-ctr
aes256-ctr
<email address hidden>
<email address hidden>
<email address hidden>
ubuntu@autopkgtest:~$ ssh -c aes256-cbc maas@10.245.143.122
The authenticity of host '10.245.143.122 (10.245.143.122)' can't be established.
RSA key fingerprint is SHA256:i8CxQNa3x7pi2BkjOmy02XSQVBbz9AdvbubWkC1YWOo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.245.143.122' (RSA) to the list of known hosts.
maas@10.245.143.122's password:
User:maas logged-in to ILOMXQ342025J.(10.245.143.122 / FE80::2E59:E5FF:FE4B:2CA0)
ProLiant DL360e Gen8
iLO 4 Standard 2.10 at Jan 15 2015
Server Name:
Server Power: Off

Based on customer feedback, we will be enhancing the SSH command line
interface in a future release of the iLO 4 firmware. Our future CLI will
focus on increased usability and improved functionality. This message is
to provide advance notice of the coming change. Please see the iLO 4
Release Notes on www.hp.com/go/iLO for additional information.

</>hpiLO->

There were also some machines that had no issues (here is one example):

ubuntu@autopkgtest:~$ ssh maas@10.245.143.107
The authenticity of host '10.245.143.107 (10.245.143.107)' can't be established.
RSA key fingerprint is SHA256:kntzBNkedP/FqIPX5JUligpXFvlDwJLHRmODGw99+14.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.245.143.107' (RSA) to the list of known hosts.
Password:

BusyBox v1.1.3 (2010.07.09-05:22+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

$

By adding the below to ~/.ssh/config and restarting sshd I was able to ssh into machines that were giving me issues before (here is one example):

ubuntu@autopkgtest:~$ ssh maas@10.245.143.123
The authenticity of host '10.245.143.123 (10.245.143.123)' can't be established.
RSA key fingerprint is SHA256:7P2jK+9eHWTfm3lgRHwoN5S/LubaYHtrIv/NfTIJ5Nw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.245.143.123' (RSA) to the list of known hosts.
maas@10.245.143.123's password:
User:maas logged-in to ILOMXQ34000BM.(10.245.143.123 / FE80::2E59:E5FF:FE39:7B4)
ProLiant DL360e Gen8
iLO 4 Standard 2.10 at Jan 15 2015
Server Name:
Server Power: Off

Based on customer feedback, we will be enhancing the SSH command line
interface in a future release of the iLO 4 firmware. Our future CLI will
focus on increased usability and improved functionality. This message is
to provide advance notice of the coming change. Please see the iLO 4
Release Notes on www.hp.com/go/iLO for additional information.

</>hpiLO->

By adding this ~/.ssh/config (forgot to include in last comment above):

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Marking this as invalid as I do not think this is a MAAS bug due to what was found above.

I have tried multiple times to reproduce this by logging into the UI of the BMC for the MAAS CI's IPMI machines. The only time I have had issues logging in is with:

Tuleta-8247-22L-SN213572A FW860.20 (SV860_082)

This has happened each time.

For all other machines, I have never been able to reproduce this issue.

Some reasons why I think this is an issue with the firmware of the Tuleta:

1. MAAS is already configuring "Lan_Privilege_Limit" to "Administrator" for each BMC. The documentation states-

# For IPMI over LAN access for a username, set "Enable_User" to "Yes",
# "Lan_Enable_IPMI_Msgs" to "Yes", and "Lan_Privilege_Limit" to a privilege
# level. The privilege level is used to limit various IPMI operations for
# individual usernames. It is recommened that atleast one username be created
# with a privilege limit "Administrator", so all system functions are available
# to atleast one username via IPMI over LAN.

2. Below is part of the output of `bmc-config --checkout` for a working BMC. This shows us the settings that MAAS is
   creating by default.

Section User2
 ## Give Username
 Username maas
 ## Give password or blank to clear. MAX 16 chars (20 chars if IPMI 2.0 supported).
 ## Password
 ## Possible values: Yes/No or blank to not set
 Enable_User Yes
 ## Possible values: Yes/No
 Lan_Enable_IPMI_Msgs Yes
 ## Possible values: Yes/No
 Lan_Enable_Link_Auth No
 ## Possible values: Yes/No
 Lan_Enable_Restricted_to_Callback No
 ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
 Lan_Privilege_Limit Administrator
 ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
 ## Lan_Session_Limit
 ## Possible values: Yes/No
 SOL_Payload_Access No
EndSection

As we can see we are creating the maas user with Administrator privileges.

For the machine that we are seeing issues with we get-

ubuntu@autopkgtest:~$ sudo bmc-config --checkout -D LAN_2_0 -h 10.245.143.113 -u maas -p bBfqnAAfllCf4H
ipmi_cmd_get_sol_configuration_parameters_sol_payload_channel: session timeout

3. bmc-info command for the machine causing issues. Shows the machine is up and running:

ubuntu@autopkgtest:~$ sudo bmc-info -D LAN_2_0 -h 10.245.143.113 -u maas -p bBfqnAAfllCf4H
Device ID : 32
Device Revision : 0
Device SDRs : unsupported
Firmware Revision : 8.61
Device Available : yes (normal operation)
IPMI Version : 2.0
Sensor Device : supported
SDR Repository Device : supported
SEL Device : supported
FRU Inventory Device : supported
IPMB Event Receiver : supported
IPMB Event Generator : supported
Bridge : supported
Chassis Device : unsupported
Manufacturer ID : IBM Platform Firmware Division (42817)
Product ID : 306
Auxiliary Firmware Revision Information : 00000000h

System GUID : 902b4c94-be98-a60b-01da-a86497788eb4

Channel Information

Channel Number : 1
Medium Type : 802.3 LAN
Protocol Type : IPMB-1.0
Active Session Count : 2
Session Support : multi-session
Vendor ID : Intelligent Platform Management Interface forum (7154)

Channel Number : 1
Medium Type : 802.3 LAN
Protocol Type : IPMB-1.0
Active Session Coun...

Attached below is the BMC configuration data that was written by MAAS. In addition to the attached BMC configuration, other permutations were attempted such as setting Rmcpplus_Conf_Privilege:Maximum_Privilege_Cipher_Suite_Id_#'s to Administrator as outline in https://www.gnu.org/software/freeipmi/manpages/man5/ipmi-config.conf.5.html but I was still unable to login to the BMC's UI.

ubuntu@autopkgtest:~$ sudo bmc-config --checkout -D LAN_2_0 -h 10.245.143.118 -u maas -p E8VIyYgPujF5
#
# Section UserX Comments
#
# In the following User sections, users should configure usernames, passwords,
# and access rights for IPMI over LAN communication. Usernames can be set to any
# string with the exception of User1, which is a fixed to the "anonymous"
# username in IPMI.
#
# For IPMI over LAN access for a username, set "Enable_User" to "Yes",
# "Lan_Enable_IPMI_Msgs" to "Yes", and "Lan_Privilege_Limit" to a privilege
# level. The privilege level is used to limit various IPMI operations for
# individual usernames. It is recommened that atleast one username be created
# with a privilege limit "Administrator", so all system functions are available
# to atleast one username via IPMI over LAN. For security reasons, we recommend
# not enabling the "anonymous" User1. For most users, "Lan_Session_Limit" can be
# set to 0 (or ignored) to support an unlimited number of simultaneous IPMI over
# LAN sessions.
#
# If your system supports IPMI 2.0 and Serial-over-LAN (SOL),
# a"SOL_Payload_Access" field may be listed below. Set the "SOL_Payload_Access"
# field to "Yes" or "No" to enable or disable this username's ability to access
# SOL.
#
# Please do not forget to uncomment those fields, such as "Password", that may
# be commented out during the checkout.
#
# Some motherboards may require a "Username" to be configured prior to other
# fields being read/written. If this is the case, those fields will be set to
# <username-not-set-yet>.
#
Section User1
 ## Give Username
 ## Username NULL
 ## Give password or blank to clear. MAX 16 chars (20 chars if IPMI 2.0 supported).
 ## Password
 ## Possible values: Yes/No or blank to not set
 Enable_User Yes
 ## Possible values: Yes/No
 Lan_Enable_IPMI_Msgs Yes
 ## Possible values: Yes/No
 Lan_Enable_Link_Auth No
 ## Possible values: Yes/No
 Lan_Enable_Restricted_to_Callback No
 ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
 Lan_Privilege_Limit Administrator
 ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
 ## Lan_Session_Limit
 ## Possible values: Yes/No
 SOL_Payload_Access No
EndSection
Section User2
 ## Give Username
 Username maas
 ## Give password or blank to clear. MAX 16 chars (20 chars if IPMI 2.0 supported).
 ## Password
 ## Possible values: Yes/No or blank to not set
 Enable_User Yes
 ...

This bug has not seen any activity in the last 6 months, so it is being automatically closed.

If you are still experiencing this issue, please feel free to re-open.

MAAS Team