MAAS

MAAS setting wrong Cipher Suite ID for recent Lenovo machines

Bug #2023495 reported by Jeff Lane  on 2023-06-11

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
MAAS	Status tracked in 3.6
3.5	Won't Fix	Low	Unassigned
3.6	Triaged	Low	Unassigned	MAAS 3.6.x

Bug Description

When enlisting recent Lenovo machines, I've noticed that MAAS is setting the Cipher Suite ID to 3. This is incorrect and makes ipmi-over-lan fail.

These machines all use Cipher Suite 17 and I have to manually modify them in MAAS to use ID 17, at which point MAAS can successfully control them remotely.

Note, in this most recent case (SR635 V3 with XCC 2) MAAS set the cipher suite id to 3 during enlistment. I had to change it manually to get commissioning to work. After commissioning, MAAS changed it back to ID 3 again, once more making the machine unmanageable. So had to correct this a second time, resetting it once again to 17

See original description

Jeff Lane  (bladernr) on 2023-06-11

description:

updated

Revision history for this message

Jeff Lane  (bladernr) wrote on 2023-06-13:

This is low priority, I noticed in the BMC that it warns that the default security setting requires ID 17. You can also change to a lower security setting and ID 3 will then work.

I get the feeling (unconfirmed) that MAAS just asks what is supported and set it to the first thing on the list... perhaps the answer is a simple message saying "We've chosen $ID but if MAAS is unable to control the machine via IPMI, you may need to pick one of the other available IDs or review your server's security policy"

in a popup or something.

Just a thought...

So there IS a workaround, either one of:
A: Change the cipher suite ID to 17 or
B: Change the system security settings to a setting that allows use of ID 3.

description:

updated

Revision history for this message

Thorsten Merten (thorsten-merten) wrote on 2023-06-14:

somewhat related to https://bugs.launchpad.net/maas/+bug/1975730

Revision history for this message

Thorsten Merten (thorsten-merten) wrote on 2023-06-14:

The main problem here is that MAAS does not remember that the user set the cipher suite manually and overwrites it.

Eline Maaike De Weerd (emdw) on 2023-06-14

Changed in maas:
status:	New → Triaged
importance:	Undecided → Low
milestone:	none → 3.5.0

Revision history for this message

Nicholas Fries (nicfries) wrote on 2023-06-20 (last edit on 2023-06-20):

This affects us with multiple other platforms (non-Lenovo). Cipher 3 is insecure. Only Cipher 17 is secure enough for use, currently.

We reported this issue to Canonical last August.

Anton Troyanov (troyanov) on 2024-03-05

Changed in maas:
milestone:	3.5.0 → 3.5.x

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.