Closed KeithBierman closed 3 years ago
Hi @KeithBierman
Have you looked into using an X-auth token session for executing Redfish calls? With an X-auth token, you only pass the token ID in the header to execute Redfish calls; no iDRAC username / password is required or passed in clear text.
See the example below where I created an X-auth token session, then used only that token session to execute a GET request. Btw, the python scripts that you are currently using would need to be modified if you do decide to use X-auth token sessions.
```
C:\Python38-32>CreateXAuthTokenSessionREDFISH.py -ip 192.168.0.120 -u root -p calvin -c y
- PASS, successfuly created X auth session
- INFO, created session details -
Date: Thu, 03 Sep 2020 20:07:44 GMT
Server: Apache
WWW-Authenticate: Basic realm="RedfishService"
X-Auth-Token: b9f509102d85ebe41dff08d50d1a9c51
OData-Version: 4.0
Access-Control-Allow-Origin: *
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Location: /redfish/v1/SessionService/Sessions/39
Content-Length: 784
Keep-Alive: timeout=60, max=100
Connection: Keep-Alive
Content-Type: application/json;odata.metadata=minimal;charset=utf-8

C:\Python38-32>CreateXAuthTokenSessionREDFISH.py -ip 192.168.0.120 -g y -t b9f509102d85ebe41dff08d50d1a9c51
- PASS, GET request using X-auth session passed
```
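The session flow described above, as an added example written for this thread (not code from the dell/iDRAC-Redfish-Scripting project): the client sends the credentials once to the standard Redfish SessionService, keeps only the returned X-Auth-Token in memory, uses it for later calls, and deletes the session when done. The root/calvin credentials, the "Status: Ready" payload and the MockRedfish server at the bottom are constructed so the block runs offline; against a real iDRAC the base would be https://<idrac-ip> and the credentials should come from getpass or a secret store rather than argv.

```python
import json, os, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen
SESSIONS = "/redfish/v1/SessionService/Sessions"  # standard Redfish session collection

def create_session(base, user, password):
    """Send the credentials once; afterwards only the token and the session URI are kept."""
    body = json.dumps({"UserName": user, "Password": password}).encode()
    req = Request(base + SESSIONS, data=body, method="POST", headers={"Content-Type": "application/json"})
    with urlopen(req) as r:  # raises HTTPError on 401, so a bad login never yields a token
        return r.headers["X-Auth-Token"], r.headers["Location"]

def redfish_get(base, token, path):
    """Authenticate with the X-Auth-Token header only; no username or password on the wire."""
    with urlopen(Request(base + path, headers={"X-Auth-Token": token})) as r:
        return json.loads(r.read())

def delete_session(base, token, session_uri):
    """Log out so the token is useless if it leaks later; returns the HTTP status (204 on success)."""
    req = Request(base + session_uri, method="DELETE", headers={"X-Auth-Token": token})
    with urlopen(req) as r:
        return r.status

# Constructed stand-in for the SessionService, for offline testing only; it is not an iDRAC.
class MockRedfish(BaseHTTPRequestHandler):
    tokens = {}  # token -> session URI of the live sessions
    def log_message(self, *args): pass
    def _reply(self, code, headers=(), body=b""):
        self.send_response(code)
        for k, v in headers: self.send_header(k, v)
        self.end_headers(); self.wfile.write(body)
    def do_POST(self):
        creds = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        if self.path != SESSIONS or creds != {"UserName": "root", "Password": "calvin"}:
            return self._reply(401)
        token, uri = os.urandom(16).hex(), f"{SESSIONS}/{len(self.tokens) + 1}"
        self.tokens[token] = uri
        self._reply(201, [("X-Auth-Token", token), ("Location", uri)])
    def do_GET(self):
        if self.headers.get("X-Auth-Token") not in self.tokens: return self._reply(401)
        self._reply(200, body=json.dumps({"Status": "Ready"}).encode())
    def do_DELETE(self):
        token = self.headers.get("X-Auth-Token")
        if self.tokens.get(token) != self.path: return self._reply(401)
        del self.tokens[token]; self._reply(204)

def start_mock():
    srv = HTTPServer(("127.0.0.1", 0), MockRedfish)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"
```

Because the token lives only inside the process, it never lands in shell history or a process listing the way a `-t` argument does, and the DELETE at the end revokes it on the server side.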
Sure, and in our ultimate integrated tool we'll use something along those lines. However, we're using these GitHub-based scripts for some ad hoc Ops groups, and I suspect that Ops will always want to string together some of these ... so it would be nice if the GitHub code used an approach that Security would approve of. Otherwise, Ops will need to string together racadm CLI calls (which would be fine, except several of these scripts provide much more useful error messaging; e.g. importsystemconfiguration .. if anything misfires, racadm and the GUI report "100% complete with errors" without any clue as to the error, while the GitHub script provides an itemized list ...).
Hi @KeithBierman
Would this be something that would work for your implementation? See below where I created a test script to allow the user to either pass in the password as clear text or be prompted to enter the password, where the password is not returned back or reported to the terminal when entering.
```
C:\Python38-32>GetRemoteServicesAPIStatusREDFISH_test.py -ip 192.168.0.120 -u root -p calvin
-PASS: POST command passed for GetRemoteServicesAPIStatus method, status code 200 returned
LCStatus: Ready
RTStatus: Ready
ServerStatus: OutOfPOST
Status: Ready

C:\Python38-32>GetRemoteServicesAPIStatusREDFISH_test.py -ip 192.168.0.120 -u root -P
Password:
-PASS: POST command passed for GetRemoteServicesAPIStatus method, status code 200 returned
LCStatus: Ready
RTStatus: Ready
ServerStatus: OutOfPOST
Status: Ready
```
We'd much rather not have to use a password, either a public key (ala racadm) or a revocable token (ala github).
> On Thu, Sep 10, 2020 at 1:29 PM texroemer notifications@github.com wrote:
>
> Hi @KeithBierman https://github.com/KeithBierman
> Would this be something that would work for your implementation? See below where I created a test script to allow the user to either pass in the password as clear text or be prompted to enter the password, where the password is not returned back or reported to the terminal when entering.
>
> ```
> C:\Python38-32>GetRemoteServicesAPIStatusREDFISH_test.py -ip 192.168.0.120 -u root -p calvin
> -PASS: POST command passed for GetRemoteServicesAPIStatus method, status code 200 returned
> LCStatus: Ready
> RTStatus: Ready
> ServerStatus: OutOfPOST
> Status: Ready
>
> C:\Python38-32>GetRemoteServicesAPIStatusREDFISH_test.py -ip 192.168.0.120 -u root -P
> Password:
> -PASS: POST command passed for GetRemoteServicesAPIStatus method, status code 200 returned
> LCStatus: Ready
> RTStatus: Ready
> ServerStatus: OutOfPOST
> Status: Ready
> ```
@KeithBierman Just an idea: How about having the iDRAC username and password as shell environment variables? That way they'd be loaded for that session but would not have to be entered into any script or terminal.
They could be created and loaded by a script like this:
```sh
jonas@octo:/tmp$ cat > loadCredentials.sh
#!/bin/sh
export IDRAC_USER="root"
export IDRAC_PASS="secret"
^C
jonas@octo:/tmp$ . ./!$
. ./loadCredentials.sh
jonas@octo:/tmp$ env | grep IDRAC
IDRAC_USER=root
IDRAC_PASS=secret
jonas@octo:/tmp$
```
And accessed from within the Redfish Python script like this:
```python
import os

# Both lookups raise KeyError if loadCredentials.sh was not sourced into this shell session.
idrac_username = os.environ["IDRAC_USER"]
idrac_password = os.environ["IDRAC_PASS"]
```
Would it be possible to provide access sans passwords? Having the passwords hanging about in shell scripts, script arguments, etc. makes our Security people unhappy.