kelleyk / noVNC

A fork of noVNC that adds support for the ATEN iKVM "AST2100" (0x57) video encoding, as used by the BMCs in recent SuperMicro servers. (See the "bmc-support" branch.)
http://novnc.com

SSL Based iKVM #6

Open syshackmin opened 5 years ago

syshackmin commented 5 years ago

I've been playing with your code and trying to revive this for the SSL forced boards. I've got the SSL auth working, I've got the version 055.008 accepted, but it's getting stuck on authentication.

Quick packet dump shows I send the VNC tunneling capabilities supported message and nothing comes back after that. Port 56356 is novnc, italk is the iKVM. Both 127.0.0.1 as I'm using a stunnel to decrypt SSL.

23 41.919044591 127.0.0.1 -> 127.0.0.1 TCP 66 56356 > italk [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=1046347434 TSecr=1046347434
24 41.956127482 127.0.0.1 -> 127.0.0.1 VNC 78 Server protocol version: 055.008
25 41.956142960 127.0.0.1 -> 127.0.0.1 TCP 66 56356 > italk [ACK] Seq=1 Ack=1 Win=342 Len=0 TSval=1046347471 TSecr=1046347471
26 41.981483344 127.0.0.1 -> 127.0.0.1 VNC 78 Client protocol version: 055.008
27 41.981493864 127.0.0.1 -> 127.0.0.1 TCP 66 italk > 56356 [ACK] Seq=1 Ack=13 Win=342 Len=0 TSval=1046347496 TSecr=1046347496
28 41.984064133 127.0.0.1 -> 127.0.0.1 VNC 68 Security types supported
29 42.009929934 127.0.0.1 -> 127.0.0.1 VNC 67 Authentication type selected by client
30 42.013231683 127.0.0.1 -> 127.0.0.1 VNC 90 TightVNC tunneling capabilities supported

Did you ever make any progress on the SSL encrypted boards? Seems these jerks just messed with the VNC version just to screw with us.
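The dump above can be reduced to a payload size and, where an ACK follows, a sender for each handshake message. This is an added example, not part of the original post or of the noVNC code; it parses the tshark summary lines copied from the post and assumes every packet carries the same header overhead as the Len=0 ACKs. The function names are hypothetical.

```javascript
// tshark summary lines copied verbatim from the post above.
const DUMP = [
  "23 41.919044591 127.0.0.1 -> 127.0.0.1 TCP 66 56356 > italk [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=1046347434 TSecr=1046347434",
  "24 41.956127482 127.0.0.1 -> 127.0.0.1 VNC 78 Server protocol version: 055.008",
  "25 41.956142960 127.0.0.1 -> 127.0.0.1 TCP 66 56356 > italk [ACK] Seq=1 Ack=1 Win=342 Len=0 TSval=1046347471 TSecr=1046347471",
  "26 41.981483344 127.0.0.1 -> 127.0.0.1 VNC 78 Client protocol version: 055.008",
  "27 41.981493864 127.0.0.1 -> 127.0.0.1 TCP 66 italk > 56356 [ACK] Seq=1 Ack=13 Win=342 Len=0 TSval=1046347496 TSecr=1046347496",
  "28 41.984064133 127.0.0.1 -> 127.0.0.1 VNC 68 Security types supported",
  "29 42.009929934 127.0.0.1 -> 127.0.0.1 VNC 67 Authentication type selected by client",
  "30 42.013231683 127.0.0.1 -> 127.0.0.1 VNC 90 TightVNC tunneling capabilities supported",
];

// Split one summary line into frame number, protocol, frame length and info text.
function parseLine(line) {
  const m = /^(\d+) \S+ \S+ -> \S+ (TCP|VNC) (\d+) (.*)$/.exec(line);
  if (!m) return null;
  const rec = { no: +m[1], proto: m[2], frameLen: +m[3], info: m[4] };
  if (rec.proto === "TCP") {
    const t = /^(\S+) > (\S+) \[ACK\].* Ack=(\d+).* Len=(\d+)/.exec(rec.info);
    if (t) Object.assign(rec, { src: t[1], dst: t[2], ack: +t[3], tcpLen: +t[4] });
  }
  return rec;
}

function analyse(lines) {
  const recs = lines.map(parseLine).filter(Boolean);
  // A pure ACK (Len=0) has no payload, so its frame length is the header overhead.
  // Assumption: data packets in this capture carry the same headers and TCP options.
  const pureAck = recs.find((r) => r.proto === "TCP" && r.tcpLen === 0);
  if (!pureAck) throw new Error("no Len=0 ACK to calibrate header overhead");
  const overhead = pureAck.frameLen;
  const msgs = [];
  recs.forEach((r, i) => {
    if (r.proto !== "VNC") return;
    const next = recs[i + 1];
    // The side that ACKs right after a message received it, so the sender is the ACK's destination.
    const acked = next && next.proto === "TCP" && next.tcpLen === 0;
    msgs.push({ no: r.no, stage: r.info, payload: r.frameLen - overhead,
                sender: acked ? next.dst : "unknown" });
  });
  return { overhead, msgs, lastStage: msgs[msgs.length - 1].stage };
}

console.log(analyse(DUMP));
```

The two 12-byte payloads match the fixed length of an RFB ProtocolVersion string, and Ack=13 in frame 27 confirms that count independently. Frames 28 to 30 have no following ACK in the capture, so their direction cannot be read from this summary alone.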

jimdigriz commented 3 years ago

...documenting this as no one seems to have written down this step.

It uses a client certificate and I found details about it at https://www.osso.nl/blog/supermicro-java-console-redirection-kvm/. I should have figured it was packaged up in the IPMIView bundle.

Use socat as a reverse SSL proxy to listen on 127.0.0.1:5901 and connect to your Supermicro system at 192.0.2.1:5900:

socat -d TCP-LISTEN:5901,fork,reuseaddr,bind=127.0.0.1 OPENSSL:192.0.2.1:5900,cert=IPMIView_2.18.0_build.201007_bundleJRE_Linux_x64/BMCSecurity/client.crt,key=IPMIView_2.18.0_build.201007_bundleJRE_Linux_x64/BMCSecurity/client.key,cafile=IPMIView_2.18.0_build.201007_bundleJRE_Linux_x64/BMCSecurity/server.crt,commonname=IPMI

This gets us hooked up, but it disconnects in the VNC protocol (looks like where @syshackmin also got) immediately in response to sending the credentials...at least it is better than during the SSL connection setup.

N.B. Over SSL different credentials are used; as detailed in the linked blog post above, you extract them from the launch.jnlp file you can fetch from the management interface when clicking on 'Launch Console'.