IPMI account/password got displayed when command failed

[tjyang]

I am using this perl script, thanks for the work.

• WHAT: There is security risk of exposing IMM/iDRAC's credential when underneath ipmi commands failed. Currently, no option to disable this password displaying.

• WHY : from existing code logic, $returncode !=0 will display IPMI account and password from command output and on web page.

• HOW:

  • Adding one extra option like --nocmdout to not displaying command output so one can ensure no password displayed when in production.
  • I can submit a PR if there is interest but I only do causal perl programming.

[selcukKaraca]

Hi you should use "-f server.cfg" in the file, you should specify the following: $ cat server.cfg username nagios password abcd...! privilege-level operator $

[tjyang]

@selcukKaraca , Thanks for the suggestion. But "-f" is more work(IMHO) given that this will generate more "server.cfg" files to maintain with, for site that hosts with much different accounts/passwords.

[selcukKaraca]

as a solution I have implemented a wrapper script. I use nagios for monitoring. there is a table (ipmi_table.cfg) which includes the following fields OS_IP ILO_IP AUTH_FILE OPTIONS

my wrapper script looks at this table, find necessary arguments and construct perfect check_ipmi_sensors command. like this one:

# cat check_ipmi_wrapper.sh 
#this script constructs check-ipmi-sensor command using hostname parameter.
#it does this by looking up from a table ipmi_table.cfg
# written by mehmet selcuk karaca

FOUND=FALSE
IPMI_TABLE=/path/to/ipmi_table.cfg
HOST_IP=$2
#nagios unknown exit value
UNKNOWN=3

while read LINE
do
  IP=$(echo $LINE | cut -f 1 -d " ")
  #we have found IP (given as parameter) in the table. Now get other required arguments
  if [ $IP = $HOST_IP ]; then
     ILO=$(echo $LINE | cut -f 2 -d " ")
     AUTH_FILE=$(echo $LINE | cut -f 3 -d " ")
     AUTH_FILE=/path/to/$AUTH_FILE
     OPTIONS=$(echo $LINE | cut -f 4- -d " ")
     FOUND=TRUE
     break
  fi
done <$IPMI_TABLE

if [ $FOUND = "TRUE" ]; then
    /path/to/check_ipmi_sensor -H $ILO -f $AUTH_FILE $OPTIONS -v
else
   echo "$HOST_IP could not be found in $IPMI_TABLE please add IP and related info to the table."
   exit $UNKNOWN
fi

[tjyang]

@selcukKaraca , are you interested to see how I resolve this issue by modifying perl code directly by adding --nocmdout argument ?

[gschoenberger]

Resolved by 82ebecc963aa3be756db4fdb030dffe10c893bd5 Password is now masked in debug output if command failed.