1ipmiconsole(8)                  System Commands                 ipmiconsole(8)
2
3
4

NAME

6       ipmiconsole - IPMI console utility
7

SYNOPSIS

9       ipmiconsole [OPTION...]
10

DESCRIPTION

12       ipmiconsole  is a Serial-over-LAN (SOL) console utility. It can be used
13       to establish console sessions to remote machines using the IPMI 2.0 SOL
14       protocol.
15
16       Ipmiconsole  communicates  with a remote machine's Baseboard Management
17       Controller (BMC) to establish a console session. Before any SOL  commu‐
18       nication  can  take  place, the remote machine's BMC must be configured
19       properly.  The FreeIPMI tool bmc-config(8) may be used to do this  con‐
20       figuration.
21
22       Often  (although  not always), console redirection must be also be con‐
23       figured properly in the BIOS and/or operating system. Both must be con‐
24       figured  to  redirect  console  traffic  out  the appropriate COM port.
25       Please see your motherboard and OS documentation  for  instructions  on
26       proper setup.
27
28       Listed  below  are general IPMI options, tool specific options, trouble
29       shooting  information,  workaround  information,  examples,  and  known
30       issues. For a general introduction to FreeIPMI please see freeipmi(7).
31

GENERAL OPTIONS

33       The following options are general options for configuring IPMI communi‐
34       cation and executing general tool commands.
35
36       -h IPMIHOST, --hostname=IPMIHOST[:PORT]
37              Specify the remote host to communicate with.  An  optional  port
38              can be specified, which may be useful in port forwarding or sim‐
39              ilar situations.
40
41       -u, --username=USERNAME
42              Specify the username to use when authenticating with the  remote
43              host.   If  not  specified,  a null (i.e. anonymous) username is
44              assumed. The user must a high enough privilege  to  establish  a
45              SOL session and have SOL session abilities.
46
47       -p PASSWORD, --password=PASSWORD
48              Specify the password to use when authenticationg with the remote
49              host.  If not specified, a null  password  is  assumed.  Maximum
50              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
51
52       -P, --password-prompt
53              Prompt  for  password  to  avoid  possibility  of  listing it in
54              process lists.
55
56       -k K_G, --k-g=K_G
57              Specify the K_g BMC key to  use  when  authenticating  with  the
58              remote  host  for  IPMI  2.0.  If  not  specified, a null key is
59              assumed. To input the key in hexadecimal form, prefix the string
60              with  '0x'.  E.g.,  the key 'abc' can be entered with the either
61              the string 'abc' or the string '0x616263'
62
63       -K, --k-g-prompt
64              Prompt for k-g to avoid possibility of  listing  it  in  process
65              lists.
66
67       --session-timeout=MILLISECONDS
68              Specify  the  session timeout in milliseconds. Defaults to 60000
69              milliseconds (60 seconds) if not specified.
70
71       --retransmission-timeout=MILLISECONDS
72              Specify  the  packet  retransmission  timeout  in  milliseconds.
73              Defaults to 500 milliseconds (0.5 seconds) if not specified.
74
75       -I, --cipher-suite-id=CIPHER-SUITE-ID
76              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
77              identifies a set of authentication, integrity, and confidential‐
78              ity  algorithms to use for IPMI 2.0 communication. The authenti‐
79              cation algorithm identifies the algorithm  to  use  for  session
80              setup,  the  integrity algorithm identifies the algorithm to use
81              for session packet signatures, and the confidentiality algorithm
82              identifies the algorithm to use for payload encryption. Defaults
83              to cipher suite ID 3 if not specified. The user should be  aware
84              that  only  cipher  suite  ids 3, 8, and 12 encrypt console pay‐
85              loads. Console information will be  sent  in  the  clear  if  an
86              alternate  cipher  suite  id  is  selected. The following cipher
87              suite ids are currently supported:
88
89              0 - Authentication Algorithm = None; Integrity Algorithm = None;
90              Confidentiality Algorithm = None
91
92              1  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
93              None; Confidentiality Algorithm = None
94
95              2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
96              HMAC-SHA1-96; Confidentiality Algorithm = None
97
98              3  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
99              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
100
101              6 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
102              None; Confidentiality Algorithm = None
103
104              7  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
105              HMAC-MD5-128; Confidentiality Algorithm = None
106
107              8 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
108              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
109
110              11  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
111              MD5-128; Confidentiality Algorithm = None
112
113              12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
114              MD5-128; Confidentiality Algorithm = AES-CBC-128
115
116              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
117              = None; Confidentiality Algorithm = None
118
119              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
120              = HMAC_SHA256_128; Confidentiality Algorithm = None
121
122              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
123              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
124
125       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
126              Specify the privilege level to be used. The currently  available
127              privilege  levels  are  USER,  OPERATOR,  and ADMIN. Defaults to
128              ADMIN if not specified.
129
130       --config-file=FILE
131              Specify an alternate configuration file.
132
133       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
134              Specify workarounds to vendor compliance issues. Multiple  work‐
135              arounds  can be specified separated by commas. A special command
136              line flag of "none", will indicate no workarounds (may be useful
137              for overriding configured defaults). See WORKAROUNDS below for a
138              list of available workarounds.
139
140       --debug
141              Turn on debugging.
142
143       -?, --help
144              Output a help list and exit.
145
146       --usage
147              Output a usage message and exit.
148
149       -V, --version
150              Output the program version and exit.
151

IPMICONSOLE OPTIONS

153       The following options are specific to Ipmiconsole.
154
155       -e CHAR, --escape-char=CHAR
156              Specify an alternate escape character (default char '&').
157
158       -N, --dont-steal
159              Do not steal an SOL session if one is already detected as  being
160              in use. Under most circumstances, if SOL is detected as being in
161              use, ipmiconsole will attempt to steal the SOL session away from
162              the  previous session.  This default behavior exists for several
163              reasons, most notably that earlier SOL  sessions  may  have  not
164              been able to be deactivate properly.
165
166       -T, --deactivate
167              Deactivate  a SOL session if one is detected as being in use and
168              exit.
169
170       --serial-keepalive
171              Occasionally send NUL characters to detect inactive serial  con‐
172              nections.  This  option  is  particularly  useful  for those who
173              intend to run ipmiconsole without much interaction, such as  for
174              logging  purposes.  While  IPMI  connections may still be alive,
175              some motherboards have exhibited bugs in which underlying serial
176              data can no longer be sent/received. From the viewpoint of ipmi‐
177              console, data is simply not be sent out of the remote system and
178              this problem is only detected once there is user interaction. By
179              sending the occasional NUL character,  the  underlying  loss  of
180              serial  data transfer can be detected far more quickly. There is
181              some risk with this option, as the NUL character byte may affect
182              the  remote  system  depending on what data it may or may not be
183              expecting.
184
185       --serial-keepalive-empty
186              This option is identical to --serial-keepalive except  that  SOL
187              packets  will  contain  no  NUL  character data. On some mother‐
188              boards, this may be sufficient to deal with a hanging IPMI  ses‐
189              sion without the risk regularly sending a NUL character byte may
190              have. However, some systems may not ACK  a  SOL  packet  without
191              character  data  in it, meaning these keepalive packets do noth‐
192              ing.
193
194       -L, --lock-memory
195              Lock sensitive information (such as usernames and passwords)  in
196              memory.
197

ESCAPE CHARACTERS

199       The  following  escape  sequences  are supported. The default supported
200       escape character is '&', but can be changed with the -e option.
201
202       &?     Display a list of currently available escape sequences.
203
204       &.     Terminate the connection.
205
206       &B     Send a "serial-break" to the remote console.
207
208       &D     Send a DEL character.
209
210       &&     Send a single escape character.
211

GENERAL TROUBLESHOOTING

213       Most often, IPMI problems are due to configuration problems.
214
215       IPMI over  LAN  problems  involve  a  misconfiguration  of  the  remote
216       machine's  BMC.  Double check to make sure the following are configured
217       properly in the remote machine's BMC: IP address, MAC  address,  subnet
218       mask,  username,  user enablement, user privilege, password, LAN privi‐
219       lege, LAN enablement, and allowed authentication type(s). For IPMI  2.0
220       connections,  double  check  to make sure the cipher suite privilege(s)
221       and K_g key are configured properly. The bmc-config(8) tool can be used
222       to check and/or change these configuration settings.
223
224       In  addition  to the troubleshooting tips below, please see WORKAROUNDS
225       below to also if there are any vendor specific bugs that have been dis‐
226       covered and worked around.
227
228       Listed  below  are  many  of the common issues for error messages.  For
229       additional support, please e-mail the <freeipmi-users@gnu.org>  mailing
230       list.
231
232       "username  invalid"  - The username entered (or a NULL username if none
233       was entered) is not available on the remote machine.  It  may  also  be
234       possible the remote BMC's username configuration is incorrect.
235
236       "password  invalid"  - The password entered (or a NULL password if none
237       was entered) is not correct. It may also be possible the  password  for
238       the user is not correctly configured on the remote BMC.
239
240       "password  verification timeout" - Password verification has timed out.
241       A "password invalid" error (described  above)  or  a  generic  "session
242       timeout" (described below) occurred.  During this point in the protocol
243       it cannot be differentiated which occurred.
244
245       "k_g invalid" - The K_g key entered (or a NULL  K_g  key  if  none  was
246       entered)  is  not  correct.  It may also be possible the K_g key is not
247       correctly configured on the remote BMC.
248
249       "privilege level insufficient" - An IPMI command requires a higher user
250       privilege  than  the one authenticated with. Please try to authenticate
251       with a higher privilege. This may require authenticating to a different
252       user which has a higher maximum privilege.
253
254       "privilege  level  cannot  be  obtained  for this user" - The privilege
255       level you are attempting to authenticate with is higher than the  maxi‐
256       mum  allowed for this user. Please try again with a lower privilege. It
257       may also be possible the maximum privilege level allowed for a user  is
258       not configured properly on the remote BMC.
259
260       "authentication  type  unavailable for attempted privilege level" - The
261       authentication type you wish to authenticate with is not available  for
262       this privilege level. Please try again with an alternate authentication
263       type or alternate privilege level. It may also be possible  the  avail‐
264       able  authentication  types you can authenticate with are not correctly
265       configured on the remote BMC.
266
267       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
268       ticate  with  is not available on the remote BMC. Please try again with
269       an alternate cipher suite id. It may also  be  possible  the  available
270       cipher suite ids are not correctly configured on the remote BMC.
271
272       "ipmi  2.0  unavailable"  -  IPMI  2.0 was not discovered on the remote
273       machine. Please try to use IPMI 1.5 instead.
274
275       "connection timeout" - Initial IPMI communication failed. A  number  of
276       potential errors are possible, including an invalid hostname specified,
277       an IPMI IP address cannot be resolved,  IPMI  is  not  enabled  on  the
278       remote  server,  the network connection is bad, etc. Please verify con‐
279       figuration and connectivity.
280
281       "session timeout" - The IPMI session has timed out.  Please  reconnect.
282       If this error occurs often, you may wish to increase the retransmission
283       timeout. Some remote BMCs are considerably slower than others.
284

IPMICONSOLE TROUBLESHOOTING

286       The following are common issues for error messages in ipmiconsole.
287
288       "SOL unavailable" - SOL is not configured for use on  the  remote  BMC.
289       It may be not configured in general or for the specific user specified.
290       Authenticating with a different user may  be  sufficient,  however  the
291       IPMI  protocol  does not reveal detail on what is not configured on the
292       remote BMC.
293
294       "SOL in use" - SOL is already in use on the remote BMC. If you  do  not
295       specify  the --dont-steal option, ipmiconsole will attempt to steal the
296       SOL session away from the other session.
297
298       "SOL session stolen" - Your SOL session has been stolen by another ses‐
299       sion. You may wish to try and steal the session back by reconnecting.
300
301       "SOL  requires  encryption"  -  SOL  requires  a  cipher  suite id that
302       includes encryption. Please try to use cipher suite id 3, 8, or 12.  It
303       may  also  be  possible  the encryption requirements are not configured
304       correctly on the remote BMC.
305
306       "SOL requires no encryption" - SOL requires a cipher suite id that does
307       not use encryption. Please try to use cipher suite id 0, 1, 2, 6, 7, or
308       11. It may also be possible the encryption requirements are not config‐
309       ured correctly on the remote BMC.
310
311       "BMC Implementation" - The BMC on the remote machine has a severe prob‐
312       lem in its implementation. Please see the WORKAROUNDS section below for
313       possible  workarounds.  If  additional vendor workarounds are required,
314       please contact the authors.
315
316       "excess retransmissions sent" - An excessive number of  retransmissions
317       of  SOL  packets has occurred and ipmiconsole has given up. This may be
318       due to network issues or SOL issues. Some of the same  issues  involved
319       with  "connection timeout" or "session timeout" errors may be involved.
320       Please try to reconnect.
321
322       "excess errors received" - An excessive number of SOL packet errors has
323       occurred  and  ipmiconsole  has  given  up.  This may be due to network
324       issues or SOL issues.  Please try to reconnect.
325
326       "BMC Error" - This error usually  means  a  vendor  SOL  implementation
327       requires  a  combination of authentication, encryption, privilege, etc.
328       that have not been met by the user's choices.  Please try a combination
329       of  different  cipher  suites, privileges, etc. to resolve the problem.
330       Please see the WORKAROUNDS section below for possible workarounds too.
331

WORKAROUNDS

333       With so many different vendors implementing their own  IPMI  solutions,
334       different  vendors  may implement their IPMI protocols incorrectly. The
335       following describes a number of workarounds currently available to han‐
336       dle  discovered compliance issues. When possible, workarounds have been
337       implemented so they will be transparent to the user. However, some will
338       require the user to specify a workaround be used via the -W option.
339
340       The hardware listed below may only indicate the hardware that a problem
341       was discovered on. Newer versions of  hardware  may  fix  the  problems
342       indicated  below.  Similar machines from vendors may or may not exhibit
343       the same problems. Different vendors may license  their  firmware  from
344       the  same IPMI firmware developer, so it may be worthwhile to try work‐
345       arounds listed below even if your motherboard is not listed.
346
347       If you believe your hardware has an additional  compliance  issue  that
348       needs a workaround to be implemented, please contact the FreeIPMI main‐
349       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
350
351       authcap - This workaround flag will  skip  early  checks  for  username
352       capabilities,  authentication  capabilities,  and K_g support and allow
353       IPMI authentication to succeed. It  works  around  multiple  issues  in
354       which the remote system does not properly report username capabilities,
355       authentication capabilities, or K_g status. Those  hitting  this  issue
356       may  see  "username  invalid",  "authentication  type  unavailable  for
357       attempted privilege level", or "k_g invalid" errors.  Issue observed on
358       Asus  P5M2/P5MT-R/RS162-E4/RX4,  Intel  SR1520ML/X38ML,  and  Sun  Fire
359       2200/4150/4450 with ELOM.
360
361       intel20 - This workaround flag will work around several Intel IPMI  2.0
362       authentication issues. The issues covered include padding of usernames,
363       and password  truncation  if  the  authentication  algorithm  is  HMAC-
364       MD5-128. Those hitting this issue may see "username invalid", "password
365       invalid", or "k_g invalid" errors. Issue observed  on  Intel  SE7520AF2
366       with Intel Server Management Module (Professional Edition).
367
368       supermicro20 - This workaround flag will work around several Supermicro
369       IPMI 2.0  authentication  issues  on  motherboards  w/  Peppercon  IPMI
370       firmware.  The issues covered include handling invalid length authenti‐
371       cation codes. Those hitting  this  issue  may  see  "password  invalid"
372       errors.   Issue  observed on Supermicro H8QME with SIMSO daughter card.
373       Confirmed fixed on newerver firmware.
374
375       sun20 - This workaround flag will work work around several Sun IPMI 2.0
376       authentication issues. The issues covered include invalid lengthed hash
377       keys, improperly hashed keys, and invalid cipher suite  records.  Those
378       hitting  this  issue  may see "password invalid" or "bmc error" errors.
379       Issue observed on Sun Fire 4100/4200/4500 with ILOM.   This  workaround
380       automatically includes the "opensesspriv" workaround.
381
382       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
383       2.0 connection protocol to workaround an invalid hashing algorithm used
384       by  the remote system. The privilege level sent during the Open Session
385       stage of an IPMI 2.0 connection is used for hashing keys instead of the
386       privilege  level  sent during the RAKP1 connection stage. Those hitting
387       this issue may see "password invalid", "k_g invalid", or "bad  rmcpplus
388       status  code"  errors.   Issue observed on Sun Fire 4100/4200/4500 with
389       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
390       Intel S5500WBV/Penguin Relion 700, Intel S2600JF/Appro 512X, and Quanta
391       QSSC-S4R//Appro GB812X-CN. This workaround is  automatically  triggered
392       with the "sun20" workaround.
393
394       integritycheckvalue  - This workaround flag will work around an invalid
395       integrity check value during an IPMI  2.0  session  establishment  when
396       using  Cipher Suite ID 0. The integrity check value should be 0 length,
397       however the remote motherboard responds with a non-empty  field.  Those
398       hitting  this  issue  may  see  "k_g invalid" errors. Issue observed on
399       Supermicro X8DTG, Supermicro X8DTU, and Intel  S5500WBV/Penguin  Relion
400       700, and Intel S2600JF/Appro 512X.
401
402       solpayloadsize - This workaround flag will not check for valid SOL pay‐
403       load sizes and assume a proper set. It works around remote systems that
404       report invalid IPMI 2.0 SOL payload sizes. Those hitting this issue may
405       see   "BMC   Implementation"   errors.   Issue   observed    on    Asus
406       P5M2/RS162-E4/RX4,  Intel SR1520ML/X38ML, Inventec 5441/Dell Xanadu II,
407       Sun x4100, Supermicro X8DTH, Supermicro X8DTG,  Supermicro  X8DTU,  and
408       Quanta QSSC-S4R//Appro GB812X-CN.
409
410       solport  -  This workaround flag will ignore alternate SOL ports speci‐
411       fied during the protocol. It works around remote  systems  that  report
412       invalid  alternate SOL ports. Those hitting this issue may see "connec‐
413       tion timeout" errors. Issue observed  on  Asus  P5MT-R  and  Supermicro
414       X8DTH-iF.
415
416       solstatus  - This workaround flag will not check the current activation
417       status of SOL during the protocol setup. It works around remote systems
418       that do not properly support this command. Those hitting this issue may
419       see "BMC Error" errors. Issue observed on Supermicro X8SIL-F.
420

KNOWN ISSUES

422       On older operating systems, if you input your username,  password,  and
423       other  potentially  security  relevant information on the command line,
424       this information may be discovered by other users when using tools like
425       the  ps(1) command or looking in the /proc file system. It is generally
426       more secure to input password information with options like the  -P  or
427       -K  options.  Configuring security relevant information in the FreeIPMI
428       configuration file would also be an appropriate way to hide this infor‐
429       mation.
430
431       In  order  to  prevent  brute force attacks, some BMCs will temporarily
432       "lock up" after a number of remote authentication errors. You may  need
433       to  wait awhile in order to this temporary "lock up" to pass before you
434       may authenticate again.
435
436       Some motherboards define an OEM SOL inactivity  timeout  for  SOL  ses‐
437       sions. If SOL sessions stay inactive for long periods of time, ipmicon‐
438       sole sessions may be abruptly closed, most likely resulting in  session
439       timeout  errors. Please see OEM notes for information on modifying this
440       parameter if you wish for sessions to stay active longer.
441

SPECIFIC HARDWARE NOTES

443       Intel SR1520ML/X38ML: After a reboot, the SOL session appears to  "dis‐
444       connect"  from  the  motherboard  but stay alive.  Character data input
445       from the ipmiconsole client is accepted by the remote machine,  but  no
446       character  data  or  console  data  is  ever  sent back from the remote
447       machine. The SOL session is subsequently useless. There is currently no
448       workaround  in  place  to  handle  this. The session must be closed and
449       restarted.
450

EXAMPLES

452       # ipmiconsole -h ahost -u myusername -p mypassword
453
454       Establish a console sesssion with a remote host.
455

KNOWN ISSUES

457       On older operating systems, if you input your username,  password,  and
458       other  potentially  security  relevant information on the command line,
459       this information may be discovered by other users when using tools like
460       the  ps(1) command or looking in the /proc file system. It is generally
461       more secure to input password information with options like the  -P  or
462       -K  options.  Configuring security relevant information in the FreeIPMI
463       configuration file would also be an appropriate way to hide this infor‐
464       mation.
465
466       In  order  to  prevent  brute force attacks, some BMCs will temporarily
467       "lock up" after a number of remote authentication errors. You may  need
468       to  wait awhile in order to this temporary "lock up" to pass before you
469       may authenticate again.
470

REPORTING BUGS

472       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
473
475       Copyright (C) 2007-2012 Lawrence Livermore National Security, LLC.
476       Copyright (C) 2006-2007 The Regents of the University of California.
477
478       This program is free software; you can redistribute it and/or modify it
479       under  the  terms of the GNU General Public License as published by the
480       Free Software Foundation; either version 3 of the License, or (at  your
481       option) any later version.
482

SEE ALSO

484       freeipmi.conf(5), freeipmi(7), bmc-config(8)
485
486       http://www.gnu.org/software/freeipmi/
487
488
489
490ipmiconsole 1.2.1                 2017-03-22                    ipmiconsole(8)
Impressum