1ipmiconsole(8) System Commands ipmiconsole(8)
2
6 ipmiconsole - IPMI console utility
7
9 ipmiconsole [OPTION...]
10
12 ipmiconsole is a Serial-over-LAN (SOL) console utility. It can be used
13 to establish console sessions to remote machines using the IPMI 2.0 SOL
14 protocol. Ipmiconsole communicates with a remote machine's Baseboard
15 Management Controller (BMC) to establish a console session. Before any
16 SOL communication can take place, the remote machine's BMC must be con‐
17 figured properly. The FreeIPMI tool ipmi-config(8) may be used to do
18 this configuration.
19 Often (although not always), console redirection must be also be con‐
21 figured properly in the BIOS and/or operating system. Both must be con‐
22 figured to redirect console traffic out the appropriate COM port.
23 Please see your motherboard and OS documentation for instructions on
24 proper setup.
25 Listed below are general IPMI options, tool specific options, trouble
27 shooting information, workaround information, examples, and known
28 issues. For a general introduction to FreeIPMI please see freeipmi(7).
29
31 The following options are general options for configuring IPMI communi‐
32 cation and executing general tool commands.
33 -h IPMIHOST, --hostname=IPMIHOST[:PORT]
35 Specify the remote host to communicate with. An optional port
36 can be specified, which may be useful in port forwarding or sim‐
37 ilar situations.
38 -u, --username=USERNAME
40 Specify the username to use when authenticating with the remote
41 host. If not specified, a null (i.e. anonymous) username is
42 assumed. The user must a high enough privilege to establish a
43 SOL session and have SOL session abilities.
44 -p PASSWORD, --password=PASSWORD
46 Specify the password to use when authenticationg with the remote
47 host. If not specified, a null password is assumed. Maximum
48 password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
49 -P, --password-prompt
51 Prompt for password to avoid possibility of listing it in
52 process lists.
53 -k K_G, --k-g=K_G
55 Specify the K_g BMC key to use when authenticating with the
56 remote host for IPMI 2.0. If not specified, a null key is
57 assumed. To input the key in hexadecimal form, prefix the string
58 with '0x'. E.g., the key 'abc' can be entered with the either
59 the string 'abc' or the string '0x616263'
60 -K, --k-g-prompt
62 Prompt for k-g to avoid possibility of listing it in process
63 lists.
64 --session-timeout=MILLISECONDS
66 Specify the session timeout in milliseconds. Defaults to 60000
67 milliseconds (60 seconds) if not specified.
68 --retransmission-timeout=MILLISECONDS
70 Specify the packet retransmission timeout in milliseconds.
71 Defaults to 500 milliseconds (0.5 seconds) if not specified.
72 -I, --cipher-suite-id=CIPHER-SUITE-ID
74 Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
75 identifies a set of authentication, integrity, and confidential‐
76 ity algorithms to use for IPMI 2.0 communication. The authenti‐
77 cation algorithm identifies the algorithm to use for session
78 setup, the integrity algorithm identifies the algorithm to use
79 for session packet signatures, and the confidentiality algorithm
80 identifies the algorithm to use for payload encryption. Defaults
81 to cipher suite ID 3 if not specified. The user should be aware
82 that only cipher suite ids 3, 8, and 12 encrypt console pay‐
83 loads. Console information will be sent in the clear if an
84 alternate cipher suite id is selected. The following cipher
85 suite ids are currently supported:
86 0 - Authentication Algorithm = None; Integrity Algorithm = None;
88 Confidentiality Algorithm = None
89 1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
91 None; Confidentiality Algorithm = None
92 2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
94 HMAC-SHA1-96; Confidentiality Algorithm = None
95 3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
97 HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
98 6 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
100 None; Confidentiality Algorithm = None
101 7 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
103 HMAC-MD5-128; Confidentiality Algorithm = None
104 8 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
106 HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
107 11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
109 MD5-128; Confidentiality Algorithm = None
110 12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
112 MD5-128; Confidentiality Algorithm = AES-CBC-128
113 15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
115 = None; Confidentiality Algorithm = None
116 16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
118 = HMAC_SHA256_128; Confidentiality Algorithm = None
119 17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
121 = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
122 -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
124 Specify the privilege level to be used. The currently available
125 privilege levels are USER, OPERATOR, and ADMIN. Defaults to
126 ADMIN if not specified.
127 --config-file=FILE
129 Specify an alternate configuration file.
130 -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
132 Specify workarounds to vendor compliance issues. Multiple work‐
133 arounds can be specified separated by commas. A special command
134 line flag of "none", will indicate no workarounds (may be useful
135 for overriding configured defaults). See WORKAROUNDS below for a
136 list of available workarounds.
137 --debug
139 Turn on debugging.
140 -?, --help
142 Output a help list and exit.
143 --usage
145 Output a usage message and exit.
146 -V, --version
148 Output the program version and exit.
149
151 The following options are specific to Ipmiconsole.
152 -e CHAR, --escape-char=CHAR
154 Specify an alternate escape character (default char '&').
155 --dont-steal
157 Do not steal an SOL session if one is already detected as being
158 in use. Under most circumstances, if SOL is detected as being in
159 use, ipmiconsole will attempt to steal the SOL session away from
160 the previous session. This default behavior exists for several
161 reasons, most notably that earlier SOL sessions may have not
162 been able to be deactivate properly.
163 --deactivate
165 Deactivate SOL session if one is detected as being in use and
166 exit.
167 --serial-keepalive
169 Occasionally send NUL characters to detect inactive serial con‐
170 nections. This option is particularly useful for those who
171 intend to run ipmiconsole without much interaction, such as for
172 logging purposes. While IPMI connections may still be alive,
173 some motherboards have exhibited bugs in which underlying serial
174 data can no longer be sent/received. From the viewpoint of ipmi‐
175 console, data is simply not be sent out of the remote system and
176 this problem is only detected once there is user interaction. By
177 sending the occasional NUL character, the underlying loss of
178 serial data transfer can be detected far more quickly. There is
179 some risk with this option, as the NUL character byte may affect
180 the remote system depending on what data it may or may not be
181 expecting.
182 --serial-keepalive-empty
184 This option is identical to --serial-keepalive except that SOL
185 packets will contain no NUL character data. On some mother‐
186 boards, this may be sufficient to deal with a hanging IPMI ses‐
187 sion without the risk of regularly sending a NUL character byte
188 may have. However, some systems may not ACK a SOL packet without
189 character data in it, meaning these keepalive packets do noth‐
190 ing.
191 --sol-payload-instance=NUM
193 Specify the SOL payload instance number. The default value is 1,
194 valid values range from 1 to 15. Most systems only support a
195 single instance, however a few allow users to access multiple.
196 --deactivate-all-instances
198 When used along with the --deactivate option, will deactivate
199 all active SOL instances instead of just the currently config‐
200 ured payload instance.
201 --lock-memory
203 Lock sensitive information (such as usernames and passwords) in
204 memory.
205 --debugfile
207 Output debugging to files in current directory rather than to
208 standard output.
209
211 The following escape sequences are supported. The default supported
212 escape character is '&', but can be changed with the -e option.
213 &? Display a list of currently available escape sequences.
215 &. Terminate the connection.
217 &B Send a "serial-break" to the remote console.
219 &D Send a DEL character.
221 && Send a single escape character.
223
225 Most often, IPMI problems are due to configuration problems.
226 IPMI over LAN problems involve a misconfiguration of the remote
228 machine's BMC. Double check to make sure the following are configured
229 properly in the remote machine's BMC: IP address, MAC address, subnet
230 mask, username, user enablement, user privilege, password, LAN privi‐
231 lege, LAN enablement, and allowed authentication type(s). For IPMI 2.0
232 connections, double check to make sure the cipher suite privilege(s)
233 and K_g key are configured properly. The ipmi-config(8) tool can be
234 used to check and/or change these configuration settings.
235 In addition to the troubleshooting tips below, please see WORKAROUNDS
237 below to also if there are any vendor specific bugs that have been dis‐
238 covered and worked around.
239 Listed below are many of the common issues for error messages. For
241 additional support, please e-mail the <freeipmi-users@gnu.org> mailing
242 list.
243 "username invalid" - The username entered (or a NULL username if none
245 was entered) is not available on the remote machine. It may also be
246 possible the remote BMC's username configuration is incorrect.
247 "password invalid" - The password entered (or a NULL password if none
249 was entered) is not correct. It may also be possible the password for
250 the user is not correctly configured on the remote BMC.
251 "password verification timeout" - Password verification has timed out.
253 A "password invalid" error (described above) or a generic "session
254 timeout" (described below) occurred. During this point in the protocol
255 it cannot be differentiated which occurred.
256 "k_g invalid" - The K_g key entered (or a NULL K_g key if none was
258 entered) is not correct. It may also be possible the K_g key is not
259 correctly configured on the remote BMC.
260 "privilege level insufficient" - An IPMI command requires a higher user
262 privilege than the one authenticated with. Please try to authenticate
263 with a higher privilege. This may require authenticating to a different
264 user which has a higher maximum privilege.
265 "privilege level cannot be obtained for this user" - The privilege
267 level you are attempting to authenticate with is higher than the maxi‐
268 mum allowed for this user. Please try again with a lower privilege. It
269 may also be possible the maximum privilege level allowed for a user is
270 not configured properly on the remote BMC.
271 "authentication type unavailable for attempted privilege level" - The
273 authentication type you wish to authenticate with is not available for
274 this privilege level. Please try again with an alternate authentication
275 type or alternate privilege level. It may also be possible the avail‐
276 able authentication types you can authenticate with are not correctly
277 configured on the remote BMC.
278 "cipher suite id unavailable" - The cipher suite id you wish to authen‐
280 ticate with is not available on the remote BMC. Please try again with
281 an alternate cipher suite id. It may also be possible the available
282 cipher suite ids are not correctly configured on the remote BMC.
283 "ipmi 2.0 unavailable" - IPMI 2.0 was not discovered on the remote
285 machine. Please try to use IPMI 1.5 instead.
286 "connection timeout" - Initial IPMI communication failed. A number of
288 potential errors are possible, including an invalid hostname specified,
289 an IPMI IP address cannot be resolved, IPMI is not enabled on the
290 remote server, the network connection is bad, etc. Please verify con‐
291 figuration and connectivity.
292 "session timeout" - The IPMI session has timed out. Please reconnect.
294 If this error occurs often, you may wish to increase the retransmission
295 timeout. Some remote BMCs are considerably slower than others.
296 "internal IPMI error" - An IPMI error has occurred that FreeIPMI does
298 not know how to handle. Please e-mail <freeipmi-users@gnu.org> to
299 report the issue.
300
302 The following are common issues for error messages in ipmiconsole.
303 "SOL unavailable" - SOL is not configured for use on the remote BMC.
305 It may be not configured in general or for the specific user specified.
306 Authenticating with a different user may be sufficient, however the
307 IPMI protocol does not reveal detail on what is not configured on the
308 remote BMC.
309 "SOL in use" - SOL is already in use on the remote BMC. If you do not
311 specify the --dont-steal option, ipmiconsole will attempt to steal the
312 SOL session away from the other session. Not all BMCs support the abil‐
313 ity to steal away a SOL session.
314 "SOL session stolen" - Your SOL session has been stolen by another ses‐
316 sion. You may wish to try and steal the session back by reconnecting.
317 "SOL requires encryption" - SOL requires a cipher suite id that
319 includes encryption. Please try to use cipher suite id 3, 8, or 12. It
320 may also be possible the encryption requirements are not configured
321 correctly on the remote BMC.
322 "SOL requires no encryption" - SOL requires a cipher suite id that does
324 not use encryption. Please try to use cipher suite id 0, 1, 2, 6, 7, or
325 11. It may also be possible the encryption requirements are not config‐
326 ured correctly on the remote BMC.
327 "BMC Implementation" - The BMC on the remote machine has a severe prob‐
329 lem in its implementation. Please see the WORKAROUNDS section below for
330 possible workarounds. If additional vendor workarounds are required,
331 please contact the authors.
332 "excess retransmissions sent" - An excessive number of retransmissions
334 of SOL packets has occurred and ipmiconsole has given up. This may be
335 due to network issues or SOL issues. Some of the same issues involved
336 with "connection timeout" or "session timeout" errors may be involved.
337 Please try to reconnect.
338 "excess errors received" - An excessive number of SOL packet errors has
340 occurred and ipmiconsole has given up. This may be due to network
341 issues or SOL issues. Please try to reconnect.
342 "BMC Error" - This error usually means a vendor SOL implementation
344 requires a combination of authentication, encryption, privilege, etc.
345 that have not been met by the user's choices. Please try a combination
346 of different cipher suites, privileges, etc. to resolve the problem.
347 Please see the WORKAROUNDS section below for possible workarounds too.
348
350 With so many different vendors implementing their own IPMI solutions,
351 different vendors may implement their IPMI protocols incorrectly. The
352 following describes a number of workarounds currently available to han‐
353 dle discovered compliance issues. When possible, workarounds have been
354 implemented so they will be transparent to the user. However, some will
355 require the user to specify a workaround be used via the -W option.
356 The hardware listed below may only indicate the hardware that a problem
358 was discovered on. Newer versions of hardware may fix the problems
359 indicated below. Similar machines from vendors may or may not exhibit
360 the same problems. Different vendors may license their firmware from
361 the same IPMI firmware developer, so it may be worthwhile to try work‐
362 arounds listed below even if your motherboard is not listed.
363 If you believe your hardware has an additional compliance issue that
365 needs a workaround to be implemented, please contact the FreeIPMI main‐
366 tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
367 authcap - This workaround flag will skip early checks for username
369 capabilities, authentication capabilities, and K_g support and allow
370 IPMI authentication to succeed. It works around multiple issues in
371 which the remote system does not properly report username capabilities,
372 authentication capabilities, or K_g status. Those hitting this issue
373 may see "username invalid", "authentication type unavailable for
374 attempted privilege level", or "k_g invalid" errors. Issue observed on
375 Asus P5M2/P5MT-R/RS162-E4/RX4, Intel SR1520ML/X38ML, and Sun Fire
376 2200/4150/4450 with ELOM.
377 nochecksumcheck - This workaround flag will tell FreeIPMI to not check
379 the checksums returned from IPMI command responses. It works around
380 systems that return invalid checksums due to implementation errors, but
381 the packet is otherwise valid. Users are cautioned on the use of this
382 option, as it removes validation of packet integrity in a number of
383 circumstances. However, it is unlikely to be an issue in most situa‐
384 tions. Those hitting this issue may see "connection timeout", "session
385 timeout", or "password verification timeout" errors. On IPMI 1.5 con‐
386 nections, the "noauthcodecheck" workaround may also needed too. Issue
387 observed on Supermicro X9SCM-iiF, Supermicro X9DRi-F, and Supermicro
388 X9DRFR.
389 intel20 - This workaround flag will work around several Intel IPMI 2.0
391 authentication issues. The issues covered include padding of usernames,
392 and password truncation if the authentication algorithm is HMAC-
393 MD5-128. Those hitting this issue may see "username invalid", "password
394 invalid", or "k_g invalid" errors. Issue observed on Intel SE7520AF2
395 with Intel Server Management Module (Professional Edition).
396 supermicro20 - This workaround flag will work around several Supermicro
398 IPMI 2.0 authentication issues on motherboards w/ Peppercon IPMI
399 firmware. The issues covered include handling invalid length authenti‐
400 cation codes. Those hitting this issue may see "password invalid"
401 errors. Issue observed on Supermicro H8QME with SIMSO daughter card.
402 Confirmed fixed on newerver firmware.
403 sun20 - This workaround flag will work work around several Sun IPMI 2.0
405 authentication issues. The issues covered include invalid lengthed hash
406 keys, improperly hashed keys, and invalid cipher suite records. Those
407 hitting this issue may see "password invalid" or "bmc error" errors.
408 Issue observed on Sun Fire 4100/4200/4500 with ILOM. This workaround
409 automatically includes the "opensesspriv" workaround.
410 opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
412 2.0 connection protocol to workaround an invalid hashing algorithm used
413 by the remote system. The privilege level sent during the Open Session
414 stage of an IPMI 2.0 connection is used for hashing keys instead of the
415 privilege level sent during the RAKP1 connection stage. Those hitting
416 this issue may see "password invalid", "k_g invalid", or "bad rmcpplus
417 status code" errors. Issue observed on Sun Fire 4100/4200/4500 with
418 ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
419 Intel S5500WBV/Penguin Relion 700, Intel S2600JF/Appro 512X, and Quanta
420 QSSC-S4R/Appro GB812X-CN. This workaround is automatically triggered
421 with the "sun20" workaround.
422 integritycheckvalue - This workaround flag will work around an invalid
424 integrity check value during an IPMI 2.0 session establishment when
425 using Cipher Suite ID 0. The integrity check value should be 0 length,
426 however the remote motherboard responds with a non-empty field. Those
427 hitting this issue may see "k_g invalid" errors. Issue observed on
428 Supermicro X8DTG, Supermicro X8DTU, and Intel S5500WBV/Penguin Relion
429 700, and Intel S2600JF/Appro 512X.
430 solpayloadsize - This workaround flag will not check for valid SOL pay‐
432 load sizes and assume a proper set. It works around remote systems that
433 report invalid IPMI 2.0 SOL payload sizes. Those hitting this issue may
434 see "BMC Implementation" errors. Issue observed on Asus
435 P5M2/RS162-E4/RX4, Intel SR1520ML/X38ML, Inventec 5441/Dell Xanadu II,
436 Sun x4100, Supermicro X8DTH, Supermicro X8DTG, Supermicro X8DTU, and
437 Quanta QSSC-S4R//Appro GB812X-CN.
438 solport - This workaround flag will ignore alternate SOL ports speci‐
440 fied during the protocol. It works around remote systems that report
441 invalid alternate SOL ports. Those hitting this issue may see "connec‐
442 tion timeout" errors. Issue observed on Asus P5MT-R and Supermicro
443 X8DTH-iF.
444 solstatus - This workaround flag will not check the current activation
446 status of SOL during the protocol setup. It works around remote systems
447 that do not properly support this command. Those hitting this issue may
448 see "BMC Error" errors. Issue observed on Supermicro X8SIL-F.
449 solchannelsupport - This workaround flag will not check if SOL is sup‐
451 ported on the current channel. It works around remote systems that do
452 not properly support this command. Those hitting this issue may see
453 "BMC Error" errors. Issue observed on Intel Windmill, Quanta Winter‐
454 fell, and Wiwynn Windmill
455 serialalertsdeferred - This workaround option will set serial alerts to
457 be deferred instead of have them be failures. This works around mother‐
458 boards that perform IPMI over serial along with IPMI serial over LAN.
459 Those hitting this issue may see "excess retransmissions sent" when
460 they attempt to input data via SOL. Issue observed on Intel Windmill,
461 Quanta Winterfell, and Wiwynn Windmill.
462 solpacketseq - This workaround option will increment the SOL payload
464 packet sequence number under dire circumstances. Normally SOL should
465 never do this, however some motherboards have shown to get "stuck" due
466 to an internal bug on the motherboard. This workaround can help in get‐
467 ting the BMC un-stuck. Those hitting this issue may see "excess
468 retransmissions sent" when they attempt to input data via SOL. Issue
469 observed on Intel Windmill, Quanta Winterfell, and Wiwynn Windmill.
470
472 On older operating systems, if you input your username, password, and
473 other potentially security relevant information on the command line,
474 this information may be discovered by other users when using tools like
475 the ps(1) command or looking in the /proc file system. It is generally
476 more secure to input password information with options like the -P or
477 -K options. Configuring security relevant information in the FreeIPMI
478 configuration file would also be an appropriate way to hide this infor‐
479 mation.
480 In order to prevent brute force attacks, some BMCs will temporarily
482 "lock up" after a number of remote authentication errors. You may need
483 to wait awhile in order to this temporary "lock up" to pass before you
484 may authenticate again.
485 Some motherboards define an OEM SOL inactivity timeout for SOL ses‐
487 sions. If SOL sessions stay inactive for long periods of time, ipmicon‐
488 sole sessions may be abruptly closed, most likely resulting in session
489 timeout errors. Please see OEM notes for information on modifying this
490 parameter if you wish for sessions to stay active longer.
491
493 Intel SR1520ML/X38ML: After a reboot, the SOL session appears to "dis‐
494 connect" from the motherboard but stay alive. Character data input
495 from the ipmiconsole client is accepted by the remote machine, but no
496 character data or console data is ever sent back from the remote
497 machine. The SOL session is subsequently useless. There is currently no
498 workaround in place to handle this. The session must be closed and
499 restarted.
500
502 # ipmiconsole -h ahost -u myusername -p mypassword
503 Establish a console sesssion with a remote host.
505
507 Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
508
510 Copyright (C) 2007-2015 Lawrence Livermore National Security, LLC.
511 Copyright (C) 2006-2007 The Regents of the University of California.
512 This program is free software; you can redistribute it and/or modify it
514 under the terms of the GNU General Public License as published by the
515 Free Software Foundation; either version 3 of the License, or (at your
516 option) any later version.
517
519 freeipmi.conf(5), freeipmi(7), ipmi-config(8)
520 http://www.gnu.org/software/freeipmi/
522ipmiconsole 1.5.7 2018-04-11 ipmiconsole(8)