ipmi-config.conf(5) System Commands ipmi-config.conf(5)

NAME
ipmi-config - IPMI configuration file details

DESCRIPTION
Before many IPMI tools can be used over a network, a machine's Baseboard
Management Controller (BMC) must be configured. The configuration can be
quite daunting for those who do not know much about IPMI. This manpage
hopes to provide enough information on BMC configuration so that you can
configure the BMC for your system. When appropriate, typical BMC
configurations will be suggested.

The following is an example configuration file partially generated by
running the --checkout option with the ipmi-config(8) command. This
configuration comes from the core category of configuration values (the
default). This example configuration should be sufficient for most users
after the appropriate local IP and MAC addresses are input. Following
this example, separate sections of this manpage will discuss the
different sections of the configuration file in more detail with
explanations of how the BMC can be configured for different environments.

Note that many options may or may not be available on your particular
machine. For example, Serial-Over-LAN (SOL) is available only on IPMI
2.0 machines. Therefore, if you are looking to configure an IPMI 1.5
machine, many of the SOL or IPMI 2.0 related options will be
unavailable to you. The number of configurable users may also vary for
your particular machine.

The configuration file below and most of this manpage assume the user
is interested in configuring a BMC for use with IPMI over LAN. Various
configuration options from ipmi-config(8) have been left out or skipped
because they are considered unnecessary. Future versions of this manpage
will try to include more information.

Section User1
## Give username
## Username NULL
## Give password or leave it blank to clear password
Password mypassword
## Possible values: Yes/No or blank to not set
Enable_User Yes
## Possible values: Yes/No
Lan_Enable_Ipmi_Msgs Yes
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
Lan_Privilege_Limit Administrator
## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
## Lan_Session_Limit
## Possible values: Yes/No
SOL_Payload_Access Yes
EndSection
Section User2
## Give username
Username user2
## Give password or leave it blank to clear password
Password userpass
## Possible values: Yes/No or blank to not set
Enable_User No
## Possible values: Yes/No
Lan_Enable_Ipmi_Msgs No
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
Lan_Privilege_Limit No_Access
## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
## Lan_Session_Limit
## Possible values: Yes/No
SOL_Payload_Access No
EndSection
Section Lan_Channel
## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
Volatile_Access_Mode Always_Available
## Possible values: Yes/No
Volatile_Enable_User_Level_Auth Yes
## Possible values: Yes/No
Volatile_Enable_Per_Message_Auth Yes
## Possible values: Yes/No
Volatile_Enable_Pef_Alerting No
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
Volatile_Channel_Privilege_Limit Administrator
## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
Non_Volatile_Access_Mode Always_Available
## Possible values: Yes/No
Non_Volatile_Enable_User_Level_Auth Yes
## Possible values: Yes/No
Non_Volatile_Enable_Per_Message_Auth Yes
## Possible values: Yes/No
Non_Volatile_Enable_Pef_Alerting No
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
Non_Volatile_Channel_Privilege_Limit Administrator
EndSection
Section Lan_Conf
## Possible values: Unspecified/Static/Use_DHCP/Use_BIOS/Use_Others
Ip_Address_Source Static
## Give valid IP Address
Ip_Address 192.168.1.100
## Give valid MAC Address
Mac_Address 00:0E:0E:FF:AA:12
## Give valid Subnet mask
Subnet_Mask 255.255.255.0
## Give valid IP Address
Default_Gateway_Ip_Address 192.168.1.1
## Give valid MAC Address
Default_Gateway_Mac_Address 00:0E:0E:FF:AA:18
## Give valid IP Address
Backup_Gateway_Ip_Address 192.168.1.2
## Give valid MAC Address
Backup_Gateway_Mac_Address 00:0E:0E:FF:AA:15
EndSection
Section Lan_Conf_Auth
## Possible values: Yes/No
Callback_Enable_Auth_Type_None No
## Possible values: Yes/No
Callback_Enable_Auth_Type_Md2 No
## Possible values: Yes/No
Callback_Enable_Auth_Type_Md5 No
## Possible values: Yes/No
Callback_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
Callback_Enable_Auth_Type_Oem_Proprietary No
## Possible values: Yes/No
User_Enable_Auth_Type_None No
## Possible values: Yes/No
User_Enable_Auth_Type_Md2 Yes
## Possible values: Yes/No
User_Enable_Auth_Type_Md5 Yes
## Possible values: Yes/No
User_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
User_Enable_Auth_Type_Oem_Proprietary No
## Possible values: Yes/No
Operator_Enable_Auth_Type_None No
## Possible values: Yes/No
Operator_Enable_Auth_Type_Md2 Yes
## Possible values: Yes/No
Operator_Enable_Auth_Type_Md5 Yes
## Possible values: Yes/No
Operator_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
Operator_Enable_Auth_Type_Oem_Proprietary No
## Possible values: Yes/No
Admin_Enable_Auth_Type_None No
## Possible values: Yes/No
Admin_Enable_Auth_Type_Md2 Yes
## Possible values: Yes/No
Admin_Enable_Auth_Type_Md5 Yes
## Possible values: Yes/No
Admin_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
Admin_Enable_Auth_Type_Oem_Proprietary No
## Possible values: Yes/No
Oem_Enable_Auth_Type_None No
## Possible values: Yes/No
Oem_Enable_Auth_Type_Md2 No
## Possible values: Yes/No
Oem_Enable_Auth_Type_Md5 No
## Possible values: Yes/No
Oem_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
Oem_Enable_Auth_Type_Oem_Proprietary No
EndSection
Section Lan_Conf_Security_Keys
## Give string or blank to clear. Max 20 chars
K_G
EndSection
Section Lan_Conf_Misc
## Possible values: Yes/No
Enable_Gratuitous_Arps Yes
## Possible values: Yes/No
Enable_Arp_Response No
## Give valid number. Intervals are 500 ms.
Gratuitous_Arp_Interval 4
EndSection
Section Rmcpplus_Conf_Privilege
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_0 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_1 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_2 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_3 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_4 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_5 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_6 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_7 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_8 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_9 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_10 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_11 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_12 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_13 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_14 Administrator
EndSection
Section SOL_Conf
## Possible values: Yes/No
Enable_SOL Yes
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
SOL_Privilege_Level Administrator
## Possible values: Yes/No
Force_SOL_Payload_Authentication Yes
## Possible values: Yes/No
Force_SOL_Payload_Encryption Yes
## Give a valid integer. Each unit is 5ms
Character_Accumulate_Interval 50
## Give a valid number
Character_Send_Threshold 100
## Give a valid integer
SOL_Retry_Count 5
## Give a valid integer. Interval unit is 10ms
SOL_Retry_Interval 50
## Possible values: Serial/9600/19200/38400/57600/115200
Non_Volatile_Bit_Rate 115200
## Possible values: Serial/9600/19200/38400/57600/115200
Volatile_Bit_Rate 115200
EndSection

SECTION USER1, USER2, ...
The User sections of the BMC configuration file are for username
configuration for IPMI over LAN communication. The number of users
available to be configured on your system will vary by manufacturer. With
the exception of the Username for User1, all sections are identical.

The username(s) you wish to configure the BMC with are defined with
Username. The first username under Section User1 is typically the NULL
username and cannot be modified. The password for the username can be
specified with Password. It can be left empty to define a NULL password.
Each user you wish to enable must be enabled through the Enable_User
configuration option. It is recommended that all usernames have non-NULL
passwords or be disabled for security reasons.

Lan_Enable_Ipmi_Msgs is used to enable or disable IPMI over LAN access
for the user. This should be set to "Yes" to allow IPMI over LAN tools
to work.

Lan_Privilege_Limit specifies the maximum privilege level the user is
allowed. Different IPMI commands have different privilege restrictions.
For example, determining the power status of a machine only requires the
"User" privilege level. However, power cycling requires the "Operator"
privilege. Typically, you will want to assign at least one user a
privilege limit of "Administrator" so that all system functions are
available to at least one user via IPMI over LAN.

Lan_Session_Limit specifies the number of simultaneous IPMI sessions
allowed for the user. Most users will wish to set this to "0" to allow
unlimited simultaneous IPMI sessions. This field is considered optional
by IPMI standards, and attempting to configure it to a non-zero value may
result in errors. If errors do occur, setting the value back to 0 should
resolve the problem.

SOL_Payload_Access specifies whether a particular user is allowed to
connect with Serial-Over-LAN (SOL). This should be set to "Yes" to allow
this username to use SOL.

The example configuration above disables "User2" but enables the default
"NULL" (i.e. anonymous) user. Many IPMI tools (both open-source and
vendor) do not allow the user to input a username and assume the NULL
username by default. If the tools you are interested in using allow
usernames to be input, then it is recommended that one of the non-NULL
usernames be enabled and the NULL username disabled for security
reasons. It is recommended that you disable the NULL username in section
User1, so that users are required to specify a username for IPMI over
LAN communication.

Some motherboards may require a Username to be configured prior to other
fields being read/written. If this is the case, those fields will be set
to <username-not-set-yet>.

SECTION LAN_CHANNEL
The Lan_Channel section configures a variety of IPMI over LAN
configuration parameters. Both Volatile and Non_Volatile configurations
can be set. Volatile configurations are immediately configured onto the
BMC and take immediate effect on the system. Non_Volatile configurations
only take effect after the next system reset. Generally, both the
Volatile and Non_Volatile values should be configured identically.

The Access_Mode parameter configures the availability of IPMI over LAN
on the system. Typically this should be set to "Always_Available" to
enable IPMI over LAN.

The Privilege_Limit sets the maximum privilege any user of the system
can have when performing IPMI over LAN. This should be set to the maximum
privilege level configured for any username. Typically, this should be
set to "Administrator".

Typically User_Level_Auth and Per_Message_Auth should be set to "Yes"
for additional security. Disabling User_Level_Auth allows "User"
privileged IPMI commands to be executed without authentication.
Disabling Per_Message_Auth means that fewer of the individual IPMI
messages within a session require authentication.

SECTION LAN_CONF
Those familiar with setting up networks should find most of the fields
in this section self-explanatory. The example BMC configuration above
illustrates the setup of a static IP address. The field
Ip_Address_Source is configured with "Static". The IP address, subnet
mask, and gateway IP addresses of the machine are respectively
configured with the Ip_Address, Subnet_Mask, Default_Gateway_Ip_Address,
and Backup_Gateway_Ip_Address fields. The respective MAC addresses for
the IP addresses are configured under Mac_Address,
Default_Gateway_Mac_Address, and Backup_Gateway_Mac_Address.

The BMC Ip_Address is not required to be the same IP address used by
your operating system for that network interface. However, if you choose
to use a different address, an alternate ARP configuration may need to
be set up.

To instead set up your BMC network information via DHCP, the field
Ip_Address_Source should be configured with "Use_DHCP".

It is recommended that static IP addresses be configured for address
resolution reasons. See Lan_Conf_Misc below for a more detailed
explanation.

SECTION LAN_CONF_AUTH
This section determines what types of password authentication
mechanisms are allowed for users at different privilege levels under the
IPMI 1.5 protocol. The currently supported authentication methods for
IPMI 1.5 are None (no username/password required), Straight_Password
(passwords are sent in the clear), MD2 (passwords are MD2 hashed), and
MD5 (passwords are MD5 hashed). Different usernames at different
privilege levels may be allowed to authenticate differently through this
configuration. For example, a username with "User" privileges may be
allowed to authenticate with a straight password, but a username with
"Administrator" privileges may only be allowed to authenticate with MD5.

The example configuration above supports MD2 and MD5 authentication for
all users at the "User", "Operator", and "Administrator" privilege
levels. All authentication mechanisms have been disabled for the
"Callback" privilege level.

Generally speaking, you do not want to allow any user to authenticate
with None or Straight_Password for security reasons. MD2 and MD5 are
hash algorithms that keep the password from crossing the network in the
clear, but they offer only minimal protection. If you have chosen to
support the NULL username (enabled User1) and NULL passwords (NULL
password for User1), you will have to enable the None authentication
fields above to allow users to connect via None.

SECTION LAN_CONF_SECURITY_KEYS
This section supports configuration of the IPMI 2.0 (including
Serial-Over-LAN) K_g key. If your machine does not support IPMI 2.0,
this field will not be configurable.

The key is used for two-key authentication in IPMI 2.0. In most tools,
when doing IPMI 2.0, the K_g can be optionally specified. It is not
required for IPMI 2.0 operation.

In the example above, we have elected to leave this field blank so the
K_g key is not used.

SECTION LAN_CONF_MISC
This section lists miscellaneous IPMI over LAN configuration options.
These are optional IPMI configuration options that are not implemented
on all BMCs.

Normally, a client cannot resolve the ethernet MAC address without the
remote operating system running. However, IPMI over LAN would not work
when a machine is powered off or if the IP address used by the operating
system for that network interface differs from the BMC IP address. One
way to work around this is through gratuitous ARPs. Gratuitous ARPs are
ARP packets generated by the BMC and sent out to advertise the BMC's IP
and MAC address. Other machines on the network can store this
information in their local ARP cache for later IP/hostname resolution.
This allows IPMI over LAN to work when the remote machine is powered
off. The Enable_Gratuitous_Arps option allows you to enable or disable
this feature. The Gratuitous_Arp_Interval option allows you to configure
the frequency at which gratuitous ARPs are sent onto the network.

Instead of gratuitous ARPs, some BMCs are able to respond to ARP
requests even when powered off. If offered, this feature can be enabled
through the Enable_Arp_Response option.

Generally speaking, turning on gratuitous ARPs is acceptable. However,
it will increase traffic on your network. If you are using IPMI on a
large cluster, the gratuitous ARPs may easily flood your network. They
should be tuned to occur less frequently or disabled. If disabled, the
remote machine's MAC address should be permanently stored in the local
ARP cache through arp(8).

See bmc-watchdog(8) for a method which allows gratuitous ARPs to be
disabled when the operating system is running, but enabled when the
system is down.

SECTION RMCPPLUS_CONF_PRIVILEGE
This section supports configuration of the IPMI 2.0 (including
Serial-Over-LAN) cipher suite IDs. If your machine does not support IPMI
2.0, the fields will not be configurable.

Each cipher suite ID describes a combination of an authentication
algorithm, integrity algorithm, and confidentiality (encryption)
algorithm for IPMI 2.0. The authentication algorithm is used for user
authentication with the BMC. The integrity algorithm is used for
generating signatures on IPMI packets. The confidentiality algorithm is
used for encrypting data. The configuration in this section allows each
cipher suite ID to be enabled or disabled, and sets the maximum
privilege level a username can authenticate with through it.

The following table shows the cipher suite ID to algorithms mapping:

ID  Authentication Algorithm  Integrity Algorithm  Confidentiality Algorithm
0   None                      None                 None
1   HMAC-SHA1                 None                 None
2   HMAC-SHA1                 HMAC-SHA1-96         None
3   HMAC-SHA1                 HMAC-SHA1-96         AES-CBC-128
4   HMAC-SHA1                 HMAC-SHA1-96         xRC4-128
5   HMAC-SHA1                 HMAC-SHA1-96         xRC4-40
6   HMAC-MD5                  None                 None
7   HMAC-MD5                  HMAC-MD5-128         None
8   HMAC-MD5                  HMAC-MD5-128         AES-CBC-128
9   HMAC-MD5                  HMAC-MD5-128         xRC4-128
10  HMAC-MD5                  HMAC-MD5-128         xRC4-40
11  HMAC-MD5                  MD5-128              None
12  HMAC-MD5                  MD5-128              AES-CBC-128
13  HMAC-MD5                  MD5-128              xRC4-128
14  HMAC-MD5                  MD5-128              xRC4-40

Generally speaking, HMAC-SHA1 based algorithms are stronger than
HMAC-MD5, which are better than MD5-128 algorithms. AES-CBC-128
confidentiality algorithms are stronger than xRC4-128 algorithms, which
are better than xRC4-40 algorithms. Cipher suite ID 3 is therefore
typically considered the most secure. Some users may wish to set cipher
suite ID 3 to a privilege level and disable all remaining cipher suite
IDs.

The example configuration above allows any user with "Administrator"
privileges to use any cipher suite that includes an authentication, an
integrity, and a confidentiality algorithm. Typically, the maximum
privilege level configured for a username should be set for at least one
cipher suite ID. Typically, this is the "Administrator" privilege.

A number of cipher suite IDs are optionally implemented, so the cipher
suite IDs available on your system may vary.

SECTION SOL_CONF
This section is for setting up Serial-Over-LAN (SOL) and will only be
available for configuration on machines that support it. SOL can be
enabled with the Enable_SOL field. The minimum privilege level required
for connecting with SOL is specified by SOL_Privilege_Level. This should
be set to the maximum privilege level configured for a username that has
SOL enabled. Typically, this is the "Administrator" privilege.
Authentication and encryption can be forced or not using the fields
Force_SOL_Payload_Authentication and Force_SOL_Payload_Encryption
respectively. It is recommended that these be set on. However, forced
authentication and/or encryption support depends on the cipher suite IDs
supported.

The Character_Accumulate_Interval, Character_Send_Threshold,
SOL_Retry_Count, and SOL_Retry_Interval options are used to set SOL
character output speeds. Character_Accumulate_Interval determines how
often serial data should be regularly sent, and Character_Send_Threshold
indicates the character count that, if passed, will force serial data to
be sent. SOL_Retry_Count indicates how many times packets must be
retransmitted if acknowledgements are not received. SOL_Retry_Interval
indicates the timeout interval. Generally, the manufacturer recommended
numbers will be sufficient. However, you may wish to experiment with
these values for faster SOL throughput.

The Non_Volatile_Bit_Rate and Volatile_Bit_Rate determine the baud rate
the BMC should use. This should match the baud rate set in the BIOS and
operating system, such as agetty(8). Generally speaking, both the
Volatile and Non_Volatile options should be set identically.

In addition to enabling SOL in this section, individual users must also
be capable of connecting with SOL. See the section Section User1,
User2, ... above for details.

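As an added example (not part of FreeIPMI or this manpage), the following Python audit parses a checkout file in the Section/EndSection, "Key Value" and "##" comment layout shown above and flags the settings the User, Lan_Channel, Lan_Conf_Auth, Rmcpplus_Conf_Privilege and SOL_Conf sections recommend against. The checkout embedded in it is constructed for the demonstration.

```python
import re
from collections import defaultdict
# Constructed sample checkout (not from a real BMC) carrying several weak settings.
SAMPLE = """\
Section User1
## Username NULL
Password
Enable_User Yes
EndSection
Section User2
Username admin
Password s3cret
Enable_User Yes
EndSection
Section Lan_Channel
Volatile_Enable_User_Level_Auth No
Non_Volatile_Enable_Per_Message_Auth Yes
EndSection
Section Lan_Conf_Auth
Admin_Enable_Auth_Type_None Yes
User_Enable_Auth_Type_Straight_Password Yes
EndSection
Section Rmcpplus_Conf_Privilege
Maximum_Privilege_Cipher_Suite_Id_0 Administrator
Maximum_Privilege_Cipher_Suite_Id_3 Administrator
EndSection
Section SOL_Conf
Force_SOL_Payload_Encryption No
EndSection
"""

# From the manpage's cipher suite table: every ID except 3 and 8 (AES-CBC-128 with an
# HMAC integrity algorithm) lacks integrity/confidentiality or uses xRC4 or MD5-128.
WEAK_CIPHER_SUITES = {0, 1, 2, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14}
# IPMI 1.5 authentication types the text says should not be allowed.
WEAK_AUTH_TYPES = ("_Auth_Type_None", "_Auth_Type_Straight_Password")
# Lan_Channel and SOL_Conf flags the text recommends leaving at "Yes".
MUST_BE_YES = ("_User_Level_Auth", "_Per_Message_Auth",
               "Force_SOL_Payload_Authentication", "Force_SOL_Payload_Encryption")

def parse(text):
    """Return {section: {key: value}}; '##' lines are comments, a bare key has value ''."""
    conf, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        if line.startswith("Section "):
            current = line.split(None, 1)[1]
        elif line == "EndSection":
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            conf[current][key] = value.strip()
    return conf

def audit(conf):
    """One finding string per setting the manpage recommends against."""
    findings = []
    for name, sec in conf.items():
        if name.startswith("User") and sec.get("Enable_User") == "Yes":
            if "Username" not in sec:    # User1's NULL username is checked out as a comment
                findings.append(f"{name}: NULL (anonymous) username is enabled")
            if not sec.get("Password"):  # a blank Password clears the password
                findings.append(f"{name}: enabled user has a NULL password")
        for key, value in sec.items():
            suite = re.fullmatch(r"Maximum_Privilege_Cipher_Suite_Id_(\d+)", key)
            if value == "No" and key.endswith(MUST_BE_YES):
                findings.append(f"{name}: {key} is No")
            elif name == "Lan_Conf_Auth" and value == "Yes" and key.endswith(WEAK_AUTH_TYPES):
                findings.append(f"{name}: {key} allows weak IPMI 1.5 authentication")
            elif suite and value != "Unused" and int(suite.group(1)) in WEAK_CIPHER_SUITES:
                findings.append(f"{name}: weak cipher suite {suite.group(1)} allows {value}")
    return findings
```

Run `audit(parse(open(path).read()))` over the file you intend to commit with ipmi-config(8); on the constructed sample it reports seven findings and nothing for User2 or cipher suite 3.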
REPORTING BUGS
Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.

SEE ALSO
freeipmi(7), bmc-watchdog(8), ipmi-config(8), agetty(8)

http://www.gnu.org/software/freeipmi/

ipmi-config 1.6.4 2019-08-21 ipmi-config.conf(5)