diff --git a/doc/ipmitool.1 b/doc/ipmitool.1
index 2c20821..0d8adcc 100644
--- a/doc/ipmitool.1
+++ b/doc/ipmitool.1
@@ -1921,6 +1921,27 @@ ADMIN, issue the following command: > ipmitool \-I \fIinterface\fR lan set \fIchannel\fR cipher_privs uaXXXXXXXXXXXXX
+.TP
+
+\fIbad_pass_thresh\fP <\fBthresh_num\fR> <\fB1|0\fR> <\fBreset_interval\fR> <\fBlockout_interval\fR>
+.br
+
+Sets the Bad Password Threshold.
+
+<\fBthresh_num\fR> If non-zero, this value determines the number of sequential bad passwords
+that will be allowed to be entered for the identified user before the user is automatically
+disabled from access on the channel.
+
+<\fB1|0\fR> 1 = generate a Session Audit sensor "Invalid password disable" event message.
+0 = do not generate an event message when the user is disabled.
+
+<\fBreset_interval\fR> Attempt Count Reset Interval. The interval, in tens of seconds, for
+which the accumulated count of bad password attempts is retained before being automatically
+reset to zero.
+
+<\fBlockout_interval\fR> User Lockout Interval. The interval, in tens of seconds, that the user
+will remain disabled after being disabled because the Bad Password Threshold number was reached.
+
 .RE .TP \fIalert\fP \fIprint\fP [<\fBchannel\fR>] [<\fBalert destination\fR>]
diff --git a/include/ipmitool/ipmi_lanp.h b/include/ipmitool/ipmi_lanp.h
index 1aaae5e..db604eb 100644
--- a/include/ipmitool/ipmi_lanp.h
+++ b/include/ipmitool/ipmi_lanp.h
@@ -76,6 +76,8 @@ enum { IPMI_LANP_RMCP_CIPHER_SUPPORT, IPMI_LANP_RMCP_CIPHERS, IPMI_LANP_RMCP_PRIV_LEVELS,
+ IPMI_LANP_VLAN_TAGS,
+ IPMI_LANP_BAD_PASS_THRESH,
 IPMI_LANP_OEM_ALERT_STRING=96, IPMI_LANP_ALERT_RETRY=97, IPMI_LANP_UTC_OFFSET=98,
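Review bot: The two enumerators added in include/ipmitool/ipmi_lanp.h take their values from their position after `IPMI_LANP_RMCP_PRIV_LEVELS`, yet `IPMI_LANP_BAD_PASS_THRESH` is passed as the parameter selector to `get_lan_param()` and `set_lan_param()` in lib/ipmi_lanp.c, so its numeric value ends up on the wire. Bad Password Threshold is parameter 26 in the IPMI 2.0 LAN configuration table, which only holds here if the entries above the hunk (not visible) count up to 24. Writing the values out, `IPMI_LANP_VLAN_TAGS = 25,` and `IPMI_LANP_BAD_PASS_THRESH = 26,`, in the same way the OEM entries below already do, would keep a later insertion from silently redirecting a lockout-policy write to a different parameter. `IPMI_LANP_VLAN_TAGS` has no table row and no user in this diff, so a short comment saying it is there to reserve its selector would help.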
@@ -117,6 +119,7 @@ static struct lan_param { { IPMI_LANP_RMCP_CIPHER_SUPPORT,1, "RMCP+ Cipher Suite Count" }, { IPMI_LANP_RMCP_CIPHERS, 16, "RMCP+ Cipher Suites" }, { IPMI_LANP_RMCP_PRIV_LEVELS, 9, "Cipher Suite Priv Max" },
+ { IPMI_LANP_BAD_PASS_THRESH, 6, "Bad Password Threshold", NULL, 0 },
 { IPMI_LANP_OEM_ALERT_STRING, 28, "OEM Alert String" }, /* 25 */ { IPMI_LANP_ALERT_RETRY, 1, "Alert Retry Algorithm" }, { IPMI_LANP_UTC_OFFSET, 3, "UTC Offset" },
diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
index 0c4135f..bb619eb 100644
--- a/lib/ipmi_lanp.c
+++ b/lib/ipmi_lanp.c
@@ -577,7 +577,6 @@ static int ipmi_lan_print(struct ipmi_intf * intf, uint8_t chan) { struct lan_param * p;
- int rc = 0;
 if (chan < 1 || chan > IPMI_CHANNEL_NUMBER_MAX) { lprintf(LOG_ERR, "Invalid Channel %d", chan);
@@ -842,7 +841,25 @@ ipmi_lan_print(struct ipmi_intf * intf, uint8_t chan) else printf("%-24s: Not Available\n", p->desc);
- return rc;
+ /* Bad Password Threshold */
+ p = get_lan_param(intf, chan, IPMI_LANP_BAD_PASS_THRESH);
+ if (p == NULL)
+ return -1;
+ if ((p->data != NULL) && (p->data_len == 6)) {
+ int tmp;
+
+ printf("%-24s: %d\n", p->desc, p->data[1]);
+ printf("%-24s: %s\n", "Invalid password disable",
+ p->data[0] & 1 ? "yes" : "no" );
+ tmp = p->data[2] + (p->data[3] << 8);
+ printf("%-24s: %d\n", "Attempt Count Reset Int.", tmp * 10);
+ tmp = p->data[4] + (p->data[5] << 8);
+ printf("%-24s: %d\n", "User Lockout Interval", tmp * 10);
+ } else {
+ printf("%-24s: Not Available\n", p->desc);
+ }
+
+ return 0;
 } /* Configure Authentication Types */
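Review bot: In the `lan_param` table hunk the new row shifts the rows below it, so the `/* 25 */` marker on the OEM Alert String row, which appears to be a running index, is now off by one. The row also spells out five fields (`NULL, 0`) where its neighbours give three; `{ IPMI_LANP_BAD_PASS_THRESH, 6, "Bad Password Threshold" }, /* 25 */` matches the rest and moves the marker to the right row. `IPMI_LANP_VLAN_TAGS` gets an enum value but no row; that is harmless only if lookups match on the first field rather than index the table by selector, which cannot be confirmed from this hunk.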
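Review bot: In the last `ipmi_lan_print` hunk a threshold of 0 is printed as a bare number, although the man-page text added by this commit says only a non-zero value enables the automatic disable, so an operator auditing `lan print` output can miss that lockout is off. Something like `printf("%-24s: %d%s\n", p->desc, p->data[1], p->data[1] ? "" : " (disabled)");` makes that state explicit. The byte layout is only implied by the indexing; a comment such as `/* data[0] bit 0: event enable, data[1]: threshold, data[2..3] and data[4..5]: reset and lockout intervals, LSB first, units of 10 s */` would document it. The function starts outside the hunk, so whether `return -1` on a NULL `p` matches how the earlier parameters are handled cannot be checked here.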
@@ -1273,6 +1290,55 @@ ipmi_lan_set_vlan_priority(struct ipmi_intf *intf, uint8_t chan, char *string) return rc; }
+static void
+print_lan_set_bad_pass_thresh_usage(void)
+{
+ lprintf(LOG_NOTICE,
+"lan set bad_pass_thresh <1|0> \n"
+" Bad Pasword Threshold number.\n"
+" <1|0> 1 = generate a Session Audit sensor event.\n"
+" 0 = do not generate an event.\n"
+" Attempt Count Reset Interval. In tens of seconds.\n"
+" User Lockout Interval. In tens of seconds.");
+}
+
+/* get_cmdline_bad_pass_thresh - parse-out bad password threshold from given
+ * string and store it into buffer.
+ *
+ * @arg: string to be parsed.
+ * @buf: buffer of 6 to hold parsed Bad Password Threshold.
+ *
+ * returns zero on success, (-1) on error.
+ */
+static int
+get_cmdline_bad_pass_thresh(char *argv[], uint8_t *buf)
+{
+ uint16_t reset, lockout;
+
+ if (str2uchar(argv[0], &buf[1])) {
+ return -1;
+ }
+
+ if (str2uchar(argv[1], &buf[0]) || buf[0] > 1) {
+ return -1;
+ }
+
+ if (str2ushort(argv[2], &reset)) {
+ return -1;
+ }
+
+ if (str2ushort(argv[3], &lockout)) {
+ return -1;
+ }
+
+ /* store parsed data */
+ buf[2] = reset & 0xFF;
+ buf[3] = reset >> 8;
+ buf[4] = lockout & 0xFF;
+ buf[5] = lockout >> 8;
+ return 0;
+}
+
 static int ipmi_lan_set(struct ipmi_intf * intf, int argc, char ** argv) {
@@ -1604,6 +1670,18 @@ ipmi_lan_set(struct ipmi_intf * intf, int argc, char ** argv) rc = set_lan_param(intf, chan, IPMI_LANP_RMCP_PRIV_LEVELS, data, 9); } }
+ else if (strncmp(argv[1], "bad_pass_thresh", 15) == 0)
+ {
+ if (argc == 3 && strncmp(argv[2], "help", 4) == 0) {
+ print_lan_set_bad_pass_thresh_usage();
+ return 0;
+ }
+ if (argc < 6 || get_cmdline_bad_pass_thresh(&argv[2], data)) {
+ print_lan_set_bad_pass_thresh_usage();
+ return (-1);
+ }
+ rc = set_lan_param(intf, chan, IPMI_LANP_BAD_PASS_THRESH, data, 6);
+ }
 else { print_lan_set_usage(); return (-1);
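Review bot: The header comment on `get_cmdline_bad_pass_thresh` documents `@arg` as a single string, but the parameter is `argv` and the function reads `argv[0]` through `argv[3]` without checking them, relying entirely on the caller's `argc` test. I would document that contract: `@argv: four strings (thresh_num, 1|0, reset_interval, lockout_interval); the caller must guarantee all four are present`, and `@buf: 6-byte buffer that receives the encoded parameter`. On failure `buf` may already be partly overwritten, which is worth one line in the comment as well. The usage string in `print_lan_set_bad_pass_thresh_usage` has a typo, `Bad Pasword Threshold`.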
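Review bot: In the `bad_pass_thresh` branch of `ipmi_lan_set`, `argc < 6` rejects too few arguments but lets extra trailing ones through unnoticed, so a mistyped command line is still sent to the BMC using only its first four values. For a setting that controls account lockout I would require the exact count: `if (argc != 6 || get_cmdline_bad_pass_thresh(&argv[2], data)) {`. The `strncmp(argv[1], "bad_pass_thresh", 15)` comparison likewise accepts any longer word with that prefix; if that is the file's convention it can stay, otherwise `strcmp` is stricter. `data` is declared outside the hunk; the 9-byte call just above suggests it is large enough for 6 bytes.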
@@ -2228,6 +2306,9 @@ print_lan_set_usage(void) " O = OEM"); lprintf(LOG_NOTICE, "");
+ lprintf(LOG_NOTICE,
+" bad_pass_thresh <1|0> \n"
+" Set bad password threshold");
 } static void
@@ -2383,6 +2464,8 @@ ipmi_lanp_main(struct ipmi_intf * intf, int argc, char ** argv) lprintf(LOG_ERR, "Invalid channel: %s", argv[1]); return (-1); }
+ } else {
+ chan = find_lan_channel(intf, 1);
 } if (!is_lan_channel(intf, chan)) { lprintf(LOG_ERR, "Invalid channel: %d", chan);
@@ -2402,6 +2485,8 @@ ipmi_lanp_main(struct ipmi_intf * intf, int argc, char ** argv) lprintf(LOG_ERR, "Invalid channel: %s", argv[2]); return (-1); }
+ } else {
+ chan = find_lan_channel(intf, 1);
 } if (!is_lan_channel(intf, chan)) { lprintf(LOG_ERR, "Invalid channel: %d", chan);
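Review bot: Both `else` branches added to `ipmi_lanp_main` use the result of `find_lan_channel(intf, 1)` without looking at it, so when no LAN channel is found the user gets `Invalid channel: %d` with whatever sentinel that function returns (its definition is not in this diff), for a channel they never typed. A separate message for the auto-detect case would be clearer, along with a comment on the branch such as `/* no channel argument: use the first LAN channel found, scanning from 1 */`. The same applies to the second hunk at `-2402,6`. The enclosing function begins and ends outside both hunks.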