Skip to content

CAST-38539: Warn and prompt in sat bmccreds for long passwords #376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
haasken-hpe merged 1 commit into from
Sep 23, 2025
Merged

CAST-38539: Warn and prompt in sat bmccreds for long passwords #376

haasken-hpe merged 1 commit into from
Sep 23, 2025

Conversation

@haasken-hpe
Copy link
Contributor

@haasken-hpe haasken-hpe commented Sep 18, 2025
edited
Loading

Summary and Scope

Add logic to sat bmccreds to log a warning if the provided or
generated password is longer than 20 characters. This is the maximum
password length supported by ipmitool, which is required to control
management nodes during system boot and shutdown procedures.

The warning is logged whenever the password exceeds 20 characters. The
user must answer the prompt if it is determined that the affected xnames
include management node BMCs or if that can't be determined (i.e. if the
HSM query fails, or --no-hsm-check is specified).

Added unit tests for the new validate_password_length method.

Issues and Related PRs

Testing

Tested on:

  • vinland

Test description:

Unit tests pass. Tested the following cases with sat bmmcreds on
vinland:

  • User-specified password of an acceptable length against a compute and
    management node BMC
  • Too long generated password against a compute and management node BMC
  • Too long user-specified password against a compute and management node
    BMC
  • Too long user-specified password against only compute BMC
  • Exactly 20-character password against both BMCs
  • Too long password entered at the prompt against both BMCs

Risks and Mitigations

This is pretty low-risk as it is still possible to proceed with passwords longer
than 20 characters if the user really wants to. Such passwords would cause
problems during the system shutdown and boot procedures anyway, even if accepted
by the Redfish implementation on the system hardware.

Pull Request Checklist

  • Version number(s) incremented, if applicable
  • Copyrights updated
  • License file intact
  • Target branch correct
  • CHANGELOG.md updated
  • Testing is appropriate and complete, if applicable
  • HPC Product Announcement prepared, if applicable

@haasken-hpe
Copy link
Contributor Author

haasken-hpe commented Sep 18, 2025

Here is a detailed description of my testing. These are the nodes on the system and the ones I chose for the test:

ncn-m001:/mnt/developer/haasken/CAST-38539 # sat status --hsm-fields --sls-fields --fields xname,role,subrole,aliases,state
+----------------+-------------+---------+-----------+-----------+
| xname          | Role        | SubRole | Aliases   | State     |
+----------------+-------------+---------+-----------+-----------+
| x3000c0s1b0n0  | Management  | Master  | ncn-m001  | Populated |
| x3000c0s3b0n0  | Management  | Master  | ncn-m002  | Ready     |
| x3000c0s5b0n0  | Management  | Master  | ncn-m003  | Ready     |
| x3000c0s7b0n0  | Management  | Worker  | ncn-w001  | Ready     |
| x3000c0s9b0n0  | Management  | Worker  | ncn-w002  | Ready     |
| x3000c0s11b0n0 | Management  | Worker  | ncn-w003  | Ready     |
| x3000c0s13b0n0 | Management  | Worker  | ncn-w004  | Ready     |
| x3000c0s15b1n0 | Compute     | None    | nid000001 | Ready     |
| x3000c0s15b2n0 | Compute     | None    | nid000002 | Ready     |
| x3000c0s15b3n0 | Compute     | None    | nid000003 | Ready     |
| x3000c0s15b4n0 | Compute     | None    | nid000004 | Ready     |
| x3000c0s17b0n0 | Management  | Storage | ncn-s001  | Ready     |
| x3000c0s19b0n0 | Management  | Storage | ncn-s002  | Ready     |
| x3000c0s21b0n0 | Management  | Storage | ncn-s003  | Ready     |
| x3000c0s23b0n0 | Application | UAN     | uan01     | Ready     |
| x3000c0s25b0n0 | Management  | Worker  | ncn-w005  | Ready     |
| x3000c0s27b0n0 | Application | UAN     | uan02     | Ready     |
| x3000c0s29b0n0 | Application | Gateway | gw01      | Ready     |
| x3000c0s31b0n0 | Application | Gateway | gw02      | Ready     |
+----------------+-------------+---------+-----------+-----------+
ncn-m001:/mnt/developer/haasken/CAST-38539 # echo $MGMT_NODE_BMC
x3000c0s11b0
ncn-m001:/mnt/developer/haasken/CAST-38539 # echo $COMPUTE_NODE_BMC
x3000c0s15b1
ncn-m001:/mnt/developer/haasken/CAST-38539 # echo $BOTH_NODE_BMCS
x3000c0s11b0,x3000c0s15b1

Proving that I currently know the password and can use ipmitool against these node BMCs:

ncn-m001:/mnt/developer/haasken/CAST-38539 # read -s -p "Enter BMC password: " IPMI_PASSWORD
Enter BMC password:
ncn-m001:/mnt/developer/haasken/CAST-38539 # export IPMI_PASSWORD
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -E -I lanplus -H $COMPUTE_NODE_BMC chassis power status
Chassis Power is on
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -E -I lanplus -H $MGMT_NODE_BMC chassis power status
Chassis Power is on

Setting the password to a short user-specified value:

ncn-m001:/mnt/developer/haasken/CAST-38539 # read -s -p "Enter a new password: " NEW_PASSWORD
Enter a new password:
ncn-m001:/mnt/developer/haasken/CAST-38539 # echo -e $NEW_PASSWORD | wc -c
9
ncn-m001:/mnt/developer/haasken/CAST-38539 # sat bmccreds -x $BOTH_NODE_BMCS --password $NEW_PASSWORD
Setting BMC credentials on the following BMCs: x3000c0s11b0, x3000c0s15b1. Proceed? (yes/[no]) : yes
+--------------+---------+----------------------+-------------+----------------+
| xname        | Type    | Password Type        | Status Code | Status Message |
+--------------+---------+----------------------+-------------+----------------+
| x3000c0s11b0 | NodeBMC | User, domain: system | 204         | No Content     |
| x3000c0s15b1 | NodeBMC | User, domain: system | 204         | No Content     |
+--------------+---------+----------------------+-------------+----------------+

Now I can no longer use the old password:

ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -E -I lanplus -H $MGMT_NODE_BMC chassis power status
Error: Unable to establish IPMI v2 / RMCP+ session
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -E -I lanplus -H $COMPUTE_NODE_BMC chassis power status
Error: Unable to establish IPMI v2 / RMCP+ session

The new password works:

ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -P $NEW_PASSWORD -I lanplus -H $MGMT_NODE_BMC chassis power status
Chassis Power is on
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -P $NEW_PASSWORD -I lanplus -H $COMPUTE_NODE_BMC chassis power status
Chassis Power is on

Now if I try to set a too-long generated password:

ncn-m001:/mnt/developer/haasken/CAST-38539 # sat bmccreds -x $BOTH_NODE_BMCS --password-length 21 --random-password
Setting BMC credentials on the following BMCs: x3000c0s11b0, x3000c0s15b1. Proceed? (yes/[no]) : yes
WARNING: Password exceeds 20-character limit imposed by ipmitool, which is used to control management nodes during system shutdown and boot procedures. Management node BMCs are included in the xnames having their credentials updated.
Proceed with setting credentials? [yes,no] no
Will not proceed with setting credentials. Exiting.

Trying to set a too-longer user-provided password:

ncn-m001:/mnt/developer/haasken/CAST-38539 # sat bmccreds -x $BOTH_NODE_BMCS --password $LONG_PASSWORD
Setting BMC credentials on the following BMCs: x3000c0s11b0, x3000c0s15b1. Proceed? (yes/[no]) : yes
WARNING: Password exceeds 20-character limit imposed by ipmitool, which is used to control management nodes during system shutdown and boot procedures. Management node BMCs are included in the xnames having their credentials updated.
Proceed with setting credentials? [yes,no] yes
Proceeding with setting credentials.
ERROR: Attempt 1 of 3: Failed to update BMC credentials due to an error from the SCSD API: POST request to URL 'https://api-gw-service-nmn.local/apis/scsd/v1/bmc/globalcreds' failed with status code 500: Internal Server Error. User cred set error Detail: ERROR: Problem attempting to set user creds: Bad return code from 'https://x3000c0s11b0/redfish/v1/AccountService/Accounts/4': 400 - Bad Request, none were changed.
ERROR: Attempt 2 of 3: Failed to update BMC credentials due to an error from the SCSD API: POST request to URL 'https://api-gw-service-nmn.local/apis/scsd/v1/bmc/globalcreds' failed with status code 500: Internal Server Error. User cred set error Detail: ERROR: Problem attempting to set user creds: Bad return code from 'https://x3000c0s11b0/redfish/v1/AccountService/Accounts/4': 400 - Bad Request, none were changed.
ERROR: Attempt 3 of 3: Failed to update BMC credentials due to an error from the SCSD API: POST request to URL 'https://api-gw-service-nmn.local/apis/scsd/v1/bmc/globalcreds' failed with status code 500: Internal Server Error. User cred set error Detail: ERROR: Problem attempting to set user creds: Bad return code from 'https://x3000c0s11b0/redfish/v1/AccountService/Accounts/4': 400 - Bad Request, none were changed.
ERROR: Failed to update BMC credentials after 3 retries

I think this behavior is going to depend on the Redfish implementation and the maximum length password it accepts. In this case, the Redfish implementation on the management node rejected it. The previously set password still works:

ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -P $NEW_PASSWORD -I lanplus -H $COMPUTE_NODE_BMC chassis power status
Chassis Power is on
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -P $NEW_PASSWORD -I lanplus -H $MGMT_NODE_BMC chassis power status
Chassis Power is on

Trying to set the password to something too long on only non-management (in this case, compute) nodes. Note the lack of the prompt because we do not necessarily need ipmitool on nodes other than management nodes:

ncn-m001:/mnt/developer/haasken/CAST-38539 # sat bmccreds -x $COMPUTE_NODE_BMC --password $LONG_PASSWORD
Setting BMC credentials on the following BMCs: x3000c0s15b1. Proceed? (yes/[no]) : yes
WARNING: Password exceeds 20-character limit imposed by ipmitool, which is used to control management nodes during system shutdown and boot procedures. Management node BMCs are not included in the xnames having their credentials updated.
ERROR: Attempt 1 of 3: Failed to update BMC credentials due to an error from the SCSD API: POST request to URL 'https://api-gw-service-nmn.local/apis/scsd/v1/bmc/globalcreds' failed with status code 500: Internal Server Error. User cred set error Detail: ERROR: Problem attempting to set user creds: Bad return code from 'https://x3000c0s15b1/redfish/v1/AccountService/Accounts/4': 400 - Bad Request, none were changed.
ERROR: Attempt 2 of 3: Failed to update BMC credentials due to an error from the SCSD API: POST request to URL 'https://api-gw-service-nmn.local/apis/scsd/v1/bmc/globalcreds' failed with status code 500: Internal Server Error. User cred set error Detail: ERROR: Problem attempting to set user creds: Bad return code from 'https://x3000c0s15b1/redfish/v1/AccountService/Accounts/4': 400 - Bad Request, none were changed.
ERROR: Attempt 3 of 3: Failed to update BMC credentials due to an error from the SCSD API: POST request to URL 'https://api-gw-service-nmn.local/apis/scsd/v1/bmc/globalcreds' failed with status code 500: Internal Server Error. User cred set error Detail: ERROR: Problem attempting to set user creds: Bad return code from 'https://x3000c0s15b1/redfish/v1/AccountService/Accounts/4': 400 - Bad Request, none were changed.
ERROR: Failed to update BMC credentials after 3 retries

Trying with --no-hsm-check to confirm it warns and prompts:

ncn-m001:/mnt/developer/haasken/CAST-38539 # sat bmccreds -x $BOTH_NODE_BMCS --password $LONG_PASSWORD --no-hsm-check
Setting BMC credentials on the following BMCs: x3000c0s11b0, x3000c0s15b1. Proceed? (yes/[no]) : yes
WARNING: Password exceeds 20-character limit imposed by ipmitool, which is used to control management nodes during system shutdown and boot procedures. The "--no-hsm-check" option was specified, so we cannot detect whether any management node BMCs are having their credentials updated.
Proceed with setting credentials? [yes,no] no
Will not proceed with setting credentials. Exiting.

Trying with a password of exactly 20 characters:

ncn-m001:/mnt/developer/haasken/CAST-38539 # read -s -p "Enter a 20-char password: " PERFECT_PASSWORD
Enter a 20-char password:
ncn-m001:/mnt/developer/haasken/CAST-38539 # echo -n $PERFECT_PASSWORD | wc -c
20
ncn-m001:/mnt/developer/haasken/CAST-38539 # sat bmccreds -x $BOTH_NODE_BMCS --password $PERFECT_PASSWORD --no-hsm-check
Setting BMC credentials on the following BMCs: x3000c0s15b1, x3000c0s11b0. Proceed? (yes/[no]) : yes
+--------------+---------+----------------------+-------------+----------------+
| xname        | Type    | Password Type        | Status Code | Status Message |
+--------------+---------+----------------------+-------------+----------------+
| x3000c0s15b1 | NodeBMC | User, domain: system | 204         | No Content     |
| x3000c0s11b0 | NodeBMC | User, domain: system | 204         | No Content     |
+--------------+---------+----------------------+-------------+----------------+

Now the previously set password does not work:

ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -P $NEW_PASSWORD -I lanplus -H $MGMT_NODE_BMC chassis power status
Error: Unable to establish IPMI v2 / RMCP+ session
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -P $NEW_PASSWORD -I lanplus -H $MGMT_NODE_BMC chassis power status
Error: Unable to establish IPMI v2 / RMCP+ session

And the new one does:

ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -P $PERFECT_PASSWORD -I lanplus -H $MGMT_NODE_BMC chassis power status
Chassis Power is on
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -P $PERFECT_PASSWORD -I lanplus -H $COMPUTE_NODE_BMC chassis power status
Chassis Power is on

Just for thoroughness, checking that passwords entered at a prompt are handled correctly as well:

ncn-m001:/mnt/developer/haasken/CAST-38539 # sat bmccreds -x $BOTH_NODE_BMCS
Setting BMC credentials on the following BMCs: x3000c0s11b0, x3000c0s15b1. Proceed? (yes/[no]) : yes
BMC password:
Confirm BMC password:
WARNING: Password exceeds 20-character limit imposed by ipmitool, which is used to control management nodes during system shutdown and boot procedures. Management node BMCs are included in the xnames having their credentials updated.
Proceed with setting credentials? [yes,no] no
Will not proceed with setting credentials. Exiting.

Cleaning up and setting it back to the starting value:

ncn-m001:/mnt/developer/haasken/CAST-38539 # sat bmccreds -x $BOTH_NODE_BMCS
Setting BMC credentials on the following BMCs: x3000c0s15b1, x3000c0s11b0. Proceed? (yes/[no]) : yes
BMC password:
Confirm BMC password:
+--------------+---------+----------------------+-------------+----------------+
| xname        | Type    | Password Type        | Status Code | Status Message |
+--------------+---------+----------------------+-------------+----------------+
| x3000c0s15b1 | NodeBMC | User, domain: system | 204         | No Content     |
| x3000c0s11b0 | NodeBMC | User, domain: system | 204         | No Content     |
+--------------+---------+----------------------+-------------+----------------+
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -E -I lanplus -H $COMPUTE_NODE_BMC chassis power status
Chassis Power is on
ncn-m001:/mnt/developer/haasken/CAST-38539 # ipmitool -U root -E -I lanplus -H $MGMT_NODE_BMC chassis power status
Chassis Power is on

@haasken-hpe
CAST-38539: Warn and prompt in sat bmccreds for long passwords
b55cf31 
Add logic to `sat bmccreds` to log a warning if the provided or
generated password is longer than 20 characters. This is the maximum
password length supported by `ipmitool`, which is required to control
management nodes during system boot and shutdown procedures.

The warning is logged whenever the password exceeds 20 characters. The
user must answer the prompt if it is determined that the affected xnames
include management node BMCs or if that can't be determined (i.e. if the
HSM query fails, or `--no-hsm-check` is specified).

Added unit tests for the new `validate_password_length` method.

Test Description:
Unit tests pass. Tested the following cases with `sat bmmcreds` on
vinland:

- User-specified password of an acceptable length against a compute and
  management node BMC
- Too long generated password against a compute and management node BMC
- Too long user-specified password against a compute and management node
  BMC
- Too long user-specified password against only compute BMC
- Exactly 20-character password against both BMCs
- Too long password entered at the prompt against both BMCs
@haasken-hpe haasken-hpe merged commit 2af9c0e into main Sep 23, 2025
3 checks passed
@haasken-hpe haasken-hpe deleted the CAST-38539 branch September 23, 2025 21:11
@haasken-hpe
Copy link
Contributor Author

haasken-hpe commented Sep 23, 2025

/backport release/3.36

@github-actions
Copy link

github-actions bot commented Sep 23, 2025

Backporting into branch release/3.36 was successful. New PR: #377

@github-actions github-actions bot mentioned this pull request Sep 23, 2025
Merged
@haasken-hpe haasken-hpe mentioned this pull request Sep 23, 2025
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@annapoorna-s-alt annapoorna-s-alt annapoorna-s-alt approved these changes

@ethanholen-hpe ethanholen-hpe Awaiting requested review from ethanholen-hpe

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@haasken-hpe @annapoorna-s-alt