-Preclude sending of ba parameter for rvid (too risky)

-Block attempts to use the BPET42T compatible code (requires insecure behavior, mandate BPET46C or newer)


git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@2540 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd

xCAT-client/share/xcat/rvid/rvid.blade

@@ -15,6 +15,8 @@ if [ $fwpref == 'BPET' ]; then
     if [ $fwmaj -ge 46 ]; then
         java -jar /tmp/xcat/$rvid_server.remotekvm.jar -s $rvid_server -r $rvid_authtoken -b $rvid_slot >& /dev/null
     elif [ $fwmaj -ge 42 ]; then
+        echo "Unable to securely support $rvid_fwrev in an adequately secure manner, please upgrade to BPET46C or better"
+        exit 1
         java -jar /tmp/xcat/$rvid_server.remotekvm.jar $rvid_server -rbs $rvid_authtoken -ba $rvid_ba -port $rvid_port >& /dev/null
     else 
         echo "Unknown method for firmware $rvid_fwrev, ensure it is at least BPET42R";

xCAT-server/lib/xcat/plugins/blade.pm

@@ -1806,8 +1806,8 @@ sub get_kvm_params {
                    $destip=$2;
                } elsif ($1 eq 'rbs') {
                     $rbs = $2;
-               } elsif ($1 eq 'ba') {
-                   $ba=$2; #NOTE: This is the username and password.  The client seems to required it for this version of firmware.
+               #} elsif ($1 eq 'ba') {
+               #    $ba=$2; #NOTE: This is the username and password.  The client seems to required it for this version of firmware, not exporting for SECURITY
                } elsif ($1 eq 'cdl') {
                    $fwrev=$2;
                } elsif ($1 eq 'port') {
@@ -2677,9 +2677,9 @@ sub dompa {
           if ($port) {
             push(@output,"port:$port");
           }
-          if ($ba) {
-            push(@output,"ba:$ba");
-          }
+          #if ($ba) { #SECURITY: This exposes AMM credentials, use at own risk
+          #  push(@output,"ba:$ba");
+          #}
           my %outh;
           $outh{node}->[0]->{name}=[$node];
           $outh{node}->[0]->{data}=[];