From e2a7fa2a535c7ab199ed9f490997d9d8aeff693e Mon Sep 17 00:00:00 2001
From: jbjohnso
Date: Wed, 10 Dec 2008 18:28:08 +0000
Subject: [PATCH] -Preclude sending of ba parameter for rvid (too risky) -Block attempts to use the BPET42T compatible code (requires insecure behavior, mandate BPET46C or newer)
git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@2540 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
---
 xCAT-client/share/xcat/rvid/rvid.blade | 2 ++
 xCAT-server/lib/xcat/plugins/blade.pm | 10 +++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/xCAT-client/share/xcat/rvid/rvid.blade b/xCAT-client/share/xcat/rvid/rvid.blade
index aa49a8323..30e3a4e15 100755
--- a/xCAT-client/share/xcat/rvid/rvid.blade
+++ b/xCAT-client/share/xcat/rvid/rvid.blade
@@ -15,6 +15,8 @@ if [ $fwpref == 'BPET' ]; then
 if [ $fwmaj -ge 46 ]; then
 java -jar /tmp/xcat/$rvid_server.remotekvm.jar -s $rvid_server -r $rvid_authtoken -b $rvid_slot >& /dev/null
 elif [ $fwmaj -ge 42 ]; then
+ echo "Unable to securely support $rvid_fwrev in an adequately secure manner, please upgrade to BPET46C or better"
+ exit 1
 java -jar /tmp/xcat/$rvid_server.remotekvm.jar $rvid_server -rbs $rvid_authtoken -ba $rvid_ba -port $rvid_port >& /dev/null
 else
 echo "Unknown method for firmware $rvid_fwrev, ensure it is at least BPET42R";
diff --git a/xCAT-server/lib/xcat/plugins/blade.pm b/xCAT-server/lib/xcat/plugins/blade.pm
index 8d4f3a7fe..a6b875e27 100644
--- a/xCAT-server/lib/xcat/plugins/blade.pm
+++ b/xCAT-server/lib/xcat/plugins/blade.pm
@@ -1806,8 +1806,8 @@ sub get_kvm_params {
 $destip=$2;
 } elsif ($1 eq 'rbs') {
 $rbs = $2;
- } elsif ($1 eq 'ba') {
- $ba=$2; #NOTE: This is the username and password. The client seems to required it for this version of firmware.
+ #} elsif ($1 eq 'ba') {
+ # $ba=$2; #NOTE: This is the username and password. The client seems to required it for this version of firmware, not exporting for SECURITY
 } elsif ($1 eq 'cdl') {
 $fwrev=$2;
 } elsif ($1 eq 'port') {
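Review bot: The legacy `java -jar ... -ba $rvid_ba -port $rvid_port` invocation is left in place directly after the added `exit 1`, so it is unreachable but still reads as a supported path that puts the AMM credentials on a command line. I would delete that line in the same change, so that removing the two added lines cannot silently bring it back. The refusal message should go to stderr and can be tightened, e.g. `echo "Cannot support $rvid_fwrev securely, please upgrade to BPET46C or newer" >&2`. The `else` branch's "ensure it is at least BPET42R" text now contradicts the BPET46C minimum. The enclosing `if [ $fwpref == 'BPET' ]` block starts and ends outside the hunk.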
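Review bot: The `ba` branch is commented out rather than removed here, and the same is done to the `if ($ba)` block in the `dompa` hunk. Commented-out code that handles credentials is easy to re-enable without review, and version control already keeps the history. I would delete both and leave a single comment in their place, `# 'ba' carries the AMM username and password; it is deliberately not parsed or sent to the client`. The declaration of `$ba` and any place it is returned are outside the hunk, so presumably the variable is now never assigned and could be dropped as well. The body of get_kvm_params continues outside the hunk.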
@@ -2677,9 +2677,9 @@ sub dompa {
 if ($port) {
 push(@output,"port:$port");
 }
- if ($ba) {
- push(@output,"ba:$ba");
- }
+ #if ($ba) { #SECURITY: This exposes AMM credentials, use at own risk
+ # push(@output,"ba:$ba");
+ #}
 my %outh;
 $outh{node}->[0]->{name}=[$node];
 $outh{node}->[0]->{data}=[];
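Review bot: Nothing near the `push(@output, ...)` lines records that firmware which needs `ba` can no longer start a session; with this block disabled, the only place that tells the operator is the client-side rvid.blade script. A comment such as `# BPET firmware older than 46 needs 'ba' and is rejected by the rvid client; see rvid.blade` would document that. If `$fwrev` is available in dompa (it is parsed from `cdl` in get_kvm_params, but its use here is outside the hunk), rejecting such firmware on the server would make the refusal independent of the client script. The body of dompa starts and ends outside the hunk.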