ipmi jumphost - user docs

Intro

Access to your IPMI BMC is via riseup’s ipmi jumphost. Your BMC is physically wired to a port on a switch on a specific VLAN, and the jumphost is also a member of that VLAN. The jumphost and BMC can communicate, but the BMC can’t talk to anything else (including the internet). This prevents anyone else from accessing it and, in the event it becomes malicious, prevents it from accessing anything else. The details of how this is implemented are here.

You access your device via ssh that is restricted to only certain actions on the jumphost side. riseup set up the ssh keys you provided to be able to do this. If you need to change/add/delete keys, let us know.

WARNING: BMC devices can sometimes crash. It is a good idea to connect to it before rebooting your server. If it has crashed there is a way to reset it from the host (details below), but that only works if the host is booted.

WARNING: For many of these methods, you are inherently trusting riseup and our infrastructure, because cleartext, including login credentials, is passing through our server. It is possible that riseup, an attacker that compromised our system, law enforcement that forced riseup to grant access, etc. could listen in on these methods. The only exceptions are methods that use end-to-end encryption. In each section below we list the implications of each method.

Access

There are a few ways to access the ipmi. All are via ssh to magpie.riseup.net port 4422; ask taggart or micah for the current host key fingerprint.

Use ipmi tools via ssh

When you ssh to the server you are restricted to a couple of commands. These use “ADMIN” as the username and prompt for the password.
Here are some shell aliases you can use to make this easier.
(change ‘foo’ to the name of your ipmi that riseup gave you)

alias ipmipower='ssh -p 4422 -t foo@magpie.riseup.net power'
alias ipmiconsole='ssh -p 4422 -t foo@magpie.riseup.net console'

NOTE: when you use the above two commands, you will authenticate via ssh using your ssh key, and then you will be prompted for a “Password:” – this password is the ADMIN password of the device, not the password for your ssh connection.
WARNING: These methods trust riseup, see warning at the top.

Here are some handy aliases to set up tunnels

You can also use ssh tunnels to certain ports on the device. Here are some shell aliases to make this easier.
(change ‘foo’ to the name of your ipmi that riseup gave you)

alias ipmihttp='echo "ipmi web at http://localhost:8080  Hit ctrl-c when done";ssh -p 4422 -L 8080:foo-ipmi:80 -N -T foo@magpie.riseup.net'
alias ipmihttps='echo "ipmi web at https://localhost:8443  Hit ctrl-c when done";ssh -p 4422 -L 8443:foo-ipmi:443 -N -T foo@magpie.riseup.net'
alias ipmivnc='echo "ipmi vnc at vnc://localhost:5900  Hit ctrl-c when done";ssh -p 4422 -L 5900:foo-ipmi:5900 -N -T foo@magpie.riseup.net'
alias ipmissh='echo "ipmi ssh at localhost:2222  Hit ctrl-c when done";ssh -p 4422 -L 2222:foo-ipmi:22 -N -T foo@magpie.riseup.net'
alias ipmiusb='echo "ipmi usb at localhost:2623  Hit ctrl-c when done";ssh -p 4422 -L 2623:foo-ipmi:623 -N -T foo@magpie.riseup.net'

NOTE: The methods that use https and ssh to the BMC are end-to-end encrypted and (assuming you set up/verified keys/certs) are hidden from riseup.
WARNING: http and vnc are unencrypted and you are trusting riseup, see the warning at the top.
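The five tunnel aliases above, folded into one wrapper as an added example (not part of riseup’s docs): it builds the same ssh command line for a named service, refuses the cleartext services (http, vnc, usb) unless you explicitly accept that the jumphost can read the session, and checks that the jumphost key is already pinned in known_hosts before connecting. It assumes the doc’s ‘foo’ / ‘foo-ipmi’ naming and the same local ports as the aliases.

```shell
#!/bin/sh
# Added example wrapper, not riseup's own code. Assumes the jumphost login is
# "foo" and the BMC hostname is "foo-ipmi", as in the aliases above.
JUMPHOST=magpie.riseup.net
JUMPPORT=4422

# service -> "localport remoteport e2e" (e2e: 1 = end-to-end encrypted,
# 0 = cleartext visible to the jumphost, per the NOTE/WARNING above)
ipmi_service_spec() {
    case "$1" in
        http)  echo "8080 80 0" ;;
        https) echo "8443 443 1" ;;
        vnc)   echo "5900 5900 0" ;;
        ssh)   echo "2222 22 1" ;;
        usb)   echo "2623 623 0" ;;  # ssh -L forwards TCP only; IPMI-over-LAN (UDP 623) will not pass
        *)     return 1 ;;
    esac
}

# Print the ssh command for <ipmi name> <service> without running it.
ipmi_tunnel_cmd() {
    name=$1; svc=$2
    spec=$(ipmi_service_spec "$svc") || return 1
    set -- $spec
    echo "ssh -p $JUMPPORT -L $1:${name}-ipmi:$2 -N -T ${name}@${JUMPHOST}"
}

# Exit 0 when the service is hidden from the jumphost (end-to-end encrypted).
ipmi_service_is_e2e() {
    spec=$(ipmi_service_spec "$1") || return 1
    set -- $spec
    [ "$3" = 1 ]
}

# Open the tunnel: ipmi_tunnel [--allow-cleartext] <ipmi name> <service>
ipmi_tunnel() {
    allow=0
    if [ "$1" = --allow-cleartext ]; then allow=1; shift; fi
    name=$1; svc=$2
    cmd=$(ipmi_tunnel_cmd "$name" "$svc") || { echo "unknown service: $svc" >&2; return 2; }
    if ! ipmi_service_is_e2e "$svc" && [ "$allow" -ne 1 ]; then
        echo "$svc is cleartext through the jumphost; rerun with --allow-cleartext" >&2
        return 3
    fi
    # Refuse to connect until the jumphost key is pinned in known_hosts
    # (verify its fingerprint against the one riseup gave you first).
    ssh-keygen -F "[$JUMPHOST]:$JUMPPORT" >/dev/null || { echo "jumphost key not in known_hosts" >&2; return 4; }
    echo "ipmi $svc at localhost:$(ipmi_service_spec "$svc" | cut -d' ' -f1)  Hit ctrl-c when done"
    $cmd
}
```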

Other useful things

  • If you need to change ADMIN’s password on the device, use the tunnels to access the web interface and change it there.
  • If you need to upgrade the BMC firmware, use the web tunnels to access the web interface and update.
  • You can do some things from the server side, including reset the BMC if it’s crashed. Details.
  • Here is riseup’s general IPMI documentation page
  • You might be able to run the ipmi tools locally and have them communicate via a tunnel to the BMC. You might even be able to have those tools use end-to-end encryption so the traffic couldn’t be seen by riseup’s server. More research is needed here.