This document describes setting up an “IPMI jumphost” using a server with an extra network port and a switch with VLAN capabilities in order to create a dedicated and isolated network for each IPMI device (BMC = Baseboard Management Controller). IPMI devices are accessed only via ssh tunnels or a few dedicated commands forced by sshd; no general access to the BMC networks is allowed.

Physical connections

WARNING: most servers with IPMI have a “feature” where they automatically bridge one of the host network ports to the BMC, usually the eth0 host port (often called “shared” or “failover” NIC mode in the BMC settings). They do this so you only have to plug one cable into the switch, but it can result in putting the horribly insecure BMC on an accessible network where it can be hacked. Always use the server's eth1 for the public network, use a dedicated cable in the BMC network port (even if it's going to the same switch as eth0), and if possible disable the BMC/eth0 bridging in the IPMI interface (not always possible with proprietary IPMI firmware). After cabling, confirm from the public network that the BMC address does not answer.

Switch configuration

On the switch we create a separate VLAN for each IPMI device. Each BMC port is an untagged (access) port in its own VLAN, and the jumphost's extra port is a tagged (trunk) port carrying all of the IPMI VLANs, so the BMCs can only ever reach the jumphost, not each other.

There is some good info about VLANs in this HP switch manual PDF.

Jump host networking configuration

In /etc/network/interfaces add a VLAN device for each IPMI network. The interface name is the raw device followed by the VLAN ID, so eth3.4 is VLAN 4 on eth3:

auto eth3.4
iface eth3.4 inet static
  address 192.168.239.1
  netmask 255.255.255.0
  # older releases will need the 'vlan' package installed and:
  #vlan-raw-device eth3

Jump host software configuration

Create a wrapper script

#!/bin/sh
# riseup ssh wrapper script
#
# Run by sshd as the forced command from authorized_keys. sshd puts the
# command the client asked for in $SSH_ORIGINAL_COMMAND (empty for a plain
# interactive login, which therefore falls through to the error below).
# Each user's BMC is reached by its /etc/hosts name <user>-ipmi, and -P
# makes the freeipmi tool prompt for the BMC password so nothing is stored
# on the jumphost.

USER=`whoami`

case "$SSH_ORIGINAL_COMMAND" in
  "power")
    exec /usr/sbin/ipmi-power -h "${USER}-ipmi" -u ADMIN -P
    ;;
  "console")
    exec /usr/sbin/ipmi-console -h "${USER}-ipmi" -u ADMIN -P
    ;;
  *)
    echo "Sorry. Only these commands are available to you: power, console"
    exit 1
    ;;
esac

For each user:
1) Create a user (we use ‘foo’ for example in the remaining steps)

2) In /etc/hosts create an entry named ${USER}-ipmi that points to the BMC address on that user's IPMI VLAN (address first, then the name). For example

192.168.123.2  foo-ipmi

3) setup an authorized_keys file similar to this

command="/usr/local/bin/ipmi-wrapper",no-agent-forwarding,no-X11-forwarding,permitopen="foo-ipmi:22",permitopen="foo-ipmi:80",permitopen="foo-ipmi:443",permitopen="foo-ipmi:5900" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAAAAAAAAAyd7vhhZgbAMK2aJ4XAAAAAA+5i3d4gD9j foo@bar

This restricts the user to only running the wrapper command and to setting up tunnels to that user's own IPMI interface. Note that permitopen is matched against the host name the client asks to forward to, not a resolved address, so the client must request foo-ipmi (as in the aliases below), not the IP.

4) In sshd_config, enable port forwarding for the user. Match blocks must come after the global settings. permitopen only limits local (-L) forwards; if your OpenSSH is new enough to accept it, “AllowTcpForwarding local” also prevents the user from opening remote (-R) forwards on the jumphost.

Match User foo
  AllowTcpForwarding yes
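Steps 1 to 4 above, done in one script, as an added example that is not part of the original page or of riseup's own tooling. It assumes the wrapper is installed at /usr/local/bin/ipmi-wrapper (as shown above), that the four BMC ports are the ones listed in the authorized_keys line above, and that the paths in SSHD_CONFIG, HOSTS_FILE and HOME_BASE match your system (all three can be overridden from the environment). The helper that builds the authorized_keys line is kept separate so it can be checked without touching the system.

```shell
#!/bin/sh
# Added example: provision one IPMI jumphost user (steps 1-4 above).
# Assumed paths; override via the environment if your layout differs.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
HOME_BASE="${HOME_BASE:-/home}"
WRAPPER="/usr/local/bin/ipmi-wrapper"   # the wrapper script from this page
BMC_PORTS="22 80 443 5900"              # ssh, http, https, vnc on the BMC

# Accept only plain lower-case user names, so a bad argument cannot smuggle
# spaces, quotes or newlines into authorized_keys or sshd_config.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{0,30}$'
}

# Build the authorized_keys line: forced command, no agent/X11 forwarding,
# and one permitopen= per BMC port, all pointing at <user>-ipmi only.
authorized_key_line() {
    user="$1"; pubkey="$2"
    opts="command=\"$WRAPPER\",no-agent-forwarding,no-X11-forwarding"
    for port in $BMC_PORTS; do
        opts="$opts,permitopen=\"${user}-ipmi:${port}\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# The /etc/hosts entry: address first, then the per-user BMC name.
hosts_entry() {
    printf '%s\t%s-ipmi\n' "$2" "$1"
}

# Run as root: add_ipmi_user <user> <bmc-ip> "<ssh public key>"
add_ipmi_user() {
    user="$1"; bmc_ip="$2"; pubkey="$3"
    valid_user "$user" || { echo "bad user name: $user" >&2; return 1; }

    # 1) create the user; a real shell is needed so sshd can run the wrapper
    useradd -m -s /bin/sh "$user"

    # 2) name the BMC after the user
    hosts_entry "$user" "$bmc_ip" >> "$HOSTS_FILE"

    # 3) restricted authorized_keys, owned by the user and not group/world readable
    d="$HOME_BASE/$user/.ssh"
    mkdir -p "$d"
    authorized_key_line "$user" "$pubkey" > "$d/authorized_keys"
    chmod 700 "$d"; chmod 600 "$d/authorized_keys"
    chown -R "$user:" "$d"

    # 4) allow forwarding for this user only; Match blocks go at the end of the file
    printf '\nMatch User %s\n  AllowTcpForwarding yes\n' "$user" >> "$SSHD_CONFIG"

    # refuse to reload on a broken config rather than locking everyone out
    sshd -t && service ssh reload
}
```

Before running it on a live jumphost, check the generated line with something like `authorized_key_line foo "$(cat foo.pub)"` and compare it against the example authorized_keys line above; the only things that should differ are the user name and the key.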

Client configuration

There are a few ways to access the IPMI interface from the client side. In the examples below the user is as250, the jumphost is magpie.riseup.net listening on port 4422, and the BMC is therefore reached as as250-ipmi.

Use ipmi tools via ssh

alias ipmipower='ssh -p 4422 -t as250@magpie.riseup.net power'
alias ipmiconsole='ssh -p 4422 -t as250@magpie.riseup.net console'

Here are some handy aliases to set up tunnels. The forward target must be the ${USER}-ipmi name (not the IP), because that is what the permitopen options on the jumphost match against.

alias ipmihttp='echo "ipmi web at http://localhost:8080  Hit ctrl-c when done";ssh -p 4422 -L 8080:as250-ipmi:80 -N -T as250@magpie.riseup.net'
alias ipmihttps='echo "ipmi web at https://localhost:8443  Hit ctrl-c when done";ssh -p 4422 -L 8443:as250-ipmi:443 -N -T as250@magpie.riseup.net'
alias ipmivnc='echo "ipmi vnc at vnc://localhost:5900  Hit ctrl-c when done";ssh -p 4422 -L 5900:as250-ipmi:5900 -N -T as250@magpie.riseup.net'
alias ipmissh='echo "ipmi ssh at localhost:2222  Hit ctrl-c when done";ssh -p 4422 -L 2222:as250-ipmi:22 -N -T as250@magpie.riseup.net'