I have some SuperMicro servers which I use MAAS to provision.
I'm intrigued that upon PXE-booting them, they auto-magically gain a 'maas' user in their local BMC users DB, with a random password which is clearly set by the MAAS server, as it's then able to control the servers over IPMI.
This happens despite having modified the factory default 'admin' credentials on the BMCs. It's very convenient but leaves me wondering how MAAS achieves this? Some kind of in-band interface between the main server and the BMC?
So my questions are:
- Is this safe/expected behaviour or does it suggest the servers haven't been properly secured?
- Is there a way to influence the role of the user MAAS creates on the BMC? At present it's created with 'Administrator' role; I'd rather have something less privileged, such as 'Operator', which would still allow power operations that MAAS requires.
Related question: How do you add a machine to MAAS with IPMI power using CLI
Note that I did not use the CLI mentioned on that question; all I did was PXE-boot my servers on a network enrolled in MAAS DHCP.
MAAS 2.3 (2.0-2.2 had same behaviour)
With e.g. ipmitool it is possible to directly access the IPMI controller using the /dev/ipmi0 device (or similar). Since this can be done only as root and locally, it does not require an IPMI user name and password. Presumably this is what MAAS does on deployment of a new machine.
As to how to define how MAAS creates an account for its own management needs I cannot answer, but it should be possible to change later using this command:
In any case: In general it is advised to set the default IPMI password to something sane and in addition have the LAN port of IPMI devices in a separate VLAN or physical network.
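An added example, not part of the answer above and not MAAS code: a way to audit, from the server itself, which BMC accounts hold the Administrator privilege, and to print (not run) the ipmitool command that lowers a named account to Operator. It assumes channel 1 is the BMC's LAN channel, which varies by board; the user list embedded in it is a constructed sample, and the function names are made up for this example.

```shell
#!/bin/sh
# Audit BMC accounts in-band (as root, via the local /dev/ipmi0 interface,
# so no BMC user name or password is involved).
# Real use on the server itself:  ipmitool user list 1 | list_admins

# Constructed sample of `ipmitool user list 1` output (not from a real BMC).
SAMPLE_USER_LIST='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    true       true       ADMINISTRATOR
3   maas             true    true       true       ADMINISTRATOR
4   monitor          true    true       true       USER'

# list_admins: read a user list on stdin and print "<id> <name>" for every
# account whose channel privilege limit is ADMINISTRATOR.
list_admins() {
    awk 'NR > 1 && $NF == "ADMINISTRATOR" {
        # Unnamed slots have no Name column: ID + 3 flags + privilege = 5 fields.
        name = (NF >= 6) ? $2 : "(unnamed)"
        print $1, name
    }'
}

# plan_demotion NAME [CHANNEL]: read a user list on stdin and print, without
# running it, the ipmitool command that sets NAME's privilege limit to
# OPERATOR (IPMI privilege level 3) on CHANNEL (assumed default: 1).
plan_demotion() {
    want=$1
    channel=${2:-1}
    list_admins | while read -r id name; do
        if [ "$name" = "$want" ]; then
            printf 'ipmitool user priv %s 3 %s\n' "$id" "$channel"
        fi
    done
}
```

Run `ipmitool user list 1 | plan_demotion maas` as root to see the command for a live BMC, and check afterwards that the provisioning system's power operations still work with the lower role.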