285 lines
8.5 KiB
HTML
285 lines
8.5 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
|
|
<html>
|
|
<head>
|
|
<title>
|
|
Security on the Origin2000 MMSC
|
|
</title>
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<h1>
|
|
Security on the Origin2000 Multi-Module System Controller
|
|
</h1>
|
|
|
|
<p>
|
|
The Origin2000 Multi-Module System Controller (MMSC) provides
|
|
the main system control and console interface on an
|
|
Origin2000 system composed of two or more modules.
|
|
|
|
Consequently, it is not unreasonable to expect that the MMSC
|
|
should provide at least a small measure of protection against
|
|
unauthorized access.
|
|
|
|
This page documents the security features that are present in
|
|
the MMSC, as well as potential security holes.
|
|
</p>
|
|
|
|
<h3>
|
|
Architectural overview
|
|
</h3>
|
|
|
|
<p>
|
|
First, a brief overview of the way system controllers are set
|
|
up on multi-module Origin2000 systems.
|
|
</p>
|
|
|
|
<img src="mmsc-overview.gif">
|
|
|
|
<p>
|
|
A single module always has a Module System Controller
|
|
(MSC) which is used for the normal system controller
|
|
functions like reset, power, NMI, etc.
|
|
|
|
Each MSC has a physical keyswitch which enables
|
|
"dangerous" commands such as power down or reset.
|
|
|
|
If the keyswitch is in the "disable dangerous
|
|
commands" position, one can still issue dangerous
|
|
commands over a console connection by providing a password.
|
|
|
|
Every MSC has a password; by default, it is
|
|
"<tt>none</tt>".
|
|
</p>
|
|
|
|
<p>
|
|
If a system has two or more modules, then each rack of two
|
|
modules will have a Multi-Module System Controller (MMSC)
|
|
attached to the two MSCs.
|
|
|
|
In a system with two or more racks, each rack will have its
|
|
own MMSC and the MMSC's will all be linked together over a
|
|
<i>private</i> network.
|
|
|
|
Exactly one MMSC in the entire complex will have an LCD
|
|
display with six buttons.
|
|
|
|
A user can issue commands to the MMSC(s) either from the
|
|
display or from a terminal attached to one of the MMSCs.
|
|
</p>
|
|
|
|
<p>
|
|
The purpose of the MMSC is to provide a single point of
|
|
control for a multi-module system.
|
|
|
|
Thus, rather than having to issue (for example) a "power
|
|
on" command to each MSC, one can issue it once to the
|
|
MMSC and the MMSC will send the command to each of the MSCs.
|
|
|
|
To a user, the MMSC is equivalent to the "sysctlr"
|
|
port on Challenge systems.
|
|
|
|
However, an MMSC's only point of attachment to the rest of the
|
|
system is through the MSC's - it cannot do anything to a
|
|
particular module that the module's MSC can't do.
|
|
</p>
|
|
|
|
<h3>
|
|
MMSC Authority Levels
|
|
</h3>
|
|
|
|
<p>
|
|
Like the MSC, the MMSC restricts access to certain commands
|
|
that could potentially disrupt the system.
|
|
|
|
The available commands are determined by the
|
|
<i>authority level</i> of the user.
|
|
|
|
Each authority level other than <i>basic</i> may have a
|
|
password associated with it.
|
|
</p>
|
|
|
|
<p>
|
|
In the <i>basic</i> authority level, the user is allowed to
|
|
display information and manipulate the console characteristics
|
|
(for example, change certain control character settings), but
|
|
commands that affect actual system operation will not be
|
|
allowed.
|
|
|
|
When a user with <i>basic</i> authority issues commands
|
|
to an MSC, each command will be preceded by the MSC command
|
|
"<tt>pas</tt>", which will revoke any
|
|
supervisor/diagnostic mode password that the MSC may have.
|
|
</p>
|
|
|
|
<p>
|
|
In the <i>supervisor</i> authority level, commands that affect
|
|
the system itself (for example, reset or power commands) are
|
|
permitted.
|
|
|
|
When a user with <i>supervisor</i> authority issues commands
|
|
to an MSC, each command will be preceded by the MSC command
|
|
"<tt>pas</tt> <i>pw</i>", where <i>pw</i> is the
|
|
MSC password.
|
|
|
|
This will allow the user to issue restricted MSC commands even
|
|
if the MSC's keyswitch is not currently in the diagnostic
|
|
position.
|
|
|
|
These commands will be followed by the MSC command
|
|
"<tt>pas</tt>" to revoke the password.
|
|
</p>
|
|
|
|
<p>
|
|
In the <i>service</i> authority level, commands that affect
|
|
the operation of the MMSC itself are permitted.
|
|
|
|
This would include commands to reconfigure the MMSC serial
|
|
ports, and to change the various passwords.
|
|
|
|
The <i>service</i> authority level is a superset of the
|
|
<i>supervisor</i> authority level.
|
|
</p>
|
|
|
|
<p>
|
|
There are separate authority levels associated with the main
|
|
terminal, the alternate console, and the MMSC display.
|
|
|
|
Thus, the display may be authorized to reset the system while
|
|
the main terminal is not, for example.
|
|
|
|
The <a href="commands.html#AUTHORITY"><b>authority</b></a>
|
|
command can be used to change the current authority level
|
|
associated with a user on a console.
|
|
|
|
The display's authority level is changed with the
|
|
"Configure|Authority" menu item.
|
|
|
|
Each user's current authority level is retained in NVRAM and
|
|
is restored after the MMSC has been reset.
|
|
|
|
The default authority level for each user is <i>service</i>.
|
|
</p>
|
|
|
|
<p>
|
|
There is one password associated with each authority level
|
|
(other than <i>basic</i>) on each MMSC.
|
|
|
|
To change to a higher authority level on a console, it is
|
|
necessary to specify the appropriate password along with the
|
|
<b>authority</b> command.
|
|
|
|
No password is required to switch to a lower authority level.
|
|
|
|
The <a href="commands.html#PASSWORD"><b>password</b></a>
|
|
command can be used to change the current password associated
|
|
with an authority level.
|
|
</p>
|
|
|
|
<p>
|
|
Notice that no password is required to change authority levels
|
|
on the display at this time.
|
|
|
|
Because someone who has access to the display also has access
|
|
to the cables and circuit breakers, this was considered to be
|
|
a relatively low-grade risk.
|
|
|
|
However, the ability to require a password for changing the
|
|
display's authority level is still planned for a future
|
|
release of the MMSC firmware.
|
|
</p>
|
|
|
|
<p>
|
|
The current authority level is valid on all MMSC's in a
|
|
system, even if the other MMSC's have different passwords for
|
|
that authority level.
|
|
|
|
Therefore, unless the terminal, alternate console and display
|
|
are physically separate and secure, and attached to different
|
|
MMSC's, there is little advantage in using different passwords
|
|
for the same authority level on different MMSC's.
|
|
</p>
|
|
|
|
|
|
<h3>
|
|
Clearing the MMSC Passwords
|
|
</h3>
|
|
|
|
<p>
|
|
An MMSC's passwords, as well as its internal copies of the MSC
|
|
passwords, are stored in NVRAM on the MMSC itself.
|
|
|
|
If the system adminstrator puts the system into a low
|
|
authority level and then subsequently forgets the appropriate
|
|
passwords, the system could effectively be rendered unusable.
|
|
|
|
Therefore, the MMSC has a procedure for clearing out its
|
|
NVRAM in order to recover from such emergencies.
|
|
</p>
|
|
|
|
<p>
|
|
Unless the system administrator is very agile, the procedure
|
|
requires two people.
|
|
|
|
One person must go to the back of the rack containing the MMSC
|
|
with the display and cut the power to the MMSC (most
|
|
conveniently by unplugging it from its power supply -- it is
|
|
<i>not</i> necessary to cut power to the entire rack).
|
|
|
|
The second person stands at the MMSC display and holds down
|
|
the LEFT and RIGHT buttons.
|
|
|
|
The first person then restores power to the MMSC.
|
|
|
|
Once the MMSC has booted far enough to be able to read the
|
|
display buttons, it will clear the contents of its NVRAM and
|
|
print an appropriate message on its display.
|
|
|
|
The MMSC then resumes booting in the normal fashion.
|
|
</p>
|
|
|
|
<p>
|
|
Once the MMSC has finished booting, the passwords will have
|
|
been cleared, and the system administrator can set them to new
|
|
values.
|
|
|
|
If necessary, the passwords on the other MMSC can be set as
|
|
well.
|
|
|
|
It will also be necessary to restore any other settings that
|
|
may have been stored in NVRAM, such as serial port speeds,
|
|
rack IDs, and the various MSC passwords.
|
|
</p>
|
|
|
|
<p>
|
|
Note that clearing an MMSC's NVRAM also clears its copies of
|
|
the MSC passwords, thus making it incapable of issuing
|
|
destructive commands to the MSC (assuming the MSC has a
|
|
non-default password in the first place).
|
|
|
|
On a carefully secured system (i.e. one on which non-default
|
|
passwords have been set everywhere), this will render the MMSC
|
|
effectively useless: a user would be able to reconfigure the
|
|
MMSC, but would not be able to do issue destructive commands
|
|
to the actual modules.
|
|
|
|
Thus, the ability to clear an MMSC's passwords should not
|
|
constitute an especially severe security risk.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<address>
|
|
<a href="mailto:rdb@uniscan.engr.sgi.com">
|
|
Rob Bradshaw
|
|
</a>
|
|
</address>
|
|
|
|
<!-- Created: Wed Dec 4 16:30:46 PST 1996 -->
|
|
<!-- hhmts start -->
|
|
Last modified: Wed Dec 4 20:10:46 PST
|
|
<!-- hhmts end -->
|
|
</body>
|
|
|
|
</html>
|