authorDmitry Bazhenov <dima_b@pigeonpoint.com>2015-08-04 13:02:03 +0500
committerZdenek Styblik <stybla@turnovfree.net>2015-08-06 07:28:54 +0200
commit89e9e6344364ca4316e03feec40a77f2a1c77582 (patch)
tree7471981e160857fff4f992853116c2a711afe9d1
parent30becb3588ed4c94c70e347bb4412ea68acf7bee (diff)
downloadipmitool-89e9e6344364ca4316e03feec40a77f2a1c77582.tar.gz
ID:376 - Add means to configure "Bad Password Threshold"
Add support for setting and printing of the "Bad Password Threshold" LAN configuration parameter.
-rw-r--r--doc/ipmitool.121
-rw-r--r--include/ipmitool/ipmi_lanp.h3
-rw-r--r--lib/ipmi_lanp.c89
3 files changed, 111 insertions, 2 deletions
diff --git a/doc/ipmitool.1 b/doc/ipmitool.1
index 2c20821..0d8adcc 100644
--- a/doc/ipmitool.1
+++ b/doc/ipmitool.1
@@ -1921,6 +1921,27 @@ ADMIN, issue the following command:
> ipmitool \-I \fIinterface\fR lan set \fIchannel\fR cipher_privs uaXXXXXXXXXXXXX
+.TP
+
+\fIbad_pass_thresh\fP <\fBthresh_num\fR> <\fB1|0\fR> <\fBreset_interval\fR> <\fBlockout_interval\fR>
+.br
+
+Sets the Bad Password Threshold.
+
+<\fBthresh_num\fR> If non-zero, this value determines the number of sequential bad passwords
+that will be allowed to be entered for the identified user before the user is automatically
+disabled from access on the channel.
+
+<\fB1|0\fR> 1 = generate a Session Audit sensor "Invalid password disable" event message.
+0 = do not generate an event message when the user is disabled.
+
+<\fBreset_interval\fR> Attempt Count Reset Interval. The interval, in tens of seconds, for
+which the accumulated count of bad password attempts is retained before being automatically
+reset to zero.
+
+<\fBlockout_interval\fR> User Lockout Interval. The interval, in tens of seconds, that the user
+will remain disabled after being disabled because the Bad Password Threshold number was reached.
+
.RE
.TP
\fIalert\fP \fIprint\fP [<\fBchannel\fR>] [<\fBalert destination\fR>]
diff --git a/include/ipmitool/ipmi_lanp.h b/include/ipmitool/ipmi_lanp.h
index 1aaae5e..db604eb 100644
--- a/include/ipmitool/ipmi_lanp.h
+++ b/include/ipmitool/ipmi_lanp.h
@@ -76,6 +76,8 @@ enum {
IPMI_LANP_RMCP_CIPHER_SUPPORT,
IPMI_LANP_RMCP_CIPHERS,
IPMI_LANP_RMCP_PRIV_LEVELS,
+ IPMI_LANP_VLAN_TAGS,
+ IPMI_LANP_BAD_PASS_THRESH,
IPMI_LANP_OEM_ALERT_STRING=96,
IPMI_LANP_ALERT_RETRY=97,
IPMI_LANP_UTC_OFFSET=98,
@@ -117,6 +119,7 @@ static struct lan_param {
{ IPMI_LANP_RMCP_CIPHER_SUPPORT,1, "RMCP+ Cipher Suite Count" },
{ IPMI_LANP_RMCP_CIPHERS, 16, "RMCP+ Cipher Suites" },
{ IPMI_LANP_RMCP_PRIV_LEVELS, 9, "Cipher Suite Priv Max" },
+ { IPMI_LANP_BAD_PASS_THRESH, 6, "Bad Password Threshold", NULL, 0 },
{ IPMI_LANP_OEM_ALERT_STRING, 28, "OEM Alert String" }, /* 25 */
{ IPMI_LANP_ALERT_RETRY, 1, "Alert Retry Algorithm" },
{ IPMI_LANP_UTC_OFFSET, 3, "UTC Offset" },
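Review bot: `IPMI_LANP_VLAN_TAGS` is added to the enum in the previous hunk but gets no row in this table, so the new `IPMI_LANP_BAD_PASS_THRESH` row sits one slot below its enum value, and the trailing `/* 25 */` on the OEM Alert String row is now stale. If any code indexes the table by parameter number rather than searching on the first field, it would pick up the wrong row; that lookup is not visible here, so please confirm. The new row also spells out `NULL, 0` while its neighbours rely on zero-initialisation; `{ IPMI_LANP_BAD_PASS_THRESH, 6, "Bad Password Threshold" },` would keep the table uniform.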
diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
index 0c4135f..bb619eb 100644
--- a/lib/ipmi_lanp.c
+++ b/lib/ipmi_lanp.c
@@ -577,7 +577,6 @@ static int
ipmi_lan_print(struct ipmi_intf * intf, uint8_t chan)
{
struct lan_param * p;
- int rc = 0;
if (chan < 1 || chan > IPMI_CHANNEL_NUMBER_MAX) {
lprintf(LOG_ERR, "Invalid Channel %d", chan);
@@ -842,7 +841,25 @@ ipmi_lan_print(struct ipmi_intf * intf, uint8_t chan)
else
printf("%-24s: Not Available\n", p->desc);
- return rc;
+ /* Bad Password Threshold */
+ p = get_lan_param(intf, chan, IPMI_LANP_BAD_PASS_THRESH);
+ if (p == NULL)
+ return -1;
+ if ((p->data != NULL) && (p->data_len == 6)) {
+ int tmp;
+
+ printf("%-24s: %d\n", p->desc, p->data[1]);
+ printf("%-24s: %s\n", "Invalid password disable",
+ p->data[0] & 1 ? "yes" : "no" );
+ tmp = p->data[2] + (p->data[3] << 8);
+ printf("%-24s: %d\n", "Attempt Count Reset Int.", tmp * 10);
+ tmp = p->data[4] + (p->data[5] << 8);
+ printf("%-24s: %d\n", "User Lockout Interval", tmp * 10);
+ } else {
+ printf("%-24s: Not Available\n", p->desc);
+ }
+
+ return 0;
}
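Review bot: The two intervals are printed in seconds (`tmp * 10`) with no unit in the label, while `lan set ... bad_pass_thresh` takes the same fields in tens of seconds, so a value copied from this output back into the set command ends up ten times too large. Putting the unit in the output, e.g. `printf("%-24s: %d sec\n", "User Lockout Interval", tmp * 10);`, would remove the ambiguity. A raw value of 0 is also printed as a plain number; the man page text in this commit says the threshold only applies when non-zero, so printing that case as disabled would help anyone auditing the lockout policy from this output. The body of ipmi_lan_print starts outside this hunk.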
/* Configure Authentication Types */
@@ -1273,6 +1290,55 @@ ipmi_lan_set_vlan_priority(struct ipmi_intf *intf, uint8_t chan, char *string)
return rc;
}
+static void
+print_lan_set_bad_pass_thresh_usage(void)
+{
+ lprintf(LOG_NOTICE,
+"lan set <chanel> bad_pass_thresh <thresh_num> <1|0> <reset_interval> <lockout_interval>\n"
+" <thresh_num> Bad Pasword Threshold number.\n"
+" <1|0> 1 = generate a Session Audit sensor event.\n"
+" 0 = do not generate an event.\n"
+" <reset_interval> Attempt Count Reset Interval. In tens of seconds.\n"
+" <lockount_interval> User Lockout Interval. In tens of seconds.");
+}
+
+/* get_cmdline_bad_pass_thresh - parse-out bad password threshold from given
+ * string and store it into buffer.
+ *
+ * @arg: string to be parsed.
+ * @buf: buffer of 6 to hold parsed Bad Password Threshold.
+ *
+ * returns zero on success, (-1) on error.
+ */
+static int
+get_cmdline_bad_pass_thresh(char *argv[], uint8_t *buf)
+{
+ uint16_t reset, lockout;
+
+ if (str2uchar(argv[0], &buf[1])) {
+ return -1;
+ }
+
+ if (str2uchar(argv[1], &buf[0]) || buf[0] > 1) {
+ return -1;
+ }
+
+ if (str2ushort(argv[2], &reset)) {
+ return -1;
+ }
+
+ if (str2ushort(argv[3], &lockout)) {
+ return -1;
+ }
+
+ /* store parsed data */
+ buf[2] = reset & 0xFF;
+ buf[3] = reset >> 8;
+ buf[4] = lockout & 0xFF;
+ buf[5] = lockout >> 8;
+ return 0;
+}
+
static int
ipmi_lan_set(struct ipmi_intf * intf, int argc, char ** argv)
{
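Review bot: get_cmdline_bad_pass_thresh() reads `argv[0]` through `argv[3]` unconditionally, yet its header comment still describes a single `@arg` string, so the requirement that the caller has already verified four arguments and passes a 6-byte buffer is not written down. I would change the comment to `@argv: at least four strings: thresh_num, event flag, reset_interval, lockout_interval` and `@buf: 6-byte output buffer, filled in parameter byte order`. The usage text above it has typos (`<chanel>`, `Pasword`, `<lockount_interval>`), and the last one does not match the `<lockout_interval>` name in its own synopsis line. The usage should also say that a thresh_num of 0 turns the lockout off, since the man page added in this commit only implies it.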
@@ -1604,6 +1670,18 @@ ipmi_lan_set(struct ipmi_intf * intf, int argc, char ** argv)
rc = set_lan_param(intf, chan, IPMI_LANP_RMCP_PRIV_LEVELS, data, 9);
}
}
+ else if (strncmp(argv[1], "bad_pass_thresh", 15) == 0)
+ {
+ if (argc == 3 && strncmp(argv[2], "help", 4) == 0) {
+ print_lan_set_bad_pass_thresh_usage();
+ return 0;
+ }
+ if (argc < 6 || get_cmdline_bad_pass_thresh(&argv[2], data)) {
+ print_lan_set_bad_pass_thresh_usage();
+ return (-1);
+ }
+ rc = set_lan_param(intf, chan, IPMI_LANP_BAD_PASS_THRESH, data, 6);
+ }
else {
print_lan_set_usage();
return (-1);
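Review bot: The `argc < 6` test accepts extra trailing arguments and silently ignores them, and `strncmp(argv[1], "bad_pass_thresh", 15)` matches any keyword that merely starts with that text. For a command that changes account-lockout policy I would reject anything that is not exactly the expected form: `if (argc != 6 || get_cmdline_bad_pass_thresh(&argv[2], data)) {`. The prefix match may be a file-wide convention, since the other branches are not visible here, so that part is a lower priority. The surrounding ipmi_lan_set body, including where `data` and `chan` are set up, is outside the hunk.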
@@ -2228,6 +2306,9 @@ print_lan_set_usage(void)
" O = OEM");
lprintf(LOG_NOTICE,
"");
+ lprintf(LOG_NOTICE,
+" bad_pass_thresh <thresh_num> <1|0> <reset_interval> <lockout_interval>\n"
+" Set bad password threshold");
}
static void
@@ -2383,6 +2464,8 @@ ipmi_lanp_main(struct ipmi_intf * intf, int argc, char ** argv)
lprintf(LOG_ERR, "Invalid channel: %s", argv[1]);
return (-1);
}
+ } else {
+ chan = find_lan_channel(intf, 1);
}
if (!is_lan_channel(intf, chan)) {
lprintf(LOG_ERR, "Invalid channel: %d", chan);
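Review bot: The new `else` branch picks a channel with `find_lan_channel(intf, 1)` when none is given, a behaviour change that the commit message does not mention and that is unrelated to the Bad Password Threshold parameter. A failed lookup is only caught indirectly by the `is_lan_channel()` check that follows, so the user would see `Invalid channel: <n>` for a channel they never typed. A comment such as `/* no channel given: use the first LAN channel found, validated below */` would document the intent, and a separate message for the not-found case would be clearer. The same branch is added again in the next hunk of ipmi_lanp_main, and both hunks show only part of the function.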
@@ -2402,6 +2485,8 @@ ipmi_lanp_main(struct ipmi_intf * intf, int argc, char ** argv)
lprintf(LOG_ERR, "Invalid channel: %s", argv[2]);
return (-1);
}
+ } else {
+ chan = find_lan_channel(intf, 1);
}
if (!is_lan_channel(intf, chan)) {
lprintf(LOG_ERR, "Invalid channel: %d", chan);