[REGRESSION] Broken User Authentication in i... https://www.dell.com/community/Systems-Mana...

Last reply by qurvax 07-01-2015 UNSOLVED


ckpl-msta
2 Bronze
05-25-2015 05:46 AM

[REGRESSION] Broken User Authentication in iDRAC7, firmware 2.10

We've observed a problem with a new R320 that came with pre-loaded firmware 2.10.10.10. After setting the password in iDRAC7 it was rejected on login. After spending some time on diagnosis we've discovered that only the first 20 characters of the full password (40 characters) were stored and can be used to log in.

Dell R720 with old firmware (1.57.57) works fine - the full-length password (40 characters) is properly stored and accepted on login.

Password was changed in the iDRAC Settings -> User Authentication section.


Replies (5)

DELL-Shine K
DellEMC
05-25-2015 10:40 PM

iDRAC only supports up to 20 characters for the local user password.

You will not be able to set a password above 20 characters. (The GUI will only allow you to type 20 characters in the password field, and any characters after 20 will be ignored. This is true for 1.57.57 also.) In 2.10.10.10 there is an enhancement where authentication will fail if the user enters more than 20 characters for the local user password. You are most likely seeing the failure because of this.

Thanks,
DELL-Shine K
#IWork4Dell


ckpl-msta
2 Bronze
05-26-2015 01:16 AM

Dell-Shine, I am sorry, but you're wrong. We're currently using a 40-character-long password to log in to iDRAC7 on an R720 with firmware 1.57.57, and it works just fine. So, from our perspective there are 2 problems:

1. We can't use 40-char passwords in the R320 with firmware 2.10.10.10. This needs to be FIXED.

2. We don't know if upgrading the firmware on the R720 won't cause the same issue we've observed on the R320. This should be checked on the Dell side.

DELL-Shine K
DellEMC
05-26-2015 02:38 AM

Can you try logging in with the first 20 characters of the password with 1.57.57? From your first post it looks like you are setting the password using the iDRAC GUI. While setting the password for a local user using the iDRAC GUI Local User Configuration page, iDRAC will not accept more than 20 characters in the password field. (Even if you copy-paste a password which is more than 20 characters, the GUI will only accept the first 20 characters.)

iDRAC support for password length is 20 characters. You can see this on the Help page.

Thanks,
DELL-Shine K
#IWork4Dell


ckpl-msta
2 Bronze
05-26-2015 04:17 AM

Dell-Shine, we've checked your statement and indeed, it seems that iDRAC7 on the R720 with firmware 1.57 is silently truncating passwords to the first 20 characters on both the user configuration and login screens, giving administrators the illusion that a long password is properly handled...

If Dell had an even worse policy, like silently truncating passwords to the first 5 characters, then everyone would have an easily breakable password and most administrators wouldn't even notice that...

In my opinion you should correct two things:

1. Stop silently truncating passwords. No matter what limit you pick (5, 20, 40 or 100), clear information should be presented on the user configuration screen and passwords that exceed that limit should be blocked until they fit that limit.

2. Allow using stronger passwords. 40 characters with upper- and lower-case alphanumeric and special characters is about 256 bits of entropy - should be enough to protect from any kind of brute-force attack using currently known technologies.


qurvax
2 Bronze
07-01-2015 05:47 AM

Confirmed on R720 S/T <ADMIN NOTE: Service tag removed per privacy policy> by updating iDRAC from 1.57.57 to 2.10.10.10.

Password was truncated from 40 chars to 20.

This almost made my balls go white. Good thing I remembered something similar on iDRAC6 a long time ago. So... Don't do THIS kind of stuff, ppl, please!

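The following Python is an added example, not code from the thread or from Dell. It models the two firmware behaviours the posts describe (1.57.57 truncating on both set and login, so a 40-character password appears to work; 2.10.10.10 truncating on set but comparing the full string on login, so the same password fails and its first 20 characters pass), the strict "reject over the limit" behaviour the 05-26 post asks for, the post-upgrade lockout qurvax confirmed, and the entropy arithmetic from the 05-26 post. The 20-character limit and the behaviours are taken from the thread; the salted PBKDF2 storage, the class and function names, the black-box probe and the assumption that the already-truncated stored hash is carried across the upgrade unchanged are this example's own.

```python
"""Model of the iDRAC7 local-password behaviour described in this thread.

Added example, not Dell's code.  Only the 20-character limit and the two
firmware behaviours reported in the thread are taken from the page; the
salted PBKDF2 storage, the class/function names and the probe are this
example's own assumptions.
"""
import hashlib
import hmac
import math
import secrets

MAX_LEN = 20  # local-user password limit quoted by Dell in the thread


class TruncatingStore:
    """Silently truncates on set.  With truncate_on_login=True it also
    truncates the login attempt (the 1.57.57 behaviour: a 40-char password
    "works"); with False it compares the full string (the 2.10.10.10
    behaviour: the 40-char password is rejected, its first 20 chars pass)."""

    def __init__(self, truncate_on_login: bool):
        self.truncate_on_login = truncate_on_login
        self._salt = secrets.token_bytes(16)
        self._digest = b""

    def _hash(self, pw: str) -> bytes:
        # Assumed storage format; the real BMC's is not described on the page.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 2_000)

    def set_password(self, pw: str) -> None:
        self._digest = self._hash(pw[:MAX_LEN])  # no error, no warning

    def login(self, pw: str) -> bool:
        candidate = pw[:MAX_LEN] if self.truncate_on_login else pw
        return hmac.compare_digest(self._hash(candidate), self._digest)


class StrictStore(TruncatingStore):
    """What the thread asks for: refuse over-limit passwords loudly."""

    def __init__(self):
        super().__init__(truncate_on_login=False)

    def set_password(self, pw: str) -> None:
        if len(pw) > MAX_LEN:
            raise ValueError(f"password is {len(pw)} chars; limit is {MAX_LEN}")
        self._digest = self._hash(pw)


def probe_truncation(store, length: int = 2 * MAX_LEN) -> dict:
    """Black-box check for silent truncation: set a long random password on
    a throwaway account, then find the shortest prefix that still logs in."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%&"
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    result = {"rejected_at_set": False, "full_password_accepted": None,
              "effective_length": None, "silently_truncated": False}
    try:
        store.set_password(pw)
    except ValueError:
        result["rejected_at_set"] = True
        return result
    result["full_password_accepted"] = store.login(pw)
    result["effective_length"] = next(
        (n for n in range(1, length + 1) if store.login(pw[:n])), None)
    result["silently_truncated"] = (result["effective_length"] is not None
                                    and result["effective_length"] < length)
    return result


def simulate_upgrade(pw: str) -> dict:
    """qurvax's case: password set under 1.57.57, then firmware moved to
    2.10.10.10.  Assumes the stored (already truncated) hash is carried over
    unchanged and only the login-side truncation disappears."""
    store = TruncatingStore(truncate_on_login=True)
    store.set_password(pw)
    before = store.login(pw)
    store.truncate_on_login = False
    return {"login_before_upgrade": before,
            "login_after_upgrade": store.login(pw),
            "first_20_after_upgrade": store.login(pw[:MAX_LEN])}


def password_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random password; 95 = printable ASCII."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for name, store in (("1.57.57", TruncatingStore(truncate_on_login=True)),
                        ("2.10.10.10", TruncatingStore(truncate_on_login=False)),
                        ("strict", StrictStore())):
        print(name, probe_truncation(store))
    print(simulate_upgrade("Gq4!sW8#nB2$xK6&vM1%cD5*hJ9@rP3^tF7(yL0)"))
    print(f"{MAX_LEN} chars ~ {password_entropy_bits(MAX_LEN):.0f} bits, "
          f"40 chars ~ {password_entropy_bits(40):.0f} bits")
```

The probe is the practical takeaway: on any device with an undocumented limit, set a deliberately over-long password on a spare account and see which prefix authenticates. If a prefix shorter than what you set logs in, the device is truncating silently and the real strength of every password on it is the truncated length, not the one you typed. Before a firmware update that might stop truncating at login, shorten every local password to the limit first, or the update locks you out as in the 07-01 post.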
