
Re: iLO access

 
HP-UX-OS
Occasional Contributor

iLO access

For a Linux system, root is set to log on only through the console. If the hardware is a ProLiant DL380, how does one log in as root?

Jimmy Vance
HPE Pro

Re: iLO access

If you don't have access to the physical console, you can use the remote console feature in iLO. What generation is the DL380, so we can point you to the right iLO documentation?

No support by private messages. Please ask the forum! 
HP-UX-OS
Occasional Contributor

Re: iLO access

Root cannot log on except from the console. The iLO remote access is not the console, so iLO does not let root log on. I have USB directly connected to the server; still it will not allow root logon. I have to log on with a regular user account. One can verify with the "tty" command: it does not show "console" once one logs on through iLO or a direct USB connection. I don't have a serial cable, so in this case, I wonder where the console is?

Matti_Kurkela
Honored Contributor

Re: iLO access

It depends on what is defined as a console. By default on PC hardware, this will be a VGA display, but it can be switched to one of the serial ports by using kernel boot options.

 

If your /etc/securetty contains only the word "console", it may be impossible to log in directly as root without booting the system to single-user mode: in regular multi-user mode, most Linux distributions use VGA virtual consoles, whose TTY devices are not /dev/console but /dev/tty1 .. /dev/tty12. If something is sent to /dev/console, it appears on the currently-active virtual console.

 

If there's even one functioning regular user account on the system, there is normally no need to log in directly as root: you can log in as a regular user, then use the "su" command to become root. This allows the system logs to record "user N.N logged in with his regular user account, then became root" instead of "an unidentified person that knew the root password logged in as root". Security auditors greatly prefer the first form over the second one, as it enables the privileged actions to be traced to a person, instead of an anonymous root account. Therefore, on systems under strict audit requirements, the standard features that allow logging on directly as root may be restricted or even disabled. If you find that is the case in the system you're concerned with, you should find out the required (administrative) procedures for root access: violating the audit conditions might cause a lot of trouble for your organization, and might cause you to lose your job if the system is important enough. You might be required to submit a written action plan for approval, and/or have a second person around to verify your actions. Usually, some form of documentation of the operations you do is the key requirement.

 

Jimmy already asked you the generation number of your DL380. There are 7 generations of DL380s, all different. Some have the original first-generation iLO, some have iLO2, the newest ones have iLO3. It would be easier to give you the information you need if we knew the exact model. I'd also like to know the exact method you're using to access iLO: are you using a web browser (Microsoft Internet Explorer, or something else?), telnetting to it, or perhaps using SSH?

 

The first-generation iLO can access the VGA display in text mode by snooping the write operations to the VGA memory, and injecting keystrokes to the keyboard controller's buffer after remapping the ASCII characters back to low-level keyboard scancodes. With BIOS involvement and/or proper drivers, a cleaner access method would be possible, but I don't think HP ever made Linux drivers for that. In Linux use, this mode can have difficulties with keyboard language selections and garbage characters; it can also be overwhelmed by rapidly-scrolling text.

 

iLO2 allows VGA console access only when accessed through a web browser: I cannot check at the moment, but I think iLO3 has the same requirement.

 

All generations of iLO also have a Virtual Serial Port mode, which typically appears in Linux systems as /dev/ttyS1 by default. (The oldest models used a custom I/O address for the virtual serial port, which makes the set-up a bit more complicated.) It works well, but requires a bit of set-up on the OS side.

 

In general, to fully use the iLO VSP mode as a true console, you need four things:

  • the bootloader must be configured to receive commands from the serial port
  • the kernel boot options must specify the serial port as the primary console device
  • a "getty" process must be started on the serial port in regular multi-user modes, to allow logins
  • root logins must be allowed by adding "ttyS1" to /etc/securetty

 

MK
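Added example, not part of any post in this thread: a shell check for two of the four prerequisites listed above (the kernel's primary console and the /etc/securetty entry), which also shows why a securetty containing only "console" refuses root on ttyS1 or tty1. The function names are hypothetical and the sample inputs are constructed; it assumes the securetty format of one device name per line with `#` comment lines, and that the kernel uses the last `console=` option for /dev/console.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# securetty_allows TTY [FILE]: succeed if TTY is listed in a securetty-style
# file (one device name per line; lines starting with '#' are comments).
securetty_allows() {
    tty_name=${1#/dev/}
    file=${2:-/etc/securetty}
    [ -r "$file" ] || return 2
    sed -e '/^#/d' -e 's/[[:space:]]*$//' "$file" | grep -Fxq -- "$tty_name"
}

# primary_console CMDLINE: print the device that backs /dev/console.
# Assumption: the LAST console= option wins; settings after the comma
# (e.g. 115200n8) are stripped. Prints an empty line if none is given.
primary_console() {
    last=
    for word in $1; do
        case $word in
            console=*) last=${word#console=}; last=${last%%,*} ;;
        esac
    done
    printf '%s\n' "$last"
}

# check_vsp_root_login TTY SECURETTY_FILE CMDLINE: report both checks,
# return non-zero if either prerequisite is missing.
check_vsp_root_login() {
    rc=0
    found=$(primary_console "$3")
    if [ "$found" = "$1" ]; then echo "OK   kernel primary console is $1"
    else echo "FAIL kernel primary console is '$found', not $1"; rc=1; fi
    if securetty_allows "$1" "$2"; then echo "OK   $1 is listed in $2"
    else echo "FAIL $1 is not listed in $2"; rc=1; fi
    return $rc
}

# Constructed sample: a securetty holding only "console", as in the thread.
demo=$(mktemp)
printf '# constructed sample\nconsole\n' > "$demo"
check_vsp_root_login ttyS1 "$demo" "ro root=/dev/sda1 console=tty0" || true
# After adding ttyS1 and making it the last console= option, both checks pass.
printf 'ttyS1\n' >> "$demo"
check_vsp_root_login ttyS1 "$demo" "ro root=/dev/sda1 console=tty0 console=ttyS1,115200n8"
rm -f "$demo"
```

On a live system, pass `/etc/securetty` and `"$(cat /proc/cmdline)"` as the second and third arguments; the bootloader and getty items depend on the distribution and are not checked here.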