Wed, Dec 24, 2025 at 09:58:34AM +0200, Saku Ytti:
> Personally, I don't care about BMC security, it's not important. People are asking it to be CLI only, it was, so was CMP, BMC and CMP were what we wanted, we just didn't bother figuring it out.
bs, saku. complexity and cost of bmcs are not valid arguments imo, but security must be addressed, as must usability and compatibility.

It is not sufficient to isolate the bmc network; if it is accessible to you, then it is accessible to other internal threats, whatever their motivation. Ignoring FIPS bs, to which some are subjected: if the mfg never supplies updates or the owner never applies them, it could have security issues or issues that affect your use/mgmt of it, e.g. only supports 3des-cbc. yet, if it can be disabled or simply not connected to the network, the security issue is mostly addressed, and that voids the security argument.

SMC literally creates a BMC and its s/w version; it is added to many models, and is unlikely to ever receive an update. Any bugs or holes are yours to cherish for the duration of the product's life. To name a few SMC gems: java, OoD java, backdoors, EoL ssh ciphers, ...

I want the bmc, and a list of features. Minimally, it seems very reasonable to ask that bugs be fixed, bundled s/w be updated, and an automatable update procedure be supplied (one that does not require rebooting the host). They're super useful for the lab and testing too. And, yes, some are cli, but far from all. The gui ones are really terrible. Not just network gear, all devices.
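The "only supports 3des-cbc" and "EoL ssh ciphers" complaints above are something you can inventory across a BMC estate rather than discover when a newer OpenSSH refuses to connect. The following is an added example, not code from anyone in this thread: it speaks just enough SSH (RFC 4253 version exchange plus the unencrypted SSH_MSG_KEXINIT the server sends first) to list the algorithms a BMC offers and flag the ones current clients drop by default. The WEAK_* sets are this example's own assumptions about what to flag; `build_kexinit` exists only to construct a sample packet for offline use.

```python
"""Probe an SSH endpoint (e.g. a BMC management port) for offered algorithms.

Added example; not from the thread. The WEAK_* lists are assumptions of this
example (CBC/RC4 ciphers, MD5 and truncated MACs, SHA-1 group-1 and
group-exchange KEX are all off by default in current OpenSSH clients).
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                "blowfish-cbc", "cast128-cbc",
                "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1",
            "diffie-hellman-group-exchange-sha1"}

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from {field: [alg, ...]} (used to construct
    sample input; a live probe parses what the server actually sends)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    # first_kex_packet_follows (boolean) + reserved uint32
    return out + b"\x00" + b"\x00\x00\x00\x00"


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [alg, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message type byte + 16-byte random cookie
    lists = {}
    for name in KEXINIT_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT before %s" % name)
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % name)
        off += n
        lists[name] = [a for a in raw.decode("ascii").split(",") if a]
    return lists


def assess(lists):
    """Flag weak offerings; 'only_weak_ciphers' is the 3des-cbc-only case,
    where no default-configured modern client will connect at all."""
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    kex = set(lists["kex"])
    return {
        "weak_ciphers": sorted(ciphers & WEAK_CIPHERS),
        "weak_macs": sorted(macs & WEAK_MACS),
        "weak_kex": sorted(kex & WEAK_KEX),
        "only_weak_ciphers": bool(ciphers) and ciphers <= WEAK_CIPHERS,
    }


def probe(host, port=22, timeout=5.0):
    """Live probe: read the server banner, send ours, then read the server's
    first binary packet (KEXINIT, sent in the clear) and assess it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")  # one buffered reader for banner and packet
        while True:  # RFC 4253 4.2: non-"SSH-" lines may precede the banner
            line = f.readline()
            if not line:
                raise ConnectionError("connection closed before SSH banner")
            if line.startswith(b"SSH-"):
                banner = line.rstrip(b"\r\n").decode("ascii", "replace")
                break
        s.sendall(b"SSH-2.0-bmc_cipher_check\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))
        body = f.read(packet_len)
        if len(body) != packet_len:
            raise ConnectionError("short SSH packet")
        padding_len = body[0]
        payload = body[1:packet_len - padding_len]
        return banner, assess(parse_kexinit(payload))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(host))
```

Run it against each BMC address; `only_weak_ciphers` true means the device is already unreachable from a stock OpenSSH client, while a non-empty `weak_*` list with modern alternatives present is the case where you should disable the legacy algorithms if the BMC allows it. The MAC field is unauthenticated at this stage, so treat the result as an inventory, not proof of what a full handshake negotiates.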