How to recover forgotten IPMI credentials on pfSense

I’ve been using a pair of Netgate XG-1541 in HA for some months as a test perimeter firewall and so far it’s been a smooth ride. This model comes with a dedicated onboard IPMI interface (Realtek RTL8201N), and while you can configure the IP parameters from the BIOS, if you change the default credentials and then forget them you are pretty much locked out.

Warning – This procedure is valid only for pfSense version 2.2 and up. In previous versions, the IPMI tool had to be installed as a package and could be used from the GUI. From 2.2 and up it’s exclusive to the shell.

Luckily, the ipmitool package is available for pfSense, and it is the key to recovering forgotten IPMI credentials if you still have access to the GUI. The IPMI tool requires root access; to avoid using the root account, log in to the pfSense GUI with your administrator user.

1. In the GUI there’s a tool that allows you to interface directly with the underlying shell. This tool is at Diagnostics/Command Prompt.

2. If you try to use the ipmitool command you will get an error prompt. This is because the IPMI driver is not yet loaded into the kernel.

3. Temporarily load the IPMI driver using the kldload ipmi command. You can also force the driver to load into the kernel at startup by modifying the “ipmi_load” parameter in /boot/loader.conf, but that is not really necessary for this how-to.

4. Now you can use the ipmitool command with its options. The first step is to force the IPMI interface to use a static IP address with the ipmitool lan set 1 ipsrc static command (the 1 refers to the IPMI interface number).

5. Next, use the ipmitool lan set 1 ipaddr command to set the new IP address.

6. Next, use the ipmitool lan set 1 netmask command to set the new subnet mask.

7. Then use the ipmitool lan set 1 defgw ipaddr command to set the IP address of the IPMI default gateway.

8. For the access credentials, you first need to check which users are already created in the BMC database using the ipmitool user list command; take note of the ID of the user you want to modify.

9. Finally, use the ipmitool user set password 2 command to reset the access password for that user. In this case, the “ADMIN” user password was reset because that lets you regain access to the IPMI GUI with administrator privileges and continue with any further changes from there instead of using the “command prompt” tool from the pfSense GUI.
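The steps above collected into one script, as an added example that is not part of the original post. It assumes a root shell on the console or over SSH rather than the GUI command prompt, because ipmitool prompts for the new password when none is given on the command line; the function names and the DRY_RUN switch are made up for this example, and the addresses and user ID are whatever you pass in.

```shell
#!/bin/sh
# Added example, not the author's script. Channel 1 follows the article; the
# addresses and user ID are supplied by the operator.
CHANNEL=1
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; 0 = execute them

# valid_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# recover ADDR NETMASK GATEWAY USERID: the article's steps 3-9 in order.
recover() {
    for a in "$1" "$2" "$3"; do
        valid_ipv4 "$a" || { echo "invalid IPv4 value: $a" >&2; return 1; }
    done
    case "$4" in
        ''|*[!0-9]*) echo "user ID must be numeric" >&2; return 1 ;;
    esac
    # ipmitool talks to the BMC through /dev/ipmi0; load the driver if absent.
    [ "$DRY_RUN" = 1 ] || [ -c /dev/ipmi0 ] || kldload ipmi || return 1
    # The password step passes no password: ipmitool prompts for it, so the
    # new secret never lands in shell history or the process list.
    # The final "lan print" shows what the BMC now holds, for verification.
    run ipmitool lan set "$CHANNEL" ipsrc static &&
    run ipmitool lan set "$CHANNEL" ipaddr "$1" &&
    run ipmitool lan set "$CHANNEL" netmask "$2" &&
    run ipmitool lan set "$CHANNEL" defgw ipaddr "$3" &&
    run ipmitool user list &&
    run ipmitool user set password "$4" &&
    run ipmitool lan print "$CHANNEL"
}

if [ $# -eq 4 ]; then recover "$@"; fi
```

Run it once with the default DRY_RUN=1 to review the exact commands, then again with DRY_RUN=0 to apply them.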

If you have questions about how IPMI works, here is an excellent article from Thomas-Krenn: IPMI Basics. And remember, while IPMI is very useful, it can also be the worst of your cybersecurity nightmares.
