Question about AMT password chang and Kerberos enablement

Andy_Z · ‎12-16-2014

Greetings guys. Recently I've been composing a simple python based tool for remote WS management based on wsman and AMT.

I'd like to firstly use digest as the authentication method. If so It's demanded that admin pw can be remotely changed. I know BIOS access or webUI can do this but both approaches are not applicable for bulk operation.

Have u got a nice plan for pw bulk change? It'll be best if certain wsman schema could cover this request.

On the other hand, however, Kerberos will be the best and it's the desirable choice for access authentication. So the last pledge from me is about the guidance of AMT Kerberos enabling and deployment.

To summarize, Q1: how to change AMT password in bulk? (wsman cli preferred); Q2: how to enable kerberos on AMT?

Colleen_C_Intel · ‎12-16-2014

In general, AMT passwords are not meant to be changed in bulk but there are some management tools (such as LanDesk) that have the capability (see Synchronize to all managed vPro machines when password is modified.)
For kerberos, please see https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2010/01/04/configuring-kerberos-for-vpro-role-based-authentication

Andy_Z · ‎12-17-2014

Hi Colleen, I've reviewed some links related to your points, one Landesk userguide book, another Symantec mgmt console Kbros steps. Those functions do work within 3rd party mgmt suite but require either purchase or license.

Is there any opensource approach for this? So far I've tried open manageability tool from Open sw Foundation, and Intel vPro PSM. It fits the most if this can be done via just linux shell.

Gael_H_Intel · ‎12-17-2014

You can set the admin password during a configuration process using the Intel SCS (Set up and Configuration Server).

Actually, it looks like you *can* change the admin password if you implement the Digest Master Pasword - here is some information on that.

https://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/

This is from the AMT Implementation and Reference Guide:

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fdigestmasterpassword.htm

Set Admin User Information

The following steps describe how to set the admin username and password.

1. Retrieve the value of the AMT_GeneralSettings.DigestRealm property:

a. Find the instance of CIM_ComputerSystem representing the Intel AMT, as described in Discovering CIM_ComputerSystem.

b. From the CIM_ComputerSystem instance, traverse the CIM_ElementSettingData association class to find the instance ofAMT_GeneralSettings.

2. If the Admin Password will be changed, compute DigestPassword by using MD5 Hashing function:

DigestPassword = MD5 (username + “:” + AMT_GeneralSettings.DigestRealm + “:” + plaintextPassword);