Intel® Business Client Software Development
Support for Intel® vPro™ software development and the technologies associated with Intel vPro platforms.
Announcements
This community is designed for sharing of public information. Please do not share Intel or third-party confidential information here.
1363 Discussions

Question about AMT password chang and Kerberos enablement

Andy_Z
Beginner
196 Views

Greetings guys. Recently I've been composing a simple python based tool for remote WS management based on wsman and AMT.

I'd like to firstly use digest as the authentication method. If so It's demanded that admin pw can be remotely changed. I know BIOS access or webUI can do this but both approaches are not applicable for bulk operation.

Have u got a nice plan for pw bulk change? It'll be best if certain wsman schema could cover this request.

On the other hand, however, Kerberos will be the best and it's the desirable choice for access authentication. So the last pledge from me is about the guidance of AMT Kerberos enabling and deployment.

To summarize, Q1: how to change AMT password in bulk? (wsman cli preferred); Q2: how to enable kerberos on AMT?

0 Kudos
3 Replies
Colleen_C_Intel
Employee
196 Views

In general, AMT passwords are not meant to be changed in bulk but there are some management tools (such as LanDesk) that have the capability (see Synchronize to all managed vPro machines when password is modified.)
For kerberos, please see https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2010/01/04/configuring-kerber...

Andy_Z
Beginner
196 Views

Hi Colleen, I've reviewed some links related to your points, one Landesk userguide book, another Symantec mgmt console Kbros steps. Those functions do work within 3rd party mgmt suite but require either purchase or license.

Is there any opensource approach for this? So far I've tried open manageability tool from Open sw Foundation, and Intel vPro PSM. It fits the most if this can be done via just linux shell.

Gael_H_Intel
Moderator
196 Views

You can set the admin password during a configuration process using the Intel SCS (Set up and Configuration Server). 

 

Actually, it looks like you *can* change the admin password if you implement the Digest Master Pasword - here is some information on that.

https://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configu...

 

This is from the AMT Implementation and Reference Guide:

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?tu...

Set Admin User Information

The following steps describe how to set the admin username and password.

1.  Retrieve the value of the AMT_GeneralSettings.DigestRealm property:

a.   Find the instance of CIM_ComputerSystem representing the Intel AMT, as described in Discovering CIM_ComputerSystem.

b.   From the CIM_ComputerSystem instance, traverse the CIM_ElementSettingData association class to find the instance ofAMT_GeneralSettings.

2.  If the Admin Password will be changed, compute DigestPassword by using MD5 Hashing function:

DigestPassword = MD5 (username + “:” + AMT_GeneralSettings.DigestRealm + “:” + plaintextPassword);

 

Reply