This presentation describes a secure alternative to the IPMI lanplus protocol for remote server management, using an HTTPS interface with WebSocket technology. The design eliminates the need to store plaintext passwords on the BMC, mitigating credential leakage risks, and the presentation will demonstrate how this enables completely password-free access to the BMC. By integrating IPMI command passthrough into the bmcweb Redfish implementation, the design reuses the Redfish session authentication and privilege models, enabling advanced authentication methods such as mutual TLS and SSO. Performance evaluations show that this binary protocol over HTTPS-WebSocket matches native lanplus speed while improving security. The modifications to ipmitool, bmcweb, and ipmid provide a practical, secure, and scalable remote server management solution.
The design doc and the implementation are open source and have been submitted to OpenBMC and ipmitool for review.