Redfish plugin was not handling the various socket error
behaviors correctly.
Additionally, the attribschanged handler was failing to actually
do anything, so commands would gladly reuse an old redfish
object if it were working.

XCC firmware will start mandating a password change before use.
Additionally, IPMI will be unavailable and will be needed for enabling SMM.
TODO:
-Discover USERID/TempW0rd42 nodes that weren't preconfigged
-Enable IPMI on non-SD530 if hardwaremanagement.method is not redfish.

SMM discovery behavior has seemingly gotten more picky with time.
First switch to an IPMI-free if the user has custom password. The
web based approach is much less problematic than SMM IPMI stack in
this context.
If user specifies they want to use default credentials, we have
no choice but to use IPMI. Omit things and shuffle order of operations
to mitigate problems. It isn't perfect, but it does work eventually.

Continue to support read using the old scheme, but even when
an integrity key is available, only use it to aid in decrypting
classic format, and always write in new format.
When generating key material from scratch, skip HMAC and
activate GCM mode.
When using existing CBC/HMAC keys, start covering the IV value
in the HMAC. For compatibility, HMAC validity is checked with
and without IV.
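
The dual HMAC check described in the message above, sketched as an added example that is not code from this project. HMAC-SHA256, the `iv || ciphertext` ordering, and the function names are assumptions; the ciphertext is an opaque constructed byte string, so no cipher is needed to run it.

```python
import hashlib
import hmac

# Assumptions (not from the original commit): HMAC-SHA256, and the tag is
# computed over iv || ciphertext. All byte strings below are constructed.

def tag_with_iv(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Tag used when writing: the IV is authenticated with the ciphertext."""
    return hmac.new(key, iv + ciphertext, hashlib.sha256).digest()

def tag_legacy(key: bytes, ciphertext: bytes) -> bytes:
    """Older tag: ciphertext only, so the IV is not authenticated."""
    return hmac.new(key, ciphertext, hashlib.sha256).digest()

def check_tag(key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> str:
    """Return which form validated; raise ValueError if neither does."""
    # Compute both candidates, compare each in constant time.
    new_ok = hmac.compare_digest(tag, tag_with_iv(key, iv, ciphertext))
    old_ok = hmac.compare_digest(tag, tag_legacy(key, ciphertext))
    if new_ok:
        return "iv-covered"
    if old_ok:
        return "legacy"  # caller should rewrite this record with an IV-covering tag
    raise ValueError("HMAC validation failed")

def demo() -> dict:
    key = bytes(range(32))                    # constructed integrity key
    iv = bytes(16)                            # constructed IV
    changed_iv = b"\x01" + iv[1:]             # same IV with one bit changed
    ct = b"constructed-ciphertext-32-bytes!"  # opaque stand-in for CBC output
    new_tag, old_tag = tag_with_iv(key, iv, ct), tag_legacy(key, ct)
    out = {"new": check_tag(key, iv, ct, new_tag),
           "old": check_tag(key, iv, ct, old_tag),
           # a legacy tag cannot notice that the IV changed
           "old_changed_iv": check_tag(key, changed_iv, ct, old_tag)}
    try:
        check_tag(key, changed_iv, ct, new_tag)
        out["new_changed_iv"] = "accepted"
    except ValueError:
        out["new_changed_iv"] = "rejected"
    return out

if __name__ == "__main__":
    print(demo())
```

Returning which form validated lets the caller find records that still carry the older tag and rewrite them so the IV becomes covered.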

Some BMCs are incapable of handling concurrent requests.
This is a blow particularly to high latency management given
Redfish's tendency to require a lot of resource fetches, but
we don't have a particularly discoverable strategy for knowing
in advance whether an implementation is up for some optimization.

Password rules may be relevant to some scenarios. In such a case, this
can provide guidance if the BMC does not have such a facility or
alternatively provide friendlier warnings than the BMC provides
around shortcomings of the password.

It was frequent that a token expiration would impact an attempt to convert
an account. Suppress the token based authentication to more reliably
have a fresh login.
Additionally, mitigate chance of exhausting user login limit.
Finally, switch to a generated password for the temporary account. Should something go awry
between deleting the third-party account and recreating it, this
means the system will have to be reset through OS or F1 menu. However, this is better
than the risk of a well known backdoor account being inadvertently
created.