Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
appnotes:authmenus [2009/02/17 20:57]
mcb30
appnotes:authmenus [2011/05/06 20:09]
genec [vesamenu.c32 current] space; clarity
Line 13: Line 13:
     SSLRequireSSL     SSLRequireSSL
  
-and a file "menu.gpxe" ​containing+You must choose between being able to load vesamenu.c32 directly ​and loading the current version of vesamenu.c32. 
 +==== vesamenu.c32 current ==== 
 +The current version of vesamenu.c32 can not be loaded directly from gPXE and requires PXELINUX as an intermediate layer. ​ You will need two PHP files, ​boot.php containing
  
-    ​#!gpxe +  <?php 
-     +   
-    ​imgfree +  header ( "​Content-type:​ text/​plain"​ ); 
-    ​login +  echo "#!gpxe\n"; 
-    ​kernel -menu https://​${username:​uristring}:​${password:​uristring}@my.web.server/​boot/​vesamenu.c32 menu.php +   
-    boot menu+  $proto = "​https";​ 
 +  // Comment out/remove the following if strictly using HTTPS 
 +  if (!isset($_SERVER["​HTTPS"​])) 
 +    ​$proto = "​http";​ 
 +   
 +  // This assigns the host that gPXE should use using the most logical variables 
 +  if ( $_SERVER["​HTTP_HOST"​] != ""​ ) { 
 +    ​$host=$_SERVER["​HTTP_HOST"​];​ 
 +  } else { 
 +    ​if ( $_SERVER["​SERVER_NAME"​] != 0) { 
 +  $host=$_SERVER["​SERVER_NAME"​];​ 
 +    ​} else { 
 +  $host=$_SERVER["​SERVER_ADDR"​];​ 
 +    } 
 +  } 
 +   
 +  // Comment out/remove the following if you are running on a standard port 
 +  if (!((! isset($_SERVER["​HTTPS"​]) ) && ($_SERVER["​SERVER_PORT"​] == 80)) 
 +    && !(isset($_SERVER["​HTTPS"​]) && ($_SERVER["​SERVER_PORT"​] == 443)) ){ 
 +      if (strrpos($host,​ ":"​) == FALSE) 
 +        $host=$host.":"​.$_SERVER["​SERVER_PORT"​];​ 
 +  } 
 +   
 +  $uri=$_SERVER["​REQUEST_URI"​];​ 
 +  $dir=substr ( $uri, 0, strrpos ($uri, "/"​) + 1); 
 +   
 +  echo "#​!gpxe\n"; 
 +  echo "​imgfree\n";​ 
 +  echo "​login\n";​ 
 +  echo "set 209:string bootcfg.php\n";​ 
 +  echo "set 210:string ". 
 +       ​$proto."​://\${username:​uristring}:​\${password:​uristring}@". 
 +       $host.$dir."​\n";​ 
 +  echo "chain \${210:​string}pxelinux.0\n";​ 
 +  ?> 
 + 
 +and a bootcfg.php containing 
 + 
 +  <?php 
 +   
 +  header ( "​Content-type:​ text/plain" ); 
 +   
 +  echo "UI runmenu\n\n";​ 
 +  echo "LABEL runmenu\n";​ 
 +  echo "COM32 vesamenu.c32\n";​ 
 +  echo "​APPEND menu.php\n";​ 
 +  ?> 
 + 
 +Selecting this method will require that you use gpxecmd.c32 to execute gPXE commands and scripts. 
 +==== vesamenu.c32 directly ==== 
 +You will need a file "boot.php" containing 
 + 
 +  <?php 
 +   
 +  header ( "​Content-type:​ text/plain" ); 
 +   
 +  $uri=$_SERVER["​REQUEST_URI"​];​ 
 +  $dir=substr ( $uri, 0, strrpos ($uri, "/"​) + 1); 
 +   
 +  echo "#​!gpxe\n";​ 
 +  echo "​imgfree\n";​ 
 +  echo "​login\n";​ 
 +  echo "chain ". 
 +       "​https://​\${username:​uristring}:​\${password:​uristring}@"​. 
 +       ​$_SERVER["​HTTP_HOST"​].$dir. 
 +       "​vesamenu.c32 menu.php\n"; 
 +  ?>​ 
 + 
 +In order to use vesamenu.c32 directly from gPXE, you must use Syslinux-3.86 from [[http://​www.kernel.org/​pub/​linux/​utils/​boot/​syslinux/​3.xx/​]] and not the latest version.
  
-Configure your DHCP server to hand out //menu.gpxe// as the boot file, using something like (for ISC dhcpd)((If you are using PXE-chaining,​ you may want to investigate the various methods for avoiding infinite loops described in the [[:​pxechaining|PXE chainloading]] HowTo.)):+==== Setup part 1 continued ==== 
 +Configure your DHCP server to hand out //boot.php// as the boot file, using something like (for ISC dhcpd)((If you are using PXE-chaining,​ you may want to investigate the various methods for avoiding infinite loops described in the [[:​pxechaining|PXE chainloading]] HowTo.)):
  
-    filename "​https://​my.web.server/​boot/​menu.gpxe";+    filename "​https://​my.web.server/​boot/​boot.php";
  
-Download the latest //​syslinux//​ tarball from [[http://​www.kernel.org/​pub/​linux/​utils/​boot/​syslinux/​]] and build it.  Copy the files //​com32/​menu/​vesamenu.c32//​ and //​com32/​modules/​cmd.c32//​((At the time of writing, //cmd.c32// is not yet integrated into a //​syslinux//​ release; you will need to apply the patch from [[http://​rom.etherboot.org/​share/​mcb30/​syslinux-cmd.patch]] before building //​syslinux//,​ or just grab the prebuilt //cmd.c32// binary from [[http://​rom.etherboot.org/​share/​mcb30/​cmd.c32]].)) ​into the "​boot"​ directory on the web server.+Download the latest //​syslinux//​ tarball from [[http://​www.kernel.org/​pub/​linux/​utils/​boot/​syslinux/​]] and extract ​it.  Copy the files //​com32/​menu/​vesamenu.c32//​ and //​com32/​modules/​cmd.c32//​ into the "​boot"​ directory on the web server.
  
 ===== Setup (interesting part) ===== ===== Setup (interesting part) =====
Line 38: Line 109:
     <?php     <?php
     ​     ​
-    header ( 'Content-type:​ text/plain' ​);+    header ( "Content-type:​ text/plain" ​);
     ​     ​
     $username = $_SERVER["​PHP_AUTH_USER"​];​     $username = $_SERVER["​PHP_AUTH_USER"​];​
Line 79: Line 150:
       echo " ​ menu label Authentication Failed\n";​       echo " ​ menu label Authentication Failed\n";​
       echo " ​ menu disable\n";​       echo " ​ menu disable\n";​
-      uriboot ( "Try again",​ "menu.gpxe", ""​ );+      uriboot ( "Try again",​ "boot.php", ""​ );
     }     }
     ​     ​
Line 188: Line 259:
 The credentials do get passed to the loaded OS via the iBFT, so we get single sign-on through to the iSCSI runtime stage for free. The credentials do get passed to the loaded OS via the iBFT, so we get single sign-on through to the iSCSI runtime stage for free.
  
-For extra bonus points, it would be possible to write a Windows driver (very similar in structure to [[http://​git.etherboot.org/?​p=sanbootconf.git;​a=summary|sanbootconf]]) that would pick up the username and password from the iBFT, and store them in the registry as the autologon credentials;​ this would give you single sign-on right through to the desktop.+For extra bonus points, it would be possible to write a Windows driver (very similar in structure to [[:​sanbootconf|sanbootconf]]) that would pick up the username and password from the iBFT, and store them in the registry as the autologon credentials;​ this would give you single sign-on right through to the desktop. ​ The relevant registry entries are all found in //​HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon//,​ and should be set as follows: 
 + 
 +  * //​DefaultUserName//​ - set to user name from iBFT 
 + 
 +  * //​DefaultPassword//​ - set to password from iBFT 
 + 
 +  * //​AutoAdminLogon//​ - set to 1 
 + 
 +  * //​AutoLogonCount//​ - set to 1, so that Windows erases((Hopefully Windows will erase the credentials. ​ If it doesn'​t then this single sign-on approach would be a really bad idea, since the //​Winlogon//​ key is by default readable by all users on the system.)) the credentials from the registry as soon as they have been used. 
 + 
 +Note that Windows imposes a minimum password length of 12 characters, and a maximum of 16 characters, for iSCSI authentication;​ this scheme will silently break unless your password policy enforces an appropriate min/max password length of 12<​-->​16 characters. 
  

QR Code
QR Code appnotes:authmenus (generated for current page)