Differences

appnotes:authmenus [2009/02/18 10:52]
mcb30
appnotes:authmenus [2013/03/04 15:34]
genec Fix cmd.c32 -> gpxecmd.c32
Line 13: Line 13:
     SSLRequireSSL     SSLRequireSSL
  
-and a file "menu.gpxe" ​containing+You must choose between being able to load vesamenu.c32 directly ​and loading the current version of vesamenu.c32. 
 +==== vesamenu.c32 current ==== 
 +The current version of vesamenu.c32 can not be loaded directly from gPXE and requires PXELINUX as an intermediate layer. ​ You will need two PHP files, ​boot.php containing
  
-    ​#!gpxe +  <?php 
-     +   
-    ​imgfree +  header ( "​Content-type:​ text/​plain"​ ); 
-    ​login +  echo "#!gpxe\n"; 
-    ​kernel -menu https://​${username:​uristring}:​${password:​uristring}@my.web.server/​boot/​vesamenu.c32 menu.php +   
-    boot menu+  $proto = "​https";​ 
 +  // Comment out/remove the following if strictly using HTTPS 
 +  if (!isset($_SERVER["​HTTPS"​])) 
 +    ​$proto = "​http";​ 
 +   
 +  // This assigns the host that gPXE should use using the most logical variables 
 +  if ( $_SERVER["​HTTP_HOST"​] != ""​ ) { 
 +    ​$host=$_SERVER["​HTTP_HOST"​];​ 
 +  } else { 
 +    ​if ( $_SERVER["​SERVER_NAME"​] != 0) { 
 +  $host=$_SERVER["​SERVER_NAME"​];​ 
 +    ​} else { 
 +  $host=$_SERVER["​SERVER_ADDR"​];​ 
 +    } 
 +  } 
 +   
 +  // Comment out/remove the following if you are running on a standard port 
 +  if (!((! isset($_SERVER["​HTTPS"​]) ) && ($_SERVER["​SERVER_PORT"​] == 80)) 
 +    && !(isset($_SERVER["​HTTPS"​]) && ($_SERVER["​SERVER_PORT"​] == 443)) ){ 
 +      if (strrpos($host,​ ":"​) == FALSE) 
 +        $host=$host.":"​.$_SERVER["​SERVER_PORT"​];​ 
 +  } 
 +   
 +  $uri=$_SERVER["​REQUEST_URI"​];​ 
 +  $dir=substr ( $uri, 0, strrpos ($uri, "/"​) + 1); 
 +   
 +  echo "#​!gpxe\n"; 
 +  echo "​imgfree\n";​ 
 +  echo "​login\n";​ 
 +  echo "set 209:string bootcfg.php\n";​ 
 +  echo "set 210:string ". 
 +       ​$proto."​://\${username:​uristring}:​\${password:​uristring}@". 
 +       $host.$dir."​\n";​ 
 +  echo "chain \${210:​string}pxelinux.0\n";​ 
 +  ?> 
 + 
 +and a bootcfg.php containing 
 + 
 +  <?php 
 +   
 +  header ( "​Content-type:​ text/plain" ); 
 +   
 +  echo "UI runmenu\n\n";​ 
 +  echo "LABEL runmenu\n";​ 
 +  echo "COM32 vesamenu.c32\n";​ 
 +  echo "​APPEND menu.php\n";​ 
 +  ?> 
 + 
 +Selecting this method will require that you use gpxecmd.c32 to execute gPXE commands and scripts. 
 +==== vesamenu.c32 directly ==== 
 +You will need a file "boot.php" containing 
 + 
 +  <?php 
 +   
 +  header ( "​Content-type:​ text/plain" ); 
 +   
 +  $uri=$_SERVER["​REQUEST_URI"​];​ 
 +  $dir=substr ( $uri, 0, strrpos ($uri, "/"​) + 1); 
 +   
 +  echo "#​!gpxe\n";​ 
 +  echo "​imgfree\n";​ 
 +  echo "​login\n";​ 
 +  echo "chain ". 
 +       "​https://​\${username:​uristring}:​\${password:​uristring}@"​. 
 +       ​$_SERVER["​HTTP_HOST"​].$dir. 
 +       "​vesamenu.c32 menu.php\n"; 
 +  ?>​ 
 + 
 +In order to use vesamenu.c32 directly from gPXE, you must use Syslinux-3.86 from [[http://​www.kernel.org/​pub/​linux/​utils/​boot/​syslinux/​3.xx/​]] and not the latest version.
  
-Configure your DHCP server to hand out //menu.gpxe// as the boot file, using something like (for ISC dhcpd)((If you are using PXE-chaining,​ you may want to investigate the various methods for avoiding infinite loops described in the [[:​pxechaining|PXE chainloading]] HowTo.)):+==== Setup part 1 continued ==== 
 +Configure your DHCP server to hand out //boot.php// as the boot file, using something like (for ISC dhcpd)((If you are using PXE-chaining,​ you may want to investigate the various methods for avoiding infinite loops described in the [[:​pxechaining|PXE chainloading]] HowTo.)):
  
-    filename "​https://​my.web.server/​boot/​menu.gpxe";+    filename "​https://​my.web.server/​boot/​boot.php";
  
-Download the latest //​syslinux//​ tarball from [[http://​www.kernel.org/​pub/​linux/​utils/​boot/​syslinux/​]] and build it.  Copy the files //​com32/​menu/​vesamenu.c32//​ and //​com32/​modules/​cmd.c32//((At the time of writing, //cmd.c32// is not yet integrated into a //​syslinux//​ release; you will need to apply the patch from [[http://​rom.etherboot.org/​share/​mcb30/​syslinux-cmd.patch]] before building //​syslinux//,​ or just grab the prebuilt //cmd.c32// binary from [[http://​rom.etherboot.org/​share/​mcb30/​cmd.c32]].)) ​into the "​boot"​ directory on the web server.+Download the latest //​syslinux//​ tarball from [[http://​www.kernel.org/​pub/​linux/​utils/​boot/​syslinux/​]] and extract ​it.  Copy the files //​com32/​menu/​vesamenu.c32//​ and //​com32/​modules/​gpxecmd.c32// into the "​boot"​ directory on the web server.
  
 ===== Setup (interesting part) ===== ===== Setup (interesting part) =====
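Review bot: the `$proto = "http"` fallback in the new boot.php (the block after `// Comment out/remove the following if strictly using HTTPS`) embeds `${username:uristring}:${password:uristring}@` into a plain-http URL, so a vhost that answers on port 80 will send the user's password in cleartext; the page already mandates `SSLRequireSSL`, so make https the only protocol (or refuse to emit the `login` URL unless HTTPS is set) rather than defaulting to a downgrade. The detection itself is also unreliable: `isset($_SERVER["HTTPS"])` is true on servers that set `HTTPS` to `"off"`, so test `!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off"`. Two smaller defects in the same block: `$_SERVER["SERVER_NAME"] != 0` compares a string to an integer, and a non-numeric string compares equal to 0 in PHP 5/7, so the `SERVER_NAME` branch is never taken (use `!= ""`); and `strrpos($host, ":") == FALSE` should be `=== FALSE` (and will misfire on a bracketed IPv6 host). Finally, `echo "#!gpxe\n";` is emitted twice, once at the top and again after `$dir=...`; keep only the first, since gPXE requires it as the first line of the script.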
Line 38: Line 109:
     <?php     <?php
     ​     ​
-    header ( 'Content-type:​ text/plain' ​);+    header ( "Content-type:​ text/plain" ​);
     ​     ​
     $username = $_SERVER["​PHP_AUTH_USER"​];​     $username = $_SERVER["​PHP_AUTH_USER"​];​
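Review bot: the quote change is cosmetic and safe, but the context line below it deserves a comment in the code: `$_SERVER["PHP_AUTH_USER"]` is only populated when PHP runs as an Apache module; under CGI/FastCGI Apache does not pass the Basic credentials through, so `$username` comes back empty even though Apache authenticated the request, and every menu built from it will look like the "Authentication Failed" case.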
Line 63: Line 134:
     function sanboot ( $label, $root_path ) {     function sanboot ( $label, $root_path ) {
       label ( $label );       label ( $label );
-      echo " ​ kernel ​cmd.c32\n";​+      echo " ​ kernel ​gpxecmd.c32\n";​
       echo " ​ append sanboot "​.$root_path."​\n";​       echo " ​ append sanboot "​.$root_path."​\n";​
       echo "​\n";​       echo "​\n";​
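Review bot: the rename to `gpxecmd.c32` is correct, but this helper now only works when PXELINUX was itself chainloaded by gPXE (the "vesamenu.c32 current" path added above), since `gpxecmd.c32` needs a resident gPXE to hand the `sanboot` command to; under a stock PXELINUX boot the generated entries fail, so document that dependency beside `sanboot()`. Also note that `$root_path` is echoed unescaped into the PXELINUX config; it is server-supplied here, which is fine, but a one-line comment that it must never come from request input would stop a later copy of this helper from becoming a config-injection point.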
Line 79: Line 150:
       echo " ​ menu label Authentication Failed\n";​       echo " ​ menu label Authentication Failed\n";​
       echo " ​ menu disable\n";​       echo " ​ menu disable\n";​
-      uriboot ( "Try again",​ "menu.gpxe", ""​ );+      uriboot ( "Try again",​ "boot.php", ""​ );
     }     }
     ​     ​
Line 164: Line 235:
     label item1     label item1
       menu label ^1 MS-DOS 6.22       menu label ^1 MS-DOS 6.22
-      kernel ​cmd.c32+      kernel ​gpxecmd.c32
       append sanboot iscsi:​chipmunk.tuntap::::​iqn.2007-07.chipmunk:​msdos622       append sanboot iscsi:​chipmunk.tuntap::::​iqn.2007-07.chipmunk:​msdos622
     ​     ​
     label item2     label item2
       menu label ^2 Windows 2k3       menu label ^2 Windows 2k3
-      kernel ​cmd.c32+      kernel ​gpxecmd.c32
       append sanboot iscsi:​chipmunk.tuntap::::​iqn.2007-07.chipmunk:​win2k3       append sanboot iscsi:​chipmunk.tuntap::::​iqn.2007-07.chipmunk:​win2k3
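Review bot: these `sanboot iscsi:chipmunk.tuntap::::iqn...` targets carry no CHAP secret because gPXE reuses the `login` username and password as the iSCSI CHAP credentials and then passes them to the OS via the iBFT (as the next hunk says); that is the single sign-on the page is after, but it means the target must actually require CHAP, otherwise anyone who can reach chipmunk.tuntap can `sanboot` by IQN without ever seeing the menu. Worth stating next to the example entries.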
     ​     ​
Line 188: Line 259:
 The credentials do get passed to the loaded OS via the iBFT, so we get single sign-on through to the iSCSI runtime stage for free. The credentials do get passed to the loaded OS via the iBFT, so we get single sign-on through to the iSCSI runtime stage for free.
  
-For extra bonus points, it would be possible to write a Windows driver (very similar in structure to [[http://​git.etherboot.org/?​p=sanbootconf.git;​a=summary|sanbootconf]]) that would pick up the username and password from the iBFT, and store them in the registry as the autologon credentials;​ this would give you single sign-on right through to the desktop. ​ The relevant registry entries are all found in //​HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon//,​ and should be set as follows:+For extra bonus points, it would be possible to write a Windows driver (very similar in structure to [[:​sanbootconf|sanbootconf]]) that would pick up the username and password from the iBFT, and store them in the registry as the autologon credentials;​ this would give you single sign-on right through to the desktop. ​ The relevant registry entries are all found in //​HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon//,​ and should be set as follows:
  
   * //​DefaultUserName//​ - set to user name from iBFT   * //​DefaultUserName//​ - set to user name from iBFT
Line 196: Line 267:
   * //​AutoAdminLogon//​ - set to 1   * //​AutoAdminLogon//​ - set to 1
  
-  * //​AutoLogonCount//​ - set to 1, so that Windows erases the credentials from the registry as soon as they have been used+  * //​AutoLogonCount//​ - set to 1, so that Windows erases((Hopefully Windows will erase the credentials. ​ If it doesn'​t then this single sign-on approach would be a really bad idea, since the //​Winlogon//​ key is by default readable by all users on the system.)) ​the credentials from the registry as soon as they have been used.
  
 +Note that Windows imposes a minimum password length of 12 characters, and a maximum of 16 characters, for iSCSI authentication;​ this scheme will silently break unless your password policy enforces an appropriate min/max password length of 12<​-->​16 characters.
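Review bot: the new footnote leaves the security-critical question open ("Hopefully Windows will erase"), and a driver that writes the user's password as a plaintext `DefaultPassword` REG_SZ under `Winlogon` should not rely on hope, since the footnote itself notes that key is readable by every local user. The safer design, and what the Sysinternals Autologon tool does, is to store the password as the `DefaultPassword` LSA secret rather than the registry value; say so here rather than proposing the registry write. The added 12 to 16 character limit is the Microsoft iSCSI initiator's constraint on the CHAP secret, and because this scheme uses one credential as both the web login and the CHAP secret, the note should make clear the limit applies to every user's password, not just to an iSCSI-specific secret.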
