Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
appnotes:authmenus [2009/02/25 01:16] mcb30 |
appnotes:authmenus [2013/03/04 15:34] (current) genec Fix cmd.c32 -> gpxecmd.c32 |
||
---|---|---|---|
Line 13: | Line 13: | ||
SSLRequireSSL | SSLRequireSSL | ||
- | and a file "boot.php" containing | + | You must choose between being able to load vesamenu.c32 directly and loading the current version of vesamenu.c32. |
+ | ==== vesamenu.c32 current ==== | ||
+ | The current version of vesamenu.c32 can not be loaded directly from gPXE and requires PXELINUX as an intermediate layer. You will need two PHP files, a boot.php containing | ||
- | <?php | + | <?php |
- | + | ||
- | header ( 'Content-type: text/plain' ); | + | header ( "Content-type: text/plain" ); |
- | + | echo "#!gpxe\n"; | |
- | echo "#!gpxe\n"; | + | |
- | echo "imgfree\n"; | + | $proto = "https"; |
- | echo "login\n"; | + | // Comment out/remove the following if strictly using HTTPS |
- | echo "kernel -n menu ". | + | if (!isset($_SERVER["HTTPS"])) |
- | "https://${username:uristring}:${password:uristring}@". | + | $proto = "http"; |
- | $_SERVER["SERVER_NAME"]. | + | |
- | dirname ( $_SERVER["REQUEST_URI"] ). | + | // This assigns the host that gPXE should use using the most logical variables |
- | "/vesamenu.c32 menu.php\n"; | + | if ( $_SERVER["HTTP_HOST"] != "" ) { |
- | echo "boot menu\n"; | + | $host=$_SERVER["HTTP_HOST"]; |
- | ?> | + | } else { |
+ | if ( $_SERVER["SERVER_NAME"] != 0) { | ||
+ | $host=$_SERVER["SERVER_NAME"]; | ||
+ | } else { | ||
+ | $host=$_SERVER["SERVER_ADDR"]; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | // Comment out/remove the following if you are running on a standard port | ||
+ | if (!((! isset($_SERVER["HTTPS"]) ) && ($_SERVER["SERVER_PORT"] == 80)) | ||
+ | && !(isset($_SERVER["HTTPS"]) && ($_SERVER["SERVER_PORT"] == 443)) ){ | ||
+ | if (strrpos($host, ":") == FALSE) | ||
+ | $host=$host.":".$_SERVER["SERVER_PORT"]; | ||
+ | } | ||
+ | |||
+ | $uri=$_SERVER["REQUEST_URI"]; | ||
+ | $dir=substr ( $uri, 0, strrpos ($uri, "/") + 1); | ||
+ | |||
+ | echo "#!gpxe\n"; | ||
+ | echo "imgfree\n"; | ||
+ | echo "login\n"; | ||
+ | echo "set 209:string bootcfg.php\n"; | ||
+ | echo "set 210:string ". | ||
+ | $proto."://\${username:uristring}:\${password:uristring}@". | ||
+ | $host.$dir."\n"; | ||
+ | echo "chain \${210:string}pxelinux.0\n"; | ||
+ | ?> | ||
+ | |||
+ | and a bootcfg.php containing | ||
+ | |||
+ | <?php | ||
+ | |||
+ | header ( "Content-type: text/plain" ); | ||
+ | |||
+ | echo "UI runmenu\n\n"; | ||
+ | echo "LABEL runmenu\n"; | ||
+ | echo "COM32 vesamenu.c32\n"; | ||
+ | echo "APPEND menu.php\n"; | ||
+ | ?> | ||
+ | |||
+ | Selecting this method will require that you use gpxecmd.c32 to execute gPXE commands and scripts. | ||
+ | ==== vesamenu.c32 directly ==== | ||
+ | You will need a file "boot.php" containing | ||
+ | |||
+ | <?php | ||
+ | |||
+ | header ( "Content-type: text/plain" ); | ||
+ | |||
+ | $uri=$_SERVER["REQUEST_URI"]; | ||
+ | $dir=substr ( $uri, 0, strrpos ($uri, "/") + 1); | ||
+ | |||
+ | echo "#!gpxe\n"; | ||
+ | echo "imgfree\n"; | ||
+ | echo "login\n"; | ||
+ | echo "chain ". | ||
+ | "https://\${username:uristring}:\${password:uristring}@". | ||
+ | $_SERVER["HTTP_HOST"].$dir. | ||
+ | "vesamenu.c32 menu.php\n"; | ||
+ | ?> | ||
+ | |||
+ | In order to use vesamenu.c32 directly from gPXE, you must use Syslinux-3.86 from [[http://www.kernel.org/pub/linux/utils/boot/syslinux/3.xx/]] and not the latest version. | ||
+ | ==== Setup part 1 continued ==== | ||
Configure your DHCP server to hand out //boot.php// as the boot file, using something like (for ISC dhcpd)((If you are using PXE-chaining, you may want to investigate the various methods for avoiding infinite loops described in the [[:pxechaining|PXE chainloading]] HowTo.)): | Configure your DHCP server to hand out //boot.php// as the boot file, using something like (for ISC dhcpd)((If you are using PXE-chaining, you may want to investigate the various methods for avoiding infinite loops described in the [[:pxechaining|PXE chainloading]] HowTo.)): | ||
filename "https://my.web.server/boot/boot.php"; | filename "https://my.web.server/boot/boot.php"; | ||
- | Download the latest //syslinux// tarball from [[http://www.kernel.org/pub/linux/utils/boot/syslinux/]] and build it. Copy the files //com32/menu/vesamenu.c32// and //com32/modules/cmd.c32//((At the time of writing, //cmd.c32// is not yet integrated into a //syslinux// release; you will need to apply the patch from [[http://rom.etherboot.org/share/mcb30/syslinux-cmd.patch]] before building //syslinux//, or just grab the prebuilt //cmd.c32// binary from [[http://rom.etherboot.org/share/mcb30/cmd.c32]].)) into the "boot" directory on the web server. | + | Download the latest //syslinux// tarball from [[http://www.kernel.org/pub/linux/utils/boot/syslinux/]] and extract it. Copy the files //com32/menu/vesamenu.c32// and //com32/modules/gpxecmd.c32// into the "boot" directory on the web server. |
===== Setup (interesting part) ===== | ===== Setup (interesting part) ===== | ||
Line 46: | Line 109: | ||
<?php | <?php | ||
| | ||
- | header ( 'Content-type: text/plain' ); | + | header ( "Content-type: text/plain" ); |
| | ||
$username = $_SERVER["PHP_AUTH_USER"]; | $username = $_SERVER["PHP_AUTH_USER"]; | ||
Line 71: | Line 134: | ||
function sanboot ( $label, $root_path ) { | function sanboot ( $label, $root_path ) { | ||
label ( $label ); | label ( $label ); | ||
- | echo " kernel cmd.c32\n"; | + | echo " kernel gpxecmd.c32\n"; |
echo " append sanboot ".$root_path."\n"; | echo " append sanboot ".$root_path."\n"; | ||
echo "\n"; | echo "\n"; | ||
Line 172: | Line 235: | ||
label item1 | label item1 | ||
menu label ^1 MS-DOS 6.22 | menu label ^1 MS-DOS 6.22 | ||
- | kernel cmd.c32 | + | kernel gpxecmd.c32 |
append sanboot iscsi:chipmunk.tuntap::::iqn.2007-07.chipmunk:msdos622 | append sanboot iscsi:chipmunk.tuntap::::iqn.2007-07.chipmunk:msdos622 | ||
| | ||
label item2 | label item2 | ||
menu label ^2 Windows 2k3 | menu label ^2 Windows 2k3 | ||
- | kernel cmd.c32 | + | kernel gpxecmd.c32 |
append sanboot iscsi:chipmunk.tuntap::::iqn.2007-07.chipmunk:win2k3 | append sanboot iscsi:chipmunk.tuntap::::iqn.2007-07.chipmunk:win2k3 | ||
| | ||
Line 196: | Line 259: | ||
The credentials do get passed to the loaded OS via the iBFT, so we get single sign-on through to the iSCSI runtime stage for free. | The credentials do get passed to the loaded OS via the iBFT, so we get single sign-on through to the iSCSI runtime stage for free. | ||
- | For extra bonus points, it would be possible to write a Windows driver (very similar in structure to [[http://git.etherboot.org/?p=sanbootconf.git;a=summary|sanbootconf]]) that would pick up the username and password from the iBFT, and store them in the registry as the autologon credentials; this would give you single sign-on right through to the desktop. The relevant registry entries are all found in //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon//, and should be set as follows: | + | For extra bonus points, it would be possible to write a Windows driver (very similar in structure to [[:sanbootconf|sanbootconf]]) that would pick up the username and password from the iBFT, and store them in the registry as the autologon credentials; this would give you single sign-on right through to the desktop. The relevant registry entries are all found in //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon//, and should be set as follows: |
* //DefaultUserName// - set to user name from iBFT | * //DefaultUserName// - set to user name from iBFT | ||
Line 204: | Line 267: | ||
* //AutoAdminLogon// - set to 1 | * //AutoAdminLogon// - set to 1 | ||
- | * //AutoLogonCount// - set to 1, so that Windows erases((Hopefully Windows will erase the credentials. If it doesn't then this single sign-on approach would be a really bad idea, since the //Winlogon// key is by default readable by all users on the system.)) the credentials from the registry as soon as they have been used | + | * //AutoLogonCount// - set to 1, so that Windows erases((Hopefully Windows will erase the credentials. If it doesn't then this single sign-on approach would be a really bad idea, since the //Winlogon// key is by default readable by all users on the system.)) the credentials from the registry as soon as they have been used. |
+ | Note that Windows imposes a minimum password length of 12 characters, and a maximum of 16 characters, for iSCSI authentication; this scheme will silently break unless your password policy enforces an appropriate min/max password length of 12<-->16 characters. |