Hi,

has anyone ever tried (or thought of) implementing some kind
of password protected menu entries? Like:

__MENU__
* Boot from local disk
* Boot remote image
* Install Linux to local disk (Password required!)
* Test Hardware (Password required!)

Yes, I know that this is not a trivial task. There are several
competing design goals:

1. The password should be required as soon as possible
   in the boot process.
2. The password should not be hardcoded in the code
3. Ideally there should be a username/password authentication
   to an external server (ldap?)
4. Remote logging would be fine

As far as I can see, it would be the best to insert a chain boot
image that does the authentication and then boots the images
which actually do the work.

Any ideas?

Thanks, Thomas

ganapathy murali krishnan
2004-Nov-22 21:55 UTC
[syslinux] PXE-Linux: password protected menus?
If you are willing to settle for one password (no username), and this
password is not a super secret one, you can do the following:

* Call menu.com with a simple hash of the "current password" (command line argument)
* Install a handler for those options which require password protection.
* The handler displays the password prompt and validates against the given hash (and cleans up after itself)
* The handler returns ACTION_VALID or ACTION_INVALID depending on whether the password checks out.
* The menu system pretends the choice was never made (if ACTION_INVALID) or actually executes the image (if ACTION_VALID)

This requires minor changes to the handler framework (handler returning a value
instead of the previous void), and can be easily accommodated.

The main question then is the security:

* Are you willing to live with the fact that the password hash will be sniffable?
* The password is specific to the service rather than the user.

- Murali

Gebhardt Thomas wrote:

>Hi,
>
>has anyone ever tried (or thought of) implementing some kind
>of password protected menu entries? Like:
>
>__MENU__
>* Boot from local disk
>* Boot remote image
>* Install Linux to local disk (Password required!)
>* Test Hardware (Password required!)
>
>Yes, I know that this is not a trivial task. There are several
>competing design goals:
>
>1. The password should be required as soon as possible
>   in the boot process.
>2. The password should not be hardcoded in the code
>3. Ideally there should be a username/password authentication
>   to an external server (ldap?)
>4. Remote logging would be fine
>
>As far as I can see, it would be the best to insert a chain boot
>image that does the authentication and then boots the images
>which actually do the work.
>
>Any ideas?
>
>Thanks, Thomas

Hi,

> * Are you willing to live with the fact that the password hash will be
>   sniffable?
> * The password is specific to the service rather than the user.

thank you very much for your suggestions. Yes this is a first step
and I can live with it for now. In a larger deployment I certainly want to
log who has installed a specific machine and when.

Thanks for your help!

Thomas
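
The handler check described in the reply above, as an added example that is not syslinux's menu code and not from either poster: the typed password is hashed, the buffer is wiped, and a missing or malformed hash argument fails closed. FNV-1a stands in for the "simple hash", and `simple_hash`, `wipe`, `parse_hash` and `password_handler` are hypothetical names; only `ACTION_VALID` and `ACTION_INVALID` come from the thread.

```c
/* Added example, not syslinux code. simple_hash (FNV-1a), wipe, parse_hash and
 * password_handler are hypothetical names; only ACTION_* come from the thread. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum action { ACTION_INVALID = 0, ACTION_VALID = 1 };

/* 32-bit FNV-1a as the stand-in "simple hash". Fast and unsalted, so a sniffed
 * value can be guessed offline; it only deters casual use of the entry. */
static uint32_t simple_hash(const char *s, size_t max) {
    uint32_t h = 2166136261u;
    for (; max-- && *s; s++)
        h = (h ^ (unsigned char)*s) * 16777619u;
    return h;
}

/* Overwrite the typed password; volatile keeps the stores from being elided. */
static void wipe(char *buf, size_t len) {
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Accept exactly 8 hex digits (constructed argument format). */
static int parse_hash(const char *arg, uint32_t *out) {
    if (!arg || strlen(arg) != 8 || strspn(arg, "0123456789abcdefABCDEF") != 8)
        return -1;
    *out = (uint32_t)strtoul(arg, NULL, 16);
    return 0;
}

/* Handler body: hash what was typed, wipe it, fail closed on a bad hash arg. */
static enum action password_handler(const char *hash_arg, char *typed, size_t len) {
    uint32_t want = 0, got = simple_hash(typed, len);
    int ok = (parse_hash(hash_arg, &want) == 0);
    wipe(typed, len);
    return (ok && got == want) ? ACTION_VALID : ACTION_INVALID;
}

/* Stand-alone driver: hash in argv[1], password on stdin; exit 0 means valid. */
int main(int argc, char **argv) {
    char typed[64] = "";
    if (argc < 2 || !fgets(typed, sizeof typed, stdin))
        return 2;
    typed[strcspn(typed, "\n")] = '\0';
    return password_handler(argv[1], typed, sizeof typed) != ACTION_VALID;
}
```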