[syslinux] problem with PXElinux and security of local LAN

Murali Krishnan Ganapathy gmurali at cs.uchicago.edu
Mon Dec 19 10:12:36 PST 2005


Here is an ideal solution. I don't know how much of this is really possible.

(1) Set your BIOS to boot from the local hard disk.
(2) Use SYSLINUX as your boot loader and run a COMBOOT program (stored on your hard disk).
(3) The COMBOOT code figures out who the DHCP server it is talking to is, and has some kind of check.
(4) If the check works out, then chain boot your PXE ROM.

First, this is essentially security by obscurity, i.e. in step (3), I am assuming that the DHCP server sends an additional string X (actually the COMBOOT code asks the DHCP server for X). There is some magic string hard-wired into the COMBOOT code, which gets encrypted using the current date as the key. If the encrypted string is X then you can trust the DHCP server. If the bad guy finds out the magic string (which is never sent over the network), then there is no security left.

It would be cool if this could be implemented. It is one real-life situation where SYSLINUX on HDD beats other boot loaders.

- Murali

Jason Keltz wrote:
> Hi.
>
> I want to use PXELinux to build a dynamic boot menu for a computer 
> lab.  Sometimes, the machines need to be in Linux mode/Windows 
> mode/allow the option of Linux/Windows.  I configured this all fine 
> with PXELinux.  My problem is really one of security.  Someone can 
> plug in a laptop with a DHCP server, and tftp server and fake a lab 
> machine to boot into any mode they desire, or even worse, they could 
> configure the local machine to boot Linux in single user mode, and 
> hence allow access to root, local ssh keys, etc.  I can't really think 
> of any easy way to solve this problem since there is no way to 
> authenticate the PXELinux instance that is loading or the 
> configuration files.   Any ideas?  A locally configured grub could do 
> the same thing, of course, but using pxelinux, I can change the 
> configuration of machines that are off so that when they come back on, 
> they are in the mode that I desire.
>
> :(
>
> Jason.
>
> _______________________________________________
> SYSLINUX mailing list
> Submissions to SYSLINUX at zytor.com
> Unsubscribe or set options at:
> http://www.zytor.com/mailman/listinfo/syslinux
> Please do not send private replies to mailing list traffic.
>
>
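The check Murali sketches above, worked through as an added example (this is not code from the thread or from the SYSLINUX project). The post says the magic string "gets encrypted using the current date as the key"; this example substitutes an HMAC keyed with the date as that keyed function, and the magic string, the date values and the server secrets are all constructed placeholders. It shows the genuine server passing the check, a rogue server that does not know the magic string failing it, and the consequence of the date key that the post implies: a value of X is only good for the day it was computed.

```python
import hmac
import hashlib
from datetime import date

# Constructed placeholder for the magic string hard-wired into the COMBOOT code.
# It is never sent over the network; only the derived X is.
MAGIC = b"example-magic-string-placeholder"


def expected_token(magic: bytes, day: str) -> str:
    """Compute X for a given day.

    The post describes X as the magic string encrypted with the current date
    as the key. This example assumes a keyed hash (HMAC-SHA256 with the date
    string as key) as that function; any keyed, non-invertible function works
    for the comparison.
    """
    return hmac.new(day.encode(), magic, hashlib.sha256).hexdigest()


def dhcp_server_answer(server_secret: bytes, day: str) -> str:
    """What a DHCP server returns when the COMBOOT code asks for X.

    A genuine server knows the magic string; a rogue server only has whatever
    secret it guessed, so it produces a different X.
    """
    return expected_token(server_secret, day)


def comboot_check(received_x: str, magic: bytes, day: str) -> bool:
    """Step (3) of the scheme: trust the server only if its X matches ours.

    compare_digest avoids leaking the match position through timing.
    """
    return hmac.compare_digest(received_x, expected_token(magic, day))


def today() -> str:
    """Date key used in a real run; tests pass a fixed day instead."""
    return date.today().isoformat()


def simulate(day: str, next_day: str) -> dict:
    """Run the three cases a defender cares about and return the outcomes."""
    genuine_x = dhcp_server_answer(MAGIC, day)
    rogue_x = dhcp_server_answer(b"guessed-secret-placeholder", day)
    return {
        # Genuine server, same day: chain boot proceeds.
        "genuine_same_day": comboot_check(genuine_x, MAGIC, day),
        # Server that does not know the magic string: check fails.
        "rogue_same_day": comboot_check(rogue_x, MAGIC, day),
        # Genuine X seen on `day` is rejected once the date key has moved on,
        # so the value is only useful for the day it was produced.
        "genuine_next_day": comboot_check(genuine_x, MAGIC, next_day),
    }


if __name__ == "__main__":
    print(simulate("2005-12-19", "2005-12-20"))
```

The dictionary from `simulate` makes the post's own caveat concrete: everything rests on the magic string staying secret, since whoever holds it can compute X for any date, and the date key only limits how long a given X stays valid.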



