[syslinux] PXE-Linux: password protected menus?

ganapathy murali krishnan gmurali at cs.uchicago.edu
Mon Nov 22 13:55:30 PST 2004


If you are willing to settle for one password (no username), and this 
password is not a super secret one, you can do the following:

* Call menu.com with a simple hash of the "current password" (command 
line argument)
* Install a handler for those options which require password protection.
* The handler displays the password prompt and validates against the 
given hash (and cleans up after itself)
* The handler returns ACTION_VALID or ACTION_INVALID depending on 
whether the password checks out.
* The menu system pretends the choice was never made (if ACTION_INVALID) 
or actually executes the image (if ACTION_VALID)

This requires minor changes to the handler framework (handler returning 
a value instead of the previous void), and can be easily accommodated. The 
main question then is the security:

* Are you willing to live with the fact that the password hash will be 
sniffable?
* The password is specific to the service rather than the user.

- Murali
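
A sketch of the handler described in the list above, as an added example that is not part of the original post and not code from the syslinux menu system. The hash function (32-bit FNV-1a standing in for the "simple hash"), the hex format of the command-line argument, the numeric values of ACTION_VALID and ACTION_INVALID, and all function names are assumptions; as the post notes, the hash is readable by anyone who can observe it on the network, so this gates a menu entry and nothing more.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Return codes named in the post; the numeric values are assumptions. */
enum { ACTION_INVALID = 0, ACTION_VALID = 1 };

/* Stand-in for the "simple hash": 32-bit FNV-1a (assumption). */
static uint32_t simple_hash(const char *s)
{
    uint32_t h = 2166136261u;
    while (*s) {
        h ^= (unsigned char)*s++;
        h *= 16777619u;
    }
    return h;
}

/* Parse the hash passed on the command line: 1 to 8 hex digits, nothing else.
   Returns 0 on success, -1 if the argument is missing or malformed. */
static int parse_expected_hash(const char *arg, uint32_t *out)
{
    size_t n = arg ? strlen(arg) : 0;
    if (n == 0 || n > 8 || strspn(arg, "0123456789abcdefABCDEF") != n)
        return -1;
    *out = (uint32_t)strtoul(arg, NULL, 16);
    return 0;
}

/* Zero the typed password through a volatile pointer so the store is kept. */
static void wipe(char *buf, size_t n)
{
    volatile char *p = buf;
    while (n--) *p++ = 0;
}

/* Handler for a protected entry. `typed` is the buffer the prompt filled in.
   Fails closed: a missing or malformed hash argument never validates. */
static int password_handler(const char *hash_arg, char *typed, size_t typed_len)
{
    uint32_t expected = 0, got;
    int have_hash = parse_expected_hash(hash_arg, &expected) == 0;
    if (typed_len == 0)
        return ACTION_INVALID;
    typed[typed_len - 1] = '\0';      /* guarantee termination */
    got = simple_hash(typed);
    wipe(typed, typed_len);           /* "cleans up after itself" */
    return (have_hash && got == expected) ? ACTION_VALID : ACTION_INVALID;
}
```

The menu would call `password_handler` only for entries marked as protected and skip execution of the image when it returns ACTION_INVALID.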

Gebhardt Thomas wrote:

>Hi,
>
>has anyone ever tried (or thought of) implementing some kind
>of password protected menu entries? Like:
>
>__MENU__
>* Boot from local disk
>* Boot remote image
>* Install Linux to local disk (Password required!)
>* Test Hardware (Password required!)
>
>Yes, I know that this is not a trivial task. There are several
>competing design goals:
>
>1. The password should be required as soon as possible
>  in the boot process.
>2. The password should not be hardcoded in the code
>3. Ideally there should be a username/password authentication
> to an external server (ldap?)
>4. Remote logging would be fine
>
>As far as I can see, it would be best to insert a chain boot
>image that does the authentication and then boots the images
>which actually do the work.
>
>Any ideas?
>
>Thanks, Thomas