[syslinux] problem with PXElinux and security of local LAN

Jason Keltz jas at cs.yorku.ca
Mon Dec 19 13:32:12 PST 2005 

Hi Murali,
I like the challenge response idea a lot, but even the other idea is 
good..  I just don't know how to implement either :(

jas.

Murali Krishnan Ganapathy wrote:
> Any kind of security protocol, will require some exchange of information 
> between the local client and the purported DHCP server, which can be 
> verified by both parties. Since this verification needs to be done prior 
> to booting into a kernel, you will have use COMBOOT like stuff to 
> implement the verification.
> 
> More detail of what I had in mind
> 
> (1) Local machine boots into SYSLINUX and runs COMBOOT code stored on 
> local machine
> (2) Local machine asks for DHCP server
> (3) Server S responds
> (4) Local machine asks S for the value of string X (can be implemented 
> as an option-string in DHCP configuration)
> (5) Local machine encrypts "MAGIC STRING" with key Current Date and 
> checks if it equals string X
> (6) If so, trust S and PXE boot from S (using the DHCP server S -- 
> identified by its MAC Address say)
> 
> Yes. Implementing something like this would require a cron job on the 
> server which changes the value of X on a daily basis (or more frequently 
> if you are more paranoid). If this is not done, the bad guy can just 
> intercept the value of X sent by the DHCP server to a client and then 
> mimic the behavior of the DHCP server in the future without knowing the 
> "MAGIC STRING".
> 
> Alternatively, if you dont like the idea of changing the configuration 
> on a regular basis, you should change the protocol to a challenge 
> response protocol, i.e. the local client generates and sends a string to 
> the server which then encrypts it using the MAGIC STRING as key and 
> sends back the result. But this cannot be acheived within the DHCP 
> framework, so the COMBOOT code will be a lot more complicated.
> 
> I guess the question you need to ask is if you want to secure your setup 
> against a casual bad guy or a person determined to hack into your 
> system. If it is the latter, you will need to implement more robust 
> measures, which unfortunately would require more complex work.
> 
> - Murali
> 
> Jason Keltz wrote:
> 
>> That solution sounds interesting albeit a bit complex for me to 
>> implement.   I'm not sure that I quite understand 3.  If the comboot 
>> code asks for a DHCP value, and that value is sent across the wire 
>> encrypted, that seems to require adjusting that code on the DHCP 
>> configuration on a regular basis as well...  further, I also wonder if 
>> it would be possible for a machine to insert itself between step 3 and 
>> 4... but definately food for thought.
>>
>> Jason.
>>
>> Murali Krishnan Ganapathy wrote:
>>
>>> Here is an ideal solution. I dont know how much of this is really 
>>> possible.
>>>
>>> (1) Set your BIOS to boot from the local hard disk.
>>> (2) Use SYSLINUX as your boot loader and run a COMBOOT code (stored 
>>> in your hard disk)
>>> (3) The COMBOOT Code figures out Who the DHCP server it is talking 
>>> to, and has some kind of check.
>>> (4) If check works out, then chain boot your PXE ROM
>>>
>>> First this is essentially security by obscurity, i.e. in step (3), I 
>>> am assuming that the DHCP server sends an additional string X
>>> (actually COMBOOT code asks the DHCP server for X). There is some 
>>> magic string hard wired into the COMBOOT code,
>>> which gets encrypted using the current date as the key. If the 
>>> encrypted string is X then you can trust the DHCP server.
>>> If the bad guy finds out the magic string (which is never sent over 
>>> the network), then there is no security left.
>>>
>>> It would be cool if this can be implemented. One real life situation 
>>> where SYSLINUX on HDD beats other boot loaders.
>>>
>>> - Murali
>>>
>>> Jason Keltz wrote:
>>>
>>>> Hi.
>>>>
>>>> I want to use PXELinux to build a dynamic boot menu for a computer 
>>>> lab.  Sometimes, the machines need to be in Linux mode/Windows 
>>>> mode/allow the option of Linux/Windows.  I configured this all fine 
>>>> with PXELinux.  My problem is really one of security.  Someone can 
>>>> plug in a laptop with a DHCP server, and tftp server and fake a lab 
>>>> machine to boot into any mode they desire, or even worse, they could 
>>>> configure the local machine to boot Linux in single user mode, and 
>>>> hence allow access to root, local ssh keys, etc.  I can't really 
>>>> think of any easy way how to solve this problem since there is no 
>>>> way to authenticate the PXELinux instance that is loading or the 
>>>> configuration files.   Any ideas?  A locally configured grub could 
>>>> do the same thing, of course, but using pxelinux, I can change the 
>>>> configuration of machines that are off so that when they come back 
>>>> on, they are in the mode that I desire.
>>>>
>>>> :(
>>>>
>>>> Jason.
>>>>
>>>> _______________________________________________
>>>> SYSLINUX mailing list
>>>> Submissions to SYSLINUX at zytor.com
>>>> Unsubscribe or set options at:
>>>> http://www.zytor.com/mailman/listinfo/syslinux
>>>> Please do not send private replies to mailing list traffic.
>>>>
>>>>
>>>
>>
>>
>

More information about the Syslinux mailing list