[syslinux] PXE and Security Issues

Nazo nazosan at gmail.com
Wed May 23 01:49:46 PDT 2007


On 5/23/07, Plaul, Markus <Markus.Plaul at vng.de> wrote:
> Hi guys,
>
> I'm about to write a project about PXE, how it works etc., but I'm stuck at
> the security thing. Well, PXE has this menu password feature using SHA-1,
> but since SHA-1 is hacked, I can't stick with it saying SHA-1 is safe,
> etc. What else could I add when it comes to network boot, PXE and
> security besides BIS? I would really appreciate some ideas or help. Thx
> in advance

SHA1 may be hacked, but you have to ask yourself just how important
this is.  Are you expecting outside hackers getting into your LAN
(perhaps with wireless?)  If so, some things such as access controls
and network encryption are a must anyway for your own safety
(encryption is a must, but my favorite option is the access control
list where you can set it such that only certain MAC addresses are
ever allowed to connect.  Most wireless routers have this option, but
I should add here that PXELinux also has the ability to do this to
some extent as well.)  If not, I have to wonder how many legitimate
users are going to be employing SHA1 encryption breaker tools just to
get past your password.  In a more normal work environment, most users
simply balk at the sight of a password, try a few basics, and give up
if they fail rather than employing password hacking methods.  Are you
providing some sort of direct access to something highly sensitive?
If so, it may be more advisable to limit that access further than just
by password.

If all else fails, there's safety in obscurity.  Make people manually
type out the full command line to get to whatever you wish to password
protect.  If it's complex enough, chances are that only those who know
exactly what to type can get in...



