Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Authentication via iPXE when using boot, chain, kernel, initrd etc.
2019-08-20, 19:55
Post: #1
Authentication via iPXE when using boot, chain, kernel, initrd etc.
My question is around authentication when using boot, chain, kernel, initrd etc. My use case is if I have an url that returns a boot image that needs an API key header or an OAuth token.

http://ipxe.org/cmd/kernel - From what I understand here, I can pass a timeout, a name, and other arguments that go straight to the image. How do I pass authentication headers?

Additionally, I have a question about best practices regarding secrets as well. What's the alternative to keeping them in the ipxe script in plaintext? I'm actually fine with that but would be useful to know best practices.
Find all posts by this user
Quote this message in a reply
2019-08-20, 22:24
Post: #2
RE: Authentication via iPXE when using boot, chain, kernel, initrd etc.
I would like to think that kernel works the same as chain, which means that:
http://ipxe.org/cmd/login

Should work for kernel as well, that is not api keys, so if you want it to be server, then you should have to have in an iPXE
that iPXE script itself could be protected from outside download by some kind of other secret or login.

Read FAQ before first post!
Are relevant ipxe.org error urls and PCIIDs included?
Visit this user's website Find all posts by this user
Quote this message in a reply
2019-08-21, 20:06
Post: #3
RE: Authentication via iPXE when using boot, chain, kernel, initrd etc.
Thanks, could you potentially point me to an example using http headers? It's not clear to me how to use them in conjunction with boot, etc.?
Find all posts by this user
Quote this message in a reply
2019-08-22, 04:59
Post: #4
RE: Authentication via iPXE when using boot, chain, kernel, initrd etc.
You can not control headers, more than via the standard http basic auth, the examples that exists is on the linked page

Read FAQ before first post!
Are relevant ipxe.org error urls and PCIIDs included?
Visit this user's website Find all posts by this user
Quote this message in a reply
2019-08-22, 08:15
Post: #5
RE: Authentication via iPXE when using boot, chain, kernel, initrd etc.
I can see the benefit to adding something similar to the curl -H parameter (add arbitrary HTTP header) to the chain command, but unsure how complicated it would be. That would allow all sorts of different interaction, including setting the Authorization header for token-based authentication.
Visit this user's website Find all posts by this user
Quote this message in a reply
2019-08-23, 21:15
Post: #6
RE: Authentication via iPXE when using boot, chain, kernel, initrd etc.
Thanks for the insights. I'm currently struggling with designing a boot system from an iPXE usb and the OS I'm loading has potentially sensitive information/ binaries on it. Do you know an example security architecture in conjunction with iPXE boot that seems to be the standard?
Find all posts by this user
Quote this message in a reply
2019-08-26, 09:18
Post: #7
RE: Authentication via iPXE when using boot, chain, kernel, initrd etc.
The most standard is basic http authentiocation as described above and on the iPXE login page,
Actual implementation on the server depends on what you are running there, but a search for ".htaccess password" would show how to set up apache for these kind of things, but there is many other ways as well.

annother option is to use iPXEs params and do a normal http POST to a webserver with a script that does the authentication.

Read FAQ before first post!
Are relevant ipxe.org error urls and PCIIDs included?
Visit this user's website Find all posts by this user
Quote this message in a reply
2019-08-27, 03:58
Post: #8
RE: Authentication via iPXE when using boot, chain, kernel, initrd etc.
Thanks, I appreciate the follow-upw on this.
Find all posts by this user
Quote this message in a reply
Post Reply 




User(s) browsing this thread: 1 Guest(s)