iPXE discussion forum
Multiple user auth for ipxe menu - possible? - Printable Version

+- iPXE discussion forum (https://forum.ipxe.org)
+-- Forum: iPXE user forums (/forumdisplay.php?fid=1)
+--- Forum: General (/forumdisplay.php?fid=2)
+--- Thread: Multiple user auth for ipxe menu - possible? (/showthread.php?tid=7350)



Multiple user auth for ipxe menu - possible? - bunoc - 2014-06-14 19:16

Hi,

On my ipxe menu i have like the following:

:test01
login || goto start
iseq ${username} testuser || goto start
iseq ${password} testpass || goto start
(and then moves on to sanhook stuff)

I use this to enforce user/pass authentication before proceeding to a sanhook statement. This is to ensure only a given user can access a given iscsi lun. So far so good, everything works as intended.

Now, the reason why i opened this forum thread is to ask if/how i can setup authentication that accepts more than 1 user.
Something around these lines:

if ((iseq ${username} testuser && iseq ${password} testpass) or ((iseq ${username} seconduser && iseq ${password} secondpass)) || goto start


Would this be possible with ipxe? If so, what would the actual command look like?

Thanks,
Bruno


RE: Multiple user auth for ipxe menu - possible? - Torgeir - 2014-06-14 22:14

Hi!

Why not use something unique for each "lun", macaddress, serialnumber or something like that.

This way, machine X can only access it's rightful "lun".

However, if you want real auth, you could use http auth, and/or a php script to accomplish this...

--
Torgeir


RE: Multiple user auth for ipxe menu - possible? - bunoc - 2014-06-15 00:49

My setup is something on the sorts of virtual desktop infrastructure; a given computer can boot multiple LUNs (depending on who is logging on on the pc); in other words, there's no mapping between a given pc and a lun. All depends on who logs in.

The contents of each LUN is actually a full windows installation (windows over iscsi).
Basically, pc pxe boots, ipxe loads and presents a menu. User chooses his own entry in the menu, ipxe asks for the user credentials and if good sanboot's the LUN that belongs to the user.

Everything works fine but what i'm looking to achieve is to add a second user/pass account (like an admin account) that the IT Team could use without having to know the user actual credentials.

If this is not something i can do with ipxe then i guess i might have to move user auth to something like a php script as you suggested; chainload into it or something. Though it would be preferred to me if i could do this with ipxe.

Thanks,
Bruno


(2014-06-14 22:14)Torgeir Wrote:  Hi!

Why not use something unique for each "lun", macaddress, serialnumber or something like that.

This way, machine X can only access it's rightful "lun".

However, if you want real auth, you could use http auth, and/or a php script to accomplish this...

--
Torgeir



RE: Multiple user auth for ipxe menu - possible? - mcb30 - 2014-06-15 12:55

(2014-06-14 19:16)bunoc Wrote:  :test01
login || goto start
iseq ${username} testuser || goto start
iseq ${password} testpass || goto start
(and then moves on to sanhook stuff)

I use this to enforce user/pass authentication before proceeding to a sanhook statement. This is to ensure only a given user can access a given iscsi lun. So far so good, everything works as intended.

It's generally not a good idea to perform authentication entirely on the client side. There's nothing preventing a random user from downloading your iPXE script and thus obtaining the entire username and password list.

iSCSI does support optional authentication via CHAP. You can use this to ensure that the iSCSI target will refuse to allow a connection without the correct username and password.

Michael