chain with "$macros" does not work anymore - Printable Version +- iPXE discussion forum (https://forum.ipxe.org) +-- Forum: iPXE user forums (/forumdisplay.php?fid=1) +--- Forum: General (/forumdisplay.php?fid=2) +--- Thread: chain with "$macros" does not work anymore (/showthread.php?tid=7437) |
chain with "$macros" does not work anymore - mvogt1 - 2014-08-28 14:19 Hello, I'm currently using gpxe 0.9.7+ and tried today the git repository. After enabling COMBOOT again I found out that the following script does not work anymore: Code: #!gpxe This works in gpxe 0.9.7+, but not in git from 22.08. Code: tcpdump -A -s 1024 shows that no authorisation is transmitted to "server.com". I suppose there is an "uri_parse" missing somewhere for the imageexec command. But I cannot figure out where. regards, Martin RE: chain with "$macros" does not work anymore - robinsmidsrod - 2014-08-31 10:11 I think the uristring encoder has been removed in recent versions of iPXE, as it should no longer be needed with the new URL parser. Do you get the same problem if you just use ${username} in your URL? Are you also sure that the username/password variables actually contain data? I'm assuming you didn't press ESC at the login prompt. What does the URL look like in your web server access log? RE: chain with "$macros" does not work anymore - mvogt1 - 2014-09-02 14:09 Hello, I have modified the script: Code: #!gpxe In the shell Code: echo "${username}" then I entered the "chain" command on the commandline. This is what I get from tcpdump Code: $.-.GET /netboot/public/menu.c32 HTTP/1.1 And afterwards the generated pxelinux menu is the one for "not authorized" case. After reading through the source I have added a "private/forbidden" section on the server with htpasswd/htaccess. The url now is: Code: chain http://${username:uristring}:${password:uristring}@server.com/private/a.txt and a.txt contains a sample pxelinux menu. The captured tcpdump now contains: Code: GET /netboot/private/a.txt HTTP/1.1 So here the Basic authorisation works, the a.txt files is delivered, after the first GET command fails with "401". As a result I would say: The old gpxe code always send the Basic Auth, reagardless if the server "needs" is or not. The new ipxe code needs a 401, before it adds the authorisation. I now have modified the php script and added a Code: if (! authenticated() ) { But now it looks that the menu.c32 is active, because it does not send the "Basic Auth" in a second attempt. There is no second attempt at all. It looks that if I'm using COMBOOT and http://${username}:${password}/ ipxe must always send the Basic Auth. Maybe this can be done as a config option? For example in a script Code: force_http_auth 1 which then sets a global setting. I think I must prepare a patch for this. regards, Martin RE: chain with "$macros" does not work anymore - sebastian - 2014-09-04 04:56 I dont Think thats is needed. Just configure your server to send a 401 everytime Authorization field is BLANK. Then you configure your PXE server to Always authenticate using some arbitary details (like username = guest, password = guest) So when iPXE is loaded for first time, it will be asked to load like http://guest:guest@server.com/menu.php This will result in iPXE firing off a blank GET request for menu.php which will be replied with a 401. Then iPXE will authenticate using guest:guest. menu.php will then reply with the "Please login yourself" menu. User authenticates. iPXE will now fire off a second blank request, which iPXE will get a 401 for. Then iPXE will fire off the request containing the auth from the user (let say username = admin, password = rootroot) If auth is incorrect, your menu.php simply returns "Your username/password is incorrect" and a new login menu. If auth is correct, your menu.php simply returns the admin menu or a chaining to a protected iSCSI resource or what you want to do. Also, dont use menu.c32 and menu.php to select between unauthenticated and authenticated requests. Instead, use only a "chain" to menu.php, and let menu.php return the content of menu.c32 when user are unauthenticated. I Think this mandatory 401 is intentional to make sure to select correctly between basic auth and digest auth. To correctly select between these, you need to Query the server for the WWW-Authenticate header to know what the server request, like a browser does. |