Threaded Mode | Linear Mode

mvogt1 · 2014-08-28, 14:19

Hello,

I'm currently using gpxe 0.9.7+ and tried today the git repository.

After enabling COMBOOT again I found out that the following script
does not work anymore:

Code:

#!gpxe

login

chain http://${username:uristring}:${password:uristring}@server.com/menu.c32 menu.php

This works in gpxe 0.9.7+, but not in git from 22.08.

Code:

tcpdump -A -s 1024

shows that no authorisation is transmitted to "server.com".
I suppose there is an "uri_parse" missing somewhere for the imageexec
command.
But I cannot figure out where.

regards,

Martin

***robinsmidsrod*** · 2014-08-31, 10:11

I think the uristring encoder has been removed in recent versions of iPXE, as it should no longer be needed with the new URL parser. Do you get the same problem if you just use ${username} in your URL? Are you also sure that the username/password variables actually contain data? I'm assuming you didn't press ESC at the login prompt. Wink

What does the URL look like in your web server access log?

mvogt1 · 2014-09-02, 14:09

Hello,

I have modified the script:

Code:

#!gpxe

login

shell

chain http://${username:uristring}:${password:uristring}@server.com/menu.c32 menu.php

In the shell

Code:

echo "${username}"

martin

echo "${password}"

test123

then I entered the "chain" command on the commandline. This is what I get from tcpdump

Code:

$.-.GET /netboot/public/menu.c32 HTTP/1.1

User-Agent: iPXE/1.0.0+ (64dc)

Host: server.com

HTTP/1.1 200 OK

Date: Tue, 02 Sep 2014 11:30:39 GMT

Server: Apache/2.2.10 (Linux/SUSE)

Last-Modified: Mon, 08 Jun 2009 11:56:03 GMT

ETag: "f5e319-dfb4-46bd4ed297ac0"

Accept-Ranges: bytes

Content-Length: 57268

Content-Type: text/plain

And afterwards the generated pxelinux menu is the one for "not authorized" case. Sad

After reading through the source I have added a "private/forbidden" section on the server
with htpasswd/htaccess.

The url now is:

Code:

chain http://${username:uristring}:${password:uristring}@server.com/private/a.txt

and a.txt contains a sample pxelinux menu.
The captured tcpdump now contains:

Code:

GET /netboot/private/a.txt HTTP/1.1

User-Agent: iPXE/1.0.0+ (64dc)

Host: server.com

HTTP/1.1 401 Authorization Required

Date: Tue, 02 Sep 2014 11:41:15 GMT

Server: Apache/2.2.10 (Linux/SUSE)

WWW-Authenticate: Basic realm="Restricted Files"

Vary: accept-language,accept-charset

Accept-Ranges: bytes

Transfer-Encoding: chunked

Content-Type: text/html; charset=iso-8859-1

Content-Language: en

User-Agent: iPXE/1.0.0+ (64dc)

Host: server.com

Authorization: Basic c2xnOnRlc3QxMjM

So here the Basic authorisation works, the a.txt files is delivered,
after the first GET command fails with "401".

As a result I would say:

The old gpxe code always send the Basic Auth, reagardless if the
server "needs" is or not.
The new ipxe code needs a 401, before it adds the authorisation.

I now have modified the php script and added a

Code:

if (! authenticated() ) {

     header ("HTTP/1.1 401 Unauthorized",TRUE,401);

     exit(0);

}

But now it looks that the menu.c32 is active, because it does not
send the "Basic Auth" in a second attempt. There is no second
attempt at all. Sad

It looks that if I'm using COMBOOT and http://${username}:${password}/
ipxe must always send the Basic Auth.
Maybe this can be done as a config option?

For example in a script

Code:

force_http_auth 1

which then sets a global setting.
I think I must prepare a patch for this.

regards,

Martin

sebastian · (This post was last modified: 2014-09-04 05:02 by sebastian.)

I dont Think thats is needed. Just configure your server to send a 401 everytime Authorization field is BLANK. Then you configure your PXE server to Always authenticate using some arbitary details (like username = guest, password = guest)

So when iPXE is loaded for first time, it will be asked to load like http://guest:guest@server.com/menu.php
This will result in iPXE firing off a blank GET request for menu.php which will be replied with a 401.
Then iPXE will authenticate using guest:guest. menu.php will then reply with the "Please login yourself" menu.
User authenticates.
iPXE will now fire off a second blank request, which iPXE will get a 401 for.
Then iPXE will fire off the request containing the auth from the user (let say username = admin, password = rootroot)

If auth is incorrect, your menu.php simply returns "Your username/password is incorrect" and a new login menu.
If auth is correct, your menu.php simply returns the admin menu or a chaining to a protected iSCSI resource or what you want to do.

Also, dont use menu.c32 and menu.php to select between unauthenticated and authenticated requests.
Instead, use only a "chain" to menu.php, and let menu.php return the content of menu.c32 when user are unauthenticated.

I Think this mandatory 401 is intentional to make sure to select correctly between basic auth and digest auth. To correctly select between these, you need to Query the server for the WWW-Authenticate header to know what the server request, like a browser does.