7 comments

[ 3.3 ms ] story [ 14.2 ms ] thread
Hot dog this is excellent. PXE/Kickstart servers are something I'm sick of implementing over and over at home and work. I can't wait to try this out.
That was exactly my reaction when I read it: "Maybe I'll never have to setup netbooting ever again!"
I know the author of this; he's a good hacker. He also happens to be the author of LOLCode.NET :-)
Wow, what a great tool. Are there any security concerns?
I don't see why this is modded down. /menu.gpxe seems to be the entry point. Looking at that page shows us that /menu.cfg is the next hop, which points directly to kernel inages, such as /3018/boot.gpxe. I don't see anything that would allow you to authenticate netboot.me in these files, and given the recent null-prefix flaws in SSL (linked from http://www.thoughtcrime.org/software/sslsniff/), I wouldn't feel confident that the netboot code has got SSL implemented correctly, if it's even used for netboot.me. I would consider MITM attacks on netboot.me to be worthy of investigation before using netboot.me, especially if they add WiFi support.

The gPXE security page (http://www.etherboot.org/wiki/safebootmode) seems to indicate that security for gPXE in general is a work in progress.

MitM attacks are a legitimate concern. I have an open bug to implement straightforward RSA signing of menu responses, with validation in the gPXE code, as well as to have gPXE hash check downloaded images. The reason I don't simply want to use SSL is because I don't trust gPXE's SSL implementation - you wouldn't either if you'd seen it - or my ability to fix it properly.
Don't forget to sign the hashes.