Modify the ipxe Advanced login menu

DBCountMan

We have it set up where during the ipxe boot process, we are prompted to press ESC to load the FOG menu, otherwise the PC will boot to the first drive. Once we press ESC we are greeted with this login screen. I want to know where the source is for this menu so I can add some text for some end users that may accidentally land at this page. Like “echo Press CTRL+ALT+DEL to exit” or “reboot”.

Sebastian Roth

@brakcounty Unfortunately it’s not as easy to add text to this screen because it’s the plain login command iPXE provides: https://ipxe.org/cmd/login

DBCountMan

@sebastian-roth It seems like I can put an echo command somewhere

  login
  echo Hello ${username}

But I don’t know where. The /var/www/fog/service/ipxe/boot.php file is what loads this menu right?

Junkhacker

@brakcounty that would not alter that screen. that would display “Hello <contents of first field>” on the next screen after hitting enter

DBCountMan

@junkhacker Ah okay. So the text on that screen are baked into a file somewhere right? The ipxe.efi image?

george1421

@brakcounty Understand I’m not a programmer so the info I might give you could be wrong. But what you see there on the screen is being displayed by ipxe with its logon command. So iPXE has control of the screen at this moment.

This is the ipxe script that is executing to create the screen above.

#!ipxe
clear username
clear password
login
params
param username ${username}
param password ${password}
chain ${boot-url}/service/ipxe/advanced.php##params

The login command instructs iPXE to display that screen. It may not be possible to display anything on this screen from the FOG perspective.

To test to see if its possible, I might adjust the above script as

clear username
clear password
echo FOG is Cool
login
params
param username ${username}
param password ${password}
chain ${boot-url}/service/ipxe/advanced.php##params

Create a new FOG iPXE menu item and add that (above script) in the parameter block. When you pxe boot and select that test menu item does it display FOG is Cool on the login page or does FOG is Cool get erased by the login page?

If it works and the FOG is Cool text is displayed I’ll give you instructions on how to tweak the FOG code to is added.

DBCountMan

@george1421 No dice. Didn’t see the echo’d text. This suggestion might complicate things, but what if before loading that login menu, we load another custom menu, that warns the user that “This menu is for IT only, if you are not authorized, please wait 5 seconds until Windows boots…” then from there chain the login page. That’s a stretch I know, but we are beginning to explore making FOG accessible from other VLANs and departments to make our lives easier. Better than bringing a drive or a whole PC back to the shop to reimage it. I may be overthinking this, because even some of my collegues miss the “press ESC to load FOG” prompt during the initial PXE boot, so this might not even be necessary as most people will overlook it.

george1421

@brakcounty I think you are close to a solution.

Simply in fog set your advanced menu to an intro menu. That intro menu will say exactly that this page is for IT only if they wait it will then boot into the OS, if they make the menu selection for IT only they will be prompted to login, the login will then get them to the real ipxe advanced menu.

So if you want to reverse engineer how the FOG menus work (will be a good template for you to start with) just call the ipxe menu with a browser http://<fog_server_ip>/fog/service/boot.php?mac=00:00:00:00:00:00 That will send the text behind the ipxe menu to your browser.

With that said I just had a new/different idea. Lets create a new iPXE menu entry, it will function as the gateway into the Advanced menu. (understand I did not debug this only glued the bits together.

clear username
clear password
prompt --key y --timeout 5000 For IT Only, press 'y' to enter the secret IT cave && login || goto fog.local
params
param username ${username}
param password ${password}
chain ${boot-url}/service/ipxe/advanced.php##params

This will display a prompt for 5 seconds, if the user presses y then they will be prompted to login otherwise it will exit to boot to the hard drive.

You could also chain to a ipxe script on the fog server and just not mess with the advanced option in fog. The advanced menu basically puts the login front end in front of the ipxe menu you added to the advanced field in fog.

DBCountMan

@george1421 said in Modify the ipxe Advanced login menu:

clear username
clear password
prompt --key y --timeout 5000 For IT Only, press ‘y’ to enter the secret IT cave && login || goto fog.local
params
param username ${username}
param password ${password}
chain ${boot-url}/service/ipxe/advanced.php##params

This ipxe menu entry worked, but only after I logged in via that blue advanced login page. Its alright, there is also a timeout on that blue login, so if an end-user accidentally goes there, they’ll just call our helpdesk, and we handle it from there moving forward.

george1421

@brakcounty In the web configuration disable the advanced menu login setting. You are now doing this via your custom menu. BUT its also possible that it might just accept any value for the user ID and password.

DBCountMan

@george1421 Right. I won’t mess with it since we have it set up and working.