
    Posts

    • RE: Modify the ipxe Advanced login menu

      @george1421 said in Modify the ipxe Advanced login menu:

        clear username
        clear password
        prompt --key y --timeout 5000 For IT Only, press 'y' to enter the secret IT cave && login || goto fog.local
        params
        param username ${username}
        param password ${password}
        chain ${boot-url}/service/ipxe/advanced.php##params

      This ipxe menu entry worked, but only after I logged in via that blue advanced login page. It’s alright, there is also a timeout on that blue login, so if an end-user accidentally goes there, they’ll just call our helpdesk, and we handle it from there moving forward.

      posted in FOG Problems
      DBCountMan
    • RE: Modify the ipxe Advanced login menu

      @george1421 No dice. Didn’t see the echo’d text. This suggestion might complicate things, but what if before loading that login menu, we load another custom menu, that warns the user that “This menu is for IT only, if you are not authorized, please wait 5 seconds until Windows boots…” then from there chain the login page. That’s a stretch I know, but we are beginning to explore making FOG accessible from other VLANs and departments to make our lives easier. Better than bringing a drive or a whole PC back to the shop to reimage it. I may be overthinking this, because even some of my colleagues miss the “press ESC to load FOG” prompt during the initial PXE boot, so this might not even be necessary as most people will overlook it.

      posted in FOG Problems
      DBCountMan
    • RE: Modify the ipxe Advanced login menu

      @junkhacker Ah okay. So the text on that screen is baked into a file somewhere right? The ipxe.efi image?

      posted in FOG Problems
      DBCountMan
    • RE: Modify the ipxe Advanced login menu

      @sebastian-roth It seems like I can put an echo command somewhere

        login
        echo Hello ${username}
      

      But I don’t know where. The /var/www/fog/service/ipxe/boot.php file is what loads this menu right?

      posted in FOG Problems
      DBCountMan
    • Modify the ipxe Advanced login menu

      We have it set up where during the ipxe boot process, we are prompted to press ESC to load the FOG menu, otherwise the PC will boot to the first drive. Once we press ESC we are greeted with this login screen. I want to know where the source is for this menu so I can add some text for some end users that may accidentally land at this page. Like “echo Press CTRL+ALT+DEL to exit” or “reboot”.
      Screenshot from 2022-05-05 10-56-29.png

      posted in FOG Problems
      DBCountMan
    • Secure FOG's NFS share

      Just wondering if there is a way to secure the NFS share on the FOG server. I can mount from just about any Linux system without credentials. I’m pretty sure there is an app for Windows that can mount NFS shares. Even though the images are in the IMG format and can’t exactly be browsed easily, anyone with the know-how and proper tools can download them and access the contents of the images.

      posted in General
      DBCountMan
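
An added example, not part of the original post or of FOG: a small audit of /etc/exports syntax that flags the condition described above, an export that any host can mount without credentials. The sample file, its paths and the 10.0.0.0/24 subnet are constructed for illustration.

```python
import ipaddress

# Constructed sample in /etc/exports syntax; paths and subnet are assumptions.
SAMPLE_EXPORTS = """\
# image store, reachable by every host that can route to the server
/images      *(ro,sync,no_subtree_check,no_root_squash,insecure)
/images/dev  (rw,async,no_root_squash)
# restricted to one imaging subnet
/images/lab  10.0.0.0/24(ro,sync,no_subtree_check)
"""

def parse_exports(text):
    """Return (path, client, options) for every client entry in the file."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = raw.split("#", 1)[0].split()            # drop comments
        if not fields:
            continue
        path, specs = fields[0], fields[1:]
        for spec in specs:
            if spec.startswith("-"):   # "-opts" sets line defaults, not a client
                continue
            client, _, opts = spec.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            # "(opts)" with no client name in front applies to any host
            entries.append((path, client or "*", options))
    return entries

def is_world(client):
    """True when the client field matches every host."""
    if client == "*":
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen == 0
    except ValueError:  # hostname, wildcard name or netgroup
        return False

def audit_exports(text):
    """Return (path, client, issues) for each entry with a risky setting."""
    findings = []
    for path, client, options in parse_exports(text):
        issues = []
        if is_world(client):
            issues.append("any host may mount")
            if "rw" in options:
                issues.append("world-writable")
        if "no_root_squash" in options:
            issues.append("remote root keeps root")
        if "insecure" in options:
            issues.append("unprivileged source ports accepted")
        if issues:
            findings.append((path, client, issues))
    return findings
```

Limiting the client field to an imaging subnet narrows who can mount the share, but it is host-based trust rather than authentication.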
    • RE: Possible to secure /var/www/* ipxe boot contents?

      @george1421 said in Possible to secure /var/www/* ipxe boot contents?:

      apache stop file browsing

      Yes I will place this here to save a search for anyone who stumbles upon this post.
      https://www.vultr.com/docs/how-to-disable-directory-browsing-on-apache/

      posted in General
      DBCountMan
    • Possible to secure /var/www/* ipxe boot contents?

      I have a couple of ipxe items and their contents reside in /var/www. I noticed that I can browse to those web shares without authentication. I know FOG needs them shared, but I thought the FOG ipxe kernel is already authenticated. Is there a way to block web browsing to these specific shares and only allow access via FOG pxe?

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      @sebastian-roth Where do I “use --recreate-CA and --recreate-keys keys” switches? Like this?
      .\installfog.sh --recreate-CA --recreate-keys?

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      @george1421 Actually since I added a standard boot.wim file from a Windows install disc, pxe booting works as it did before we disabled PXE on the WDS server. Now it’s just a matter of finding the original custom boot.wim we had in place. Then we can move on to modifying the os.WDS-Boot parameters to make it work from FOG. If I remember correctly, FOG also works with the autoboot command. I remember I saw this when I was experimenting at the ipxe shell from a remote location when I loaded ipxe from USB. I typed autoboot and since the next-server was predefined as my FOG IP, it loaded FOG.

      As far as finding the efi file, I did find it. I see this error now followed by two No such file or directory errors when attempting to load from the FOG menu:
      tftp://wds ip/SMSBoot/x64/wdsmgfw.efi…Error 0x3d126083

      Followed the link and it is “Error: Inappropriate I/O control operation”.

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      So while the script @george1421 made in that post didn’t work right and threw errors, I have FOG scripted to allow to drop to shell if an error occurs. Once I got into the shell, I just typed “autoboot” and hit enter. I then got prompted to press Enter to boot WDS. Then it stopped here. I think I still have to define a boot.wim on the WDS Properties. But I feel like I am getting closer. I could just throw in the “autoboot” command under the FOG’s ipxe item setting parameters.
      VirtualBox_Test64_18_04_2022_15_27_17.png

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      I think when we disabled PXE on the WDS it also removed everything else that made it work. I think that includes the proxyDHCP service. Our prod DHCP server had our WDS server’s IP listed as DHCP Relay. But I don’t think we still need PXE if we chain from FOG.

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      @george1421 We just re-enabled PXE on the SCCM server so it takes a minute to reinstall the features. I was going to run Wireshark to see what is being requested from where. I did that testing ipxe in my lab and found out that ipxe requests autoexec.ipxe if you don’t embed or specify a menu file. Learn something new every day.

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      Actually found the files but it keeps saying the same error message. I corrected the path in the script. We disabled the PXE service on the SCCM server, so I am wondering if that also disabled TFTP which is why the files can’t be found.

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      @george1421
      Just tested it with my USB boot method to load ipxe in a vm, the menu item was present but when I tried to boot it, I got this error:
      Screenshot from 2022-04-16 13-01-21.png

      These are the parameters I have set as per your post:

        set next-server our SCCM server

        iseq ${platform} efi && goto is_wds_efi || goto is_wds_bios

        :is_wds_efi
        set wds-bootfile \boot\x64\wdsmgfw.efi
        goto wds_boot

        :is_wds_bios
        set wds-bootfile \boot\x64\wdsnbp.com

        :wds_boot
        set filename ${wds-bootfile}
        set net0.dhcp/filename ${wds-bootfile}
        set proxydhcp/filename ${wds-bootfile}
        chain tftp://${next-server}${wds-bootfile} || goto Menu

      After looking at the folder structure, I see a folder that our sysadmin set up that has a folder called Boot, but no file called “wdsmgfw.efi” exists.

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      @george1421 Would it be easier to re-run the FOG setup script and just change the FOG IP and disable DHCP? I could also define our existing DHCP server during the setup.

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      @george1421 Yes and there is also the nfs server that would have to bind to the other interface. Looking at the boot.php I see the “set fog-ip 10.0.0.10” string. I’d have to change any instance of “10.0.0.10” to my prod network interface IP address. Or is it not that simple?

      EDIT: So NFS isn’t affected. I just mounted my FOG’s NFS share via prod interface.

      posted in General
      DBCountMan
    • RE: Idea: Two "next-servers" coexisting on the same vlan

      @george1421 Yeah I’ll just keep the FOG server as the primary PXE server. Question though: Since my primary FOG server has two interfaces in use, one for imaging (offline imaging switch) the other for management (prod network), I’d have to first disable DHCP and I’d have to tell dnsmasq to serve tftp on the prod interface right?

      posted in General
      DBCountMan