

Netboot.me - Turning netboot into internetboot - gdp
http://blog.notdot.net/2009/8/netbootme-Turning-netboot-into-internetboot

======
iigs
Hot dog this is excellent. PXE/Kickstart servers are something I'm sick of
implementing over and over at home and work. I can't wait to try this out.

~~~
gdp
That was exactly my reaction when I read it: "Maybe I'll never have to set up
netbooting ever again!"

------
chadaustin
Wow, what a great tool. Are there any security concerns?

~~~
swolchok
I don't see why this is modded down. /menu.gpxe seems to be the entry point.
Looking at that page shows us that /menu.cfg is the next hop, which points
directly to kernel images, such as /3018/boot.gpxe. I don't see anything that
would allow you to authenticate netboot.me in these files, and given the
recent null-prefix flaws in SSL (linked from
<http://www.thoughtcrime.org/software/sslsniff/>), I wouldn't feel confident
that the netboot code has got SSL implemented correctly, _if_ it's even used
for netboot.me. I would consider MITM attacks on netboot.me to be worthy of
investigation before using netboot.me, especially if they add WiFi support.

The gPXE security page (<http://www.etherboot.org/wiki/safebootmode>) seems to
indicate that security for gPXE in general is a work in progress.

~~~
arachnid
MitM attacks are a legitimate concern. I have an open bug to implement
straightforward RSA signing of menu responses, with validation in the gPXE
code, as well as to have gPXE hash check downloaded images. The reason I don't
simply want to use SSL is because I don't trust gPXE's SSL implementation -
you wouldn't either if you'd seen it - or my ability to fix it properly.

~~~
swolchok
Don't forget to sign the hashes.
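
The design discussed in the comments above (a signed menu response that carries the image hashes, so the hash check is anchored to the signature), sketched as an added example that is not part of the original thread or of netboot.me/gPXE code. The JSON menu format, the function names, the image bytes and the demo key are assumptions; the key is built from publicly known primes and is not secure.

```python
import hashlib, json

# Constructed demo key, NOT secure: the primes are the public Mersenne primes
# 2**521-1 and 2**607-1, used only so the example runs offline with the stdlib.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, held by the server
K = (N.bit_length() + 7) // 8           # modulus length in bytes
SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(msg):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), returned as an integer."""
    t = SHA256_DI + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign_menu(entries):
    """Server: serialise {path: sha256 hex} and sign those exact bytes."""
    body = json.dumps(entries, sort_keys=True).encode()
    return body, pow(_encode(body), D, N)

def verify_menu(body, sig):
    """Client: hand back the hash table only if the signature covers it."""
    if not 0 < sig < N or pow(sig, E, N) != _encode(body):
        raise ValueError("menu signature invalid")
    return json.loads(body)

def check_image(trusted, path, data):
    """Client: accept an image only if it matches the signed hash."""
    return trusted.get(path) == hashlib.sha256(data).hexdigest()

def unsigned_hash_check(data, sidecar_hash):
    """Weak variant: the hash arrives beside the image, outside any signature."""
    return hashlib.sha256(data).hexdigest() == sidecar_hash

def demo():
    good, evil = b"constructed kernel image", b"constructed tampered image"
    h = lambda b: hashlib.sha256(b).hexdigest()
    path = "/3018/boot.gpxe"             # path quoted in the thread
    body, sig = sign_menu({path: h(good)})
    trusted = verify_menu(body, sig)
    forged = body.replace(h(good).encode(), h(evil).encode())
    try:
        verify_menu(forged, sig); swapped_hash = True
    except ValueError:
        swapped_hash = False             # rewritten hash breaks the signature
    return {"genuine": check_image(trusted, path, good),
            "swapped_image": check_image(trusted, path, evil),
            "swapped_hash": swapped_hash,
            "unsigned_sidecar": unsigned_hash_check(evil, h(evil))}
```

`demo()` shows that a hash check alone passes for a replaced image when the hash travels unsigned, while the signed menu rejects both a replaced image and a rewritten hash.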

------
dfranke
I know the author of this; he's a good hacker. He also happens to be the
author of LOLCode.NET :-)

