Booting over the network to install the system (improved, with iPXE instead of PXE)

A few months ago, I provided my setup using pxelinux, isc-dhcpd and tftpd-hpa to make booting over the LAN possible. I improved this setup to chainload iPXE instead. I’m not interested in overwriting the ROMs of the ethernet devices I have, so I still use PXE, but only in order to get to iPXE, which is way more powerful, as it allows direct access over http and much more.

The README in my PXE directory explains the whole (quite short actually) install from scratch process. If you had the previous version running, note that the DHCPD configuration and update script changed (and the case of subdirectories changed too).

Providing temporary password access over http

I’m not exactly proud of this one in many regards (security, for instance), but it was actually something needed by a relative who, from time to time, goes to some random shop to print PDFs. Having to put them on a device like a USB key or hard disk is something of a nuisance, especially when your own workstation is behind a static IP.

The way it works is that it asks you for a password. If you have none, then it’ll send you a random one by mail. This password will be erased after an hour.

Security notes: this could be subject to packet sniffing, so I don’t suggest using it as it is for any sensitive data. It can easily be improved with regard to security depending on the end user you’re targeting; in my case it had to remain as basic as possible. It logs everything, so fail2ban and other tools can easily be set in motion.

It’s composed of a Perl script, a cronjob and an nginx example config file. The Perl script will ask the user for a valid user name and set up the temporary access accordingly. The cronjob will be used to reset passwords. The sample nginx config shows how to run the Perl script as the appropriate error page and provide access either by basic auth or IP.
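To make the password lifecycle concrete, here is an added sketch in Python; it is not the Perl script or cronjob from the repository. It assumes a password file used only for these temporary entries, that the issuing script and the cron job both run as the nginx user, and that the issue time is kept in the comment field nginx allows after the hash (the function names and the {SSHA} scheme are choices made for this example).

```python
import base64, hashlib, hmac, os, secrets, tempfile, time

TTL = 3600  # seconds: the one-hour lifetime described above

def ssha(password, salt=None):
    """nginx-readable {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check(password, hashed):
    """Recompute with the stored salt (bytes after the 20-byte SHA-1 digest)."""
    salt = base64.b64decode(hashed[len("{SSHA}"):])[20:]
    return hmac.compare_digest(ssha(password, salt), hashed)

def read_entries(path):
    """Return {user: (hash, issued_at)} from name:hash:comment lines."""
    entries = {}
    if os.path.exists(path):
        with open(path) as fh:
            for line in fh:
                parts = line.rstrip("\n").split(":", 2)
                if len(parts) == 3 and parts[2].isdigit():
                    entries[parts[0]] = (parts[1], int(parts[2]))
    return entries

def write_entries(path, entries):
    """Write a 0600 temp file, then rename it so nginx never sees a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        for user, (hashed, issued) in sorted(entries.items()):
            fh.write(f"{user}:{hashed}:{issued}\n")
    os.replace(tmp, path)

def issue(path, user, now=None):
    """Set a fresh random password for user; return the cleartext to mail out."""
    entries = read_entries(path)
    password = secrets.token_urlsafe(12)
    entries[user] = (ssha(password), int(time.time() if now is None else now))
    write_entries(path, entries)
    return password

def expire(path, now=None):
    """Cron entry point: drop entries older than TTL; return the removed users."""
    now = int(time.time() if now is None else now)
    entries = read_entries(path)
    fresh = {u: e for u, e in entries.items() if now - e[1] < TTL}
    write_entries(path, fresh)
    return sorted(set(entries) - set(fresh))
```

Only the salted hash is stored on disk; the cleartext exists just long enough to be mailed, and a second request for the same user replaces the earlier password instead of adding another valid one.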

Install guide from the README:

1) It assumes your nginx supports perl like in

apt-get install nginx libfcgi-perl wget
wget -O /usr/bin/
wget -O /etc/init.d/perl-fcgi
chmod +x /usr/bin/
chmod +x /etc/init.d/perl-fcgi
update-rc.d perl-fcgi defaults
insserv perl-fcgi

2) Copy and edit the nginx sample and crontab sample into the appropriate places:
– something like /etc/nginx/sites-available/transit symlinked to /etc/nginx/sites-enabled
– /etc/cron.d/transit

3) Then you must create a group named transit and add to it users that
are entitled to use this.

4) You must also make sure nginx (www-data?) can write to the directory where
you store the .passwd file. In the default case here, it’s /etc/nginx/passwd/