cobbler / koan

koan - kickstart over a network
https://koan.readthedocs.io/en/latest/
GNU General Public License v2.0

Need to add http_port to app.py #63

Open wanghaiqing2015 opened 4 years ago

wanghaiqing2015 commented 4 years ago

Port missing -> http://%s/cblr/svc/op/ks/profile

            if not self.system:
                profile_data["autoinst"] = "http://%s/cblr/svc/op/ks/profile/%s" % (
                    profile_data['http_server'], profile_data['name'])
            else:
                profile_data["autoinst"] = "http://%s/cblr/svc/op/ks/system/%s" % (
                    profile_data['http_server'], profile_data['name'])
wanghaiqing2015 commented 4 years ago

https://github.com/cobbler/koan/blob/master/koan/app.py

opoplawski commented 4 years ago

We really need to be able to support https: as well
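The following is an added example, not koan's own code, showing how the autoinst URL from the first comment could be built so that it carries the port and, if configured, an https scheme. The `http_server`, `http_port` and `name` keys mirror the `profile_data` dict in the snippet above; the `scheme` key is an assumption. The name is percent-encoded so that a profile or system name containing `/`, `?` or spaces cannot change the request path, and IPv6 hosts are bracketed.

```python
from urllib.parse import quote, urlunsplit

# Constructed example; not code from koan. Keys http_server, http_port and
# name follow the profile_data dict quoted in the issue; "scheme" is assumed.

DEFAULT_PORTS = {"http": 80, "https": 443}


def autoinst_url(profile_data, is_system=False):
    """Return the autoinstall URL including scheme, host, port and kind."""
    scheme = profile_data.get("scheme", "http")
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % (scheme,))

    host = profile_data["http_server"]
    # Bare IPv6 literals must be bracketed inside a URL authority.
    if ":" in host and not host.startswith("["):
        host = "[%s]" % host

    port = profile_data.get("http_port")
    # Drop the port when it is the scheme default so the URL stays canonical;
    # otherwise append it (accepting both int and string values).
    if port is None or int(port) == DEFAULT_PORTS[scheme]:
        netloc = host
    else:
        netloc = "%s:%d" % (host, int(port))

    kind = "system" if is_system else "profile"
    # quote() with safe="" encodes "/", "?" and "#" too, so the name cannot
    # escape the /cblr/svc/op/ks/<kind>/ path segment.
    path = "/cblr/svc/op/ks/%s/%s" % (kind, quote(profile_data["name"], safe=""))
    return urlunsplit((scheme, netloc, path, "", ""))


if __name__ == "__main__":
    # Constructed sample data, not taken from a real cobbler server.
    print(autoinst_url({"http_server": "cobbler.example", "http_port": 8080,
                        "name": "fedora-x86_64"}))
    print(autoinst_url({"http_server": "fd00::1", "http_port": "8080",
                        "scheme": "https", "name": "web01"}, is_system=True))
```

The default for `scheme` stays `http` so existing deployments keep working; switching to `https` only changes the URL, the installer side still has to verify the server certificate for it to provide any MITM protection.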

mpdehaan commented 4 years ago

While that sounds good for servers that don't offer things up over http (cobbler already did), it's important to understand the greatest security implications of a PXE network.

TFTP is already a wide open protocol and it is easy to spoof and access information for other systems. At this point, you really have to trust the network because the system could already be offering you up a fake installer, or the client could be lying about a MAC.

In short, there's no way to authenticate the https:// client so no "secret" content can be put in the kickstart, because there's no way to put a username/password in there safely.

At this point, https:// only defends against MITM, but you can already compromise the earlier stage of the install process.

I'm not sure of the level of certificate checking done by the installer these days - it might have some value for external systems - but can't be used with authentication.