Open wanghaiqing2015 opened 4 years ago
We really need to be able to support https: as well
While that sounds good for servers that don't offer things up over http (cobbler already did), it's important to understand the greatest security implications of a PXE network.
TFTP is already a wide-open protocol, and it is easy to spoof and access information for other systems. At this point, you really have to trust the network, because the system could already be offering you up a fake installer, or the client could be lying about a MAC.
In short, there's no way to authenticate the https:// client so no "secret" content can be put in the kickstart, because there's no way to put a username/password in there safely.
At this point, https:// only defends against MITM, but you can already compromise the earlier stage of the install process.
I'm not sure of the level of certificate checking done by the installer these days - it might have some value for external systems - but can't be used with authentication.
Port missing -> http://%s/cblr/svc/op/ks/profile
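The two practical points of this thread are that the kickstart URL template needs a scheme and a port slot, and that nothing fetched over the PXE path can be treated as secret because the installer cannot be authenticated. The following added example (not Cobbler's code, and not posted by anyone in this thread) shows both: a URL builder that honours scheme and a non-default port, and a scanner that flags plaintext credentials in a kickstart before it is published. The `/cblr/svc/op/ks/profile/<name>` path suffix, the function names and the sample kickstart are assumptions made for the example.

```python
"""Added example, not Cobbler project code: build a kickstart URL with scheme
and port, and scan a kickstart for credentials that must not be served
unauthenticated over PXE/HTTP(S)."""
import re
from urllib.parse import urlunsplit

# The thread's template "http://%s/cblr/svc/op/ks/profile" has no port slot;
# the trailing "/<profile>" segment is an assumption of this example.
KS_PATH_TEMPLATE = "/cblr/svc/op/ks/profile/{profile}"


def build_ks_url(server, profile, scheme="http", port=None):
    """Return the kickstart URL for `profile` on `server`.

    The port is appended only when it is not the scheme's default, so a
    Cobbler server listening on e.g. 8443 still yields a reachable URL.
    """
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    default_port = 80 if scheme == "http" else 443
    netloc = server if port in (None, default_port) else f"{server}:{port}"
    return urlunsplit((scheme, netloc, KS_PATH_TEMPLATE.format(profile=profile), "", ""))


# Directives that carry credentials. Anything the installer fetches over the
# PXE path is readable by any host on the segment that claims a MAC, so a
# plaintext credential in the kickstart is effectively public (the thread's
# point that https:// cannot protect a username/password placed here).
_PLAINTEXT_PATTERNS = [
    # rootpw without --iscrypted (and not --lock) ships the password as typed
    re.compile(r"^\s*rootpw\b(?!.*--(?:iscrypted|lock))"),
    # user --password=... without --iscrypted anywhere on the line
    re.compile(r"^\s*user\b(?!.*--iscrypted).*--password"),
    # vnc --password is always plaintext
    re.compile(r"^\s*vnc\b.*--password"),
    # userinfo credentials embedded in any URL, e.g. https://user:pw@host/...
    re.compile(r"://[^/\s:@]+:[^/\s@]+@"),
]


def find_plaintext_secrets(kickstart_text):
    """Return [(line_number, line)] for lines embedding a plaintext credential."""
    hits = []
    for number, line in enumerate(kickstart_text.splitlines(), 1):
        if any(pattern.search(line) for pattern in _PLAINTEXT_PATTERNS):
            hits.append((number, line.strip()))
    return hits


# Constructed sample kickstart for the example; not from the thread.
SAMPLE_KS = """\
# constructed sample kickstart
install
url --url=https://bob:s3cret@mirror.example.org/rhel/8
rootpw --plaintext hunter2
user --name=admin --password=changeme --groups=wheel
user --name=ops --iscrypted --password=$6$salt$hash
vnc --password=letmein
rootpw --iscrypted $6$abc$def
%packages
@core
%end
"""

if __name__ == "__main__":
    print(build_ks_url("cobbler.example", "rhel8-x86_64"))
    print(build_ks_url("cobbler.example", "rhel8-x86_64", scheme="https", port=8443))
    for number, line in find_plaintext_secrets(SAMPLE_KS):
        print(f"line {number}: plaintext credential served unauthenticated: {line}")
```

The scanner is deliberately conservative: `--iscrypted` values are allowed through, since a hashed password is what the installer expects, while anything that would let a MAC-spoofing client on the PXE segment log in elsewhere (plaintext `rootpw`, `user --password`, `vnc --password`, or `user:pass@` in a URL) is reported.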