Keeping Students from meddling with the PXE Menu


by Ryan Veety

OES Linux SP2
ZENworks 7 Linux
Windows XP workstations

PROBLEM: ZENworks preboot services does not provide password protection for PXE menu options.

SOLUTION: In my K-12 school we use ZENworks 7 on an OES Linux server for workstation
imaging. All workstations are set to PXE boot by default, making life easy
for technicians to re-image or diagnose computers. Since upgrading to ZEN
7 the ability to edit the PXE menu has saved countless hours of technicians’
time. I set up menu options to test the computer’s memory and hard drive, so
now common problems are diagnosed in the field and fixed sooner. The one
problem I’ve had is the inability to keep students out of the PXE menu.

I solved this by using PXELINUX instead of the ZENworks preboot service.

WARNING: Using this method will disable automatic workstation imaging. This
is fine for my environment but may not be for yours. If you need automatic
imaging it should be possible by making the default option boot nvlnbp.sys
instead of localboot, but I haven’t tried this. Then disable the PXE menu
option in ConsoleOne.

I used syslinux version 3.20-pre6 because it supports the new “MENU
SHIFTKEY” option. Download the syslinux source on your SLES server, or get whatever is the latest version at the time. To compile it, do the

  tar xvfj syslinux-3.20-pre6.tar.bz2
  cd syslinux-3.20-pre6

Now create the directory tree for your imaging environment (as root):

  mkdir -p /tftpboot/boot
  mkdir /tftpboot/pxelinux.cfg
  cp pxelinux.0 com32/modules/menu.c32 /tftpboot
  cp memdisk/memdisk /tftpboot/boot

Copy the Linux imaging disk images from your existing ZENworks environment.
I copied mine from ZENworks 7 for Linux which had the files in /srv/tftp.

  cp /srv/tftp/boot/* /tftpboot/boot

Install a tftp server on your SLES box. I used atftp 0.7cvs which is
installable from YaST. I also tried tftp 0.36 from YaST and that did not
work – the imaging environment failed to boot properly. The novell-tftp
server included with ZENworks also works fine. Just be sure to use the
runlevel editor to ensure only one tftp server is set to run.

Now set up your PXELINUX config file. Use your favorite text editor to create
/tftpboot/pxelinux.cfg/default. Mine looks like this (passwords and IPs
changed to protect the innocent):

DEFAULT menu.c32

MENU MASTER PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

LABEL local
        MENU LABEL Local Boot
        localboot 0

LABEL imaging
        MENU LABEL ZENWorks Imaging
        MENU PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        kernel boot/linux
        append 5 initrd=boot/initrd mode=2 rootimage=/root install=tftp://xx.xx.xx.xx/boot vga=0 tftptimeout=50

LABEL maint
        MENU LABEL ZENWorks Maintenance
        MENU PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        kernel boot/linux
        append 5 initrd=boot/initrd mode=5 rootimage=/root install=tftp://xx.xx.xx.xx/boot vga=0 tftptimeout=50

LABEL memtest
        MENU LABEL Memory Tester
        kernel boot/memtest

LABEL hdtest
        MENU LABEL Physical Drive Test
        MENU PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        kernel boot/memdisk
        append initrd=boot/drivetest.img

LABEL ntfspro
        MENU LABEL NTFS Utilities
        MENU PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        kernel boot/memdisk
        append initrd=boot/ntfs_pro.img

The important parts for me are:



By doing this I didn’t have to re-train technicians. The computer will, by
default, boot from the hard drive and show the PXE menu if you hold down
Ctrl-Alt (SYSLINUX considers any of Shift, Alt, Caps-Lock, or Scroll-Lock as
SHIFTKEY), just like Novell’s nvlnbp.sys. The password hash is generated by
sha1pass in syslinux. Go back to your syslinux compiled source directory,
run ./sha1pass "your password", and copy the output to the MENU PASSWD
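
An added example, not part of the original article: a small Python check that parses a pxelinux.cfg/default like the one above and reports entries left without a MENU PASSWD, a missing MENU MASTER PASSWD, or a missing MENU SHIFTKEY. The sample menu, the function names and the `open_labels` allow-list are constructed for illustration, and the parser assumes global directives come before the first LABEL.

```python
import re

# Constructed sample modelled on the article's menu; hashes are placeholders.
SAMPLE = """\
DEFAULT menu.c32
MENU MASTER PASSWD $4$V/xxxxxxxx
LABEL local
        localboot 0
LABEL imaging
        MENU PASSWD $4$V/xxxxxxxx
        kernel boot/linux
LABEL memtest
        kernel boot/memtest
LABEL hdtest
        MENU LABEL Physical Drive Test
        kernel boot/memdisk
"""

def parse_menu(text):
    """Split a config into global directives and per-LABEL directives."""
    global_lines, labels, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())      # collapse tabs and runs of spaces
        if not line or line.startswith("#"):
            continue
        m = re.match(r"label (\S+)$", line, re.IGNORECASE)
        if m:
            current = labels.setdefault(m.group(1), [])
        elif current is None:
            global_lines.append(line)     # assumption: globals precede labels
        else:
            current.append(line)
    return global_lines, labels

def has(lines, directive):
    return any(l.upper().startswith(directive) for l in lines)

def audit(text, open_labels=("local", "memtest")):
    """Return findings; open_labels are entries meant to stay password-free."""
    global_lines, labels = parse_menu(text)
    findings = []
    if not has(global_lines, "MENU MASTER PASSWD"):
        findings.append("no MENU MASTER PASSWD set")
    if not has(global_lines, "MENU SHIFTKEY"):
        findings.append("no MENU SHIFTKEY: menu shows without a key held")
    for name, lines in labels.items():
        if name not in open_labels and not has(lines, "MENU PASSWD"):
            findings.append(f"label '{name}' has no MENU PASSWD")
    return findings
```

Run `audit()` on the contents of /tftpboot/pxelinux.cfg/default after each menu change; an empty list means every entry outside the allow-list carries a password.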

The menu options I set up are the two usual ZENworks imaging options along with
some diagnostic tools. You can download them all for free:

The final step is to set up your DHCP server to provide the PXE options to
the workstations. Disable your ZENworks preboot services and set up these
options in your DHCP server. I use ISC DHCPD v3.02, so configuration for
your particular DHCP server may differ. I added the following to my
dhcpd.conf (again, IPs have been changed):

option space PXE;
option PXE.mtftp-ip               code 1 = ip-address;

option space pxelinux;
option pxelinux.magic      code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;

class "pxeclients" {
    match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";

    site-option-space "pxelinux";
    option pxelinux.magic f1:00:74:7e;
    if exists dhcp-parameter-request-list {
        # Always send the PXELINUX options (specified in hexadecimal)
        option dhcp-parameter-request-list = concat(option dhcp-parameter-request-list,d0,d1,d2,d3);
    }
    option pxelinux.configfile "pxelinux.cfg/default";
    option pxelinux.reboottime 30;

    option vendor-class-identifier "PXEClient";
    vendor-option-space PXE;

    # The address was missing on the page; 0.0.0.0 is the value used in the
    # PXELINUX documentation's example for this option
    option PXE.mtftp-ip 0.0.0.0;
    filename "pxelinux.0";
    next-server xx.xx.xx.xx;
}

Make sure the next-server option has the IP of your tftp server. Also edit
/tftpboot/boot/settings.txt and set the PROXYADDR to the IP of your imaging

DISCLAIMER: This setup has worked for me, but it’s complicated to set up and
many parts are customized for my environment. Please don’t attempt this
unless you are very comfortable working with config files in Linux and are
willing to troubleshoot problems.



  • peterfroehlich says:

    Thanks, that helped me a lot! =D
