Difference between pages "SFTP Only Access" and "PXE Network Windows Installation"

From Funtoo
== Context ==

In some cases, it can be useful to set up an account on your Funtoo box for a user who:

* does not see the whole contents of the machine but, instead, remains "jailed" in a home directory
* is able to transfer files back and forth to the box via SFTP
* does not have access to a shell

Such an SFTP-only access is easy to set up:

# Assign a group (e.g. ''sftponly'') to the users that must be restricted to an SFTP-only account
# Change the OpenSSH configuration a bit so that users belonging to your sftp-only group are given a chrooted access
# Make OpenSSH ignore any command other than running sftp-server on the server side for users belonging to your sftp-only group (this is where the trick lies!)
== Quick start ==

First, a dedicated group must be created. For the sake of the example we use ''sftponly'' here; use whatever name fits your preferences:

<console>
###i## groupadd sftponly
</console>
Next, in the configuration of OpenSSH (located in <code>/etc/sshd/sshd_config</code>) locate:

{{File
|/etc/sshd/sshd_config|<pre>
Subsystem      sftp    /usr/lib64/misc/sftp-server
</pre>}}

and change it to:

{{File
|/etc/sshd/sshd_config|<pre>
Subsystem      sftp    internal-sftp
</pre>}}
Now the $100 question: ''"how can OpenSSH be told to restrict a user's access to a simple SFTP session?"'' Simple! Assuming that ''sftponly'' is the group you use for your restricted users, just add the following statement to the file <code>/etc/sshd/sshd_config</code>:

{{File
|/etc/sshd/sshd_config|<pre>
# Restricted users, no TCP connection bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
</pre>}}

To understand how it works, you must be aware that, when you open an SSH session, the SSHD process launches a process on the server side, which can be:

* a shell => ssh <code>login@host</code>
* a kind of dedicated FTP daemon (sftp-server) => sftp <code>user@host</code>
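The three rules above can be checked mechanically before sshd is restarted. The following Python script is an example added to this article, not part of the original page or of OpenSSH; it models only what matters here (keywords are case-insensitive, and every directive following a Match line belongs to that block until the next Match) and runs over two constructed configurations, the "before" and "after" states shown above.

```python
"""Check an sshd_config for the SFTP-only pattern described in this article.

Added example, not part of the original wiki page. The parser mimics two
properties of sshd's own parsing that matter here: keywords are
case-insensitive, and every directive after a "Match" line belongs to that
Match block until the next "Match" line (so the block must sit at the end of
the file, or later directives silently become conditional).
"""
import re

# Constructed sample: the configuration before the guide's edits.
BEFORE = """\
Subsystem      sftp    /usr/lib64/misc/sftp-server
"""

# Constructed sample: the configuration after the guide's edits.
AFTER = """\
Subsystem      sftp    internal-sftp

# Restricted users, no TCP connection bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
"""

# Directives the Match block must carry; None means "any value, just be present".
REQUIRED_IN_MATCH = {
    "chrootdirectory": None,
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    global_directives maps lower-cased keyword -> value for lines before any
    Match; match_blocks is a list of (criteria, directives) in file order.
    """
    global_directives, blocks = {}, []
    current = global_directives
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank lines and comments
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)  # "Keyword value" or "Keyword=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}                               # everything below belongs to this block
            blocks.append((value, current))
        else:
            current[keyword] = value
    return global_directives, blocks


def sftp_only_findings(text, group="sftponly"):
    """Return a list of problems; an empty list means `group` is SFTP-only."""
    findings = []
    global_directives, blocks = parse_sshd_config(text)
    subsystem = global_directives.get("subsystem", "").split()
    if subsystem[:2] != ["sftp", "internal-sftp"]:
        findings.append("Subsystem sftp must be internal-sftp: an external "
                        "sftp-server binary does not exist inside the chroot")
    block = None
    for criteria, directives in blocks:
        words = criteria.split()                       # Match keyword is case-insensitive, group name is not
        if len(words) == 2 and words[0].lower() == "group" and words[1] == group:
            block = directives
    if block is None:
        findings.append(f"no 'Match group {group}' block")
        return findings
    for key, wanted in REQUIRED_IN_MATCH.items():
        have = block.get(key)
        if have is None:
            findings.append(f"{key} is missing from the Match block")
        elif wanted is not None and have.lower() != wanted:
            findings.append(f"{key} is '{have}', expected '{wanted}'")
    return findings


def chroot_dir_acceptable(owner_uid, mode):
    """sshd refuses a ChrootDirectory unless it and every parent directory are
    owned by root and not writable by group or others. Pass st_uid and st_mode
    from os.stat() of one path component."""
    return owner_uid == 0 and (mode & 0o022) == 0


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, sftp_only_findings(text) or "OK")
```

Two things the checker cannot see from the text alone: <code>sshd -t</code> validates the syntax of the final file, and because everything after <code>Match group sftponly</code> applies only to that group, the block belongs at the very end of <code>sshd_config</code>. The chroot directory also has to be owned by root and not be group- or world-writable, for every component of its path, otherwise sshd logs "bad ownership or modes for chroot directory" and closes the connection; <code>chroot_dir_acceptable()</code> encodes that test so it can be run against <code>os.stat()</code> results for <code>/home</code> and <code>/home/<user></code> before the first login fails.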

{{Note}} TBC

[[Category:HOWTO]]

Revision as of 23:52, 14 January 2014

Howto use your Funtoo machine to serve a MS Windows installation over the network

In this guide we will assume that you have followed the PXE network boot server Wiki article and have a working network/PXE boot setup. As of now this guide covers Windows XP. Soon it will be expanded to also cover Windows 7.


Prerequisites

  1. A working Funtoo installation
  2. A working PXE Setup (DHCP, TFTP, PXELinux)
  3. app-arch/cabextract
  4. A legitimate copy of Microsoft Windows
  5. Drivers for your NIC. It is suggested to use a complete driver pack with all major supported NIC hardware for the version of Windows to be installed.
  6. RIS Linux toolkit >=0.4
  7. A working Samba server setup

Creating the Windows XP Image

  • In the previous guide, PXE Network Boot Server, we used /tftproot as the working directory, so we will also use it in this guide for convenience. If you choose a different working directory, apply it where needed in place of the /tftproot we will be going by here.

First you will need to create an ISO from your Windows XP installation disc. If you already have the ISO image you may skip this step.

# dd if=/dev/sr0 of=/tftproot/winxp.iso

If your CD-ROM device isn't /dev/sr0, use the appropriate device in this command.

Mount the ISO and Prepare Installation Sources

Mount the image to /tftproot/cdrom:

# mkdir /tftproot/cdrom; mount -o loop /tftproot/winxp.iso /tftproot/cdrom

Create the new directory for the network installation files and copy the needed files to it:

# mkdir /tftproot/winxp; cp -R /tftproot/cdrom/i386 /tftproot/winxp/i386

Depending on your CD/DVD copy of Windows, the directory name may be I386 rather than i386. If that is the case, you only need to change the source part of the command, keeping the new directory name i386: this is going to be very important later on when creating the remap file! Check the contents of your newly created i386 directory to see whether the filenames are in all CAPS or already in lowercase.

# ls /tftproot/winxp/i386

If you happen to have all UPPERCASE filenames, let's go ahead and run a script to convert them to all lowercase:

# cd /tftproot/winxp/i386;ls | awk '$0!=tolower($0){printf "mv \"%s\" \"%s\"\n",$0,tolower($0)}' | sh

Extracting and Modifying the Required Boot Files

Install app-arch/cabextract

# emerge -av app-arch/cabextract

Extract the prepackaged drivers:

# cd /tftproot/winxp/i386;cabextract driver.cab

Install support for a large list of network cards:

# cd /tftproot/;wget http://downloads.sourceforge.net/project/bootfloppy/pxefiles.tar.gz
# tar zxvf pxefiles.tar.gz; cp pxefiles/drivers/* winxp/i386/

Copy the BINLSRV /INFParser tools to /tftproot:

# cp pxefiles/script/* /tftproot/

Extract the netboot startrom:

# cd /tftproot; cabextract winxp/i386/startrom.n1_

Fix the startrom for netbooting XP:

# sed -i -e 's/NTLDR/XPLDR/gi' startrom.n12
# mv startrom.n12 winxp.0

Fix XPLDR:

# cabextract winxp/i386/setupldr.ex_
# sed -i -e 's/winnt\.sif/winxp\.sif/gi' setupldr.exe
# sed -i -e 's/ntdetect\.com/ntdetect\.wxp/gi' setupldr.exe
# mv setupldr.exe xpldr
# cp winxp/i386/ntdetect.com ntdetect.wxp
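The sed edits above work on executables only because every replacement is exactly as long as the text it overwrites (NTLDR and XPLDR, winnt.sif and winxp.sif, ntdetect.com and ntdetect.wxp): a length change would move every offset behind it and break the loader. The Python helper below is an added example, not something from this page or from the RIS Linux toolkit; it performs the same case-insensitive global replacement as `sed -i -e 's/…/…/gi'` but refuses a replacement of a different length. The script name and command line in its `__main__` section are assumptions, and the byte strings in the test are constructed.

```python
"""Same-length string patching, as the sed -i edits above do on binaries.

Added example, not part of the original page: the sed commands work on
startrom.n12 and setupldr.exe only because every replacement has exactly the
same length as the string it replaces, so no offset inside the executable
moves. This helper makes that invariant explicit and refuses anything else;
sed's 'gi' flags (global, case-insensitive) are reproduced with re.IGNORECASE.
"""
import re
import sys

# The three edits the guide performs, as (old, new) byte strings.
BOOT_FILE_PATCHES = {
    "startrom.n12": [(b"NTLDR", b"XPLDR")],
    "setupldr.exe": [(b"winnt.sif", b"winxp.sif"),
                     (b"ntdetect.com", b"ntdetect.wxp")],
}


def patch_same_length(data, old, new):
    """Replace every case-insensitive occurrence of `old` with `new`.

    Raises ValueError when the lengths differ, because a length change would
    shift every later offset in a binary and corrupt it.
    Returns (patched_bytes, number_of_replacements).
    """
    if len(old) != len(new):
        raise ValueError(f"{old!r} -> {new!r} changes length; refusing to patch a binary")
    pattern = re.compile(re.escape(old), re.IGNORECASE)
    return pattern.subn(new, data)


def apply_patches(data, patches):
    """Apply a list of (old, new) patches in order; return (data, total replacements)."""
    total = 0
    for old, new in patches:
        data, count = patch_same_length(data, old, new)
        total += count
    return data, total


if __name__ == "__main__":
    # Assumed usage: python patch_bootfiles.py startrom.n12  (patches in place, like sed -i)
    path = sys.argv[1]
    with open(path, "rb") as f:
        blob = f.read()
    patched, count = apply_patches(blob, BOOT_FILE_PATCHES[path.rsplit("/", 1)[-1]])
    with open(path, "wb") as f:
        f.write(patched)
    print(f"{path}: {count} replacement(s)")
```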

Creating a remapping file

Create the file /tftproot/tftpd.remap and add the following to it:

ri ^[az]: # Remove “drive letters”
rg \\ / # Convert backslashes to slashes
rg \# @ # Convert hash marks to @ signs
rg /../ /..no../ # Convert /../ to /..no../
rg A a
rg B b
rg C c
rg D d
rg E e
rg F f
rg G g
rg H h
rg I i
rg J j
rg K k
rg L l
rg M m
rg N n
rg O o
rg P p
rg Q q
rg R r
rg S s
rg T t
rg U u
rg V v
rg W w
rg X x
rg Y y
rg Z z
r ^/(.*) \1
r ^xpldr xpldr
r ^ntdetect.wxp ntdetect.wxp
r ^winxp.sif winxp.sif
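To see what these rules do to a request, here is a small Python model of the remap file, added to this article (it is neither the page's code nor tftp-hpa's parser). It implements only what this file uses: the `r` operation with the `g` (all occurrences) and `i` (case-insensitive) flags, an empty replacement when the third token starts with `#`, and the page's regular expressions handed to Python's `re` module as written, which is a simplification of tftpd's POSIX ERE handling. The twenty-six per-letter lowercasing rules are generated instead of typed out, and the sample request names are constructed.

```python
"""Reference model of the tftpd.remap rules above.

Added example, not from the page or from tftp-hpa: applies the remap rules in
file order to one requested filename, so you can see what the Windows loader's
request becomes before tftpd looks it up under /tftproot. Supported: the 'r'
(replace) operation with flags 'g' (global) and 'i' (case-insensitive); a token
beginning with '#' starts a comment. Regexes go to Python's re module as
written, a simplification of tftpd's POSIX ERE handling.
"""
import re
import string

REMAP_RULES = (
    r"""ri ^[az]: # Remove “drive letters”
rg \\ / # Convert backslashes to slashes
rg \# @ # Convert hash marks to @ signs
rg /../ /..no../ # Convert /../ to /..no../
"""
    # the file's 26 lines "rg A a" ... "rg Z z", generated rather than typed out
    + "".join(f"rg {c} {c.lower()}\n" for c in string.ascii_uppercase)
    + r"""r ^/(.*) \1
r ^xpldr xpldr
r ^ntdetect.wxp ntdetect.wxp
r ^winxp.sif winxp.sif
"""
)


def parse_remap(text):
    """Return a list of (ops, compiled_regex, replacement) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        ops, regex = tokens[0], tokens[1]
        # A third token starting with '#' is a comment, so the replacement is
        # empty; this is how "ri ^[az]: # ..." deletes the drive letter.
        replacement = (tokens[2] if len(tokens) > 2 and not tokens[2].startswith("#")
                       else "")
        if "r" not in ops or set(ops) - set("rgi"):
            raise NotImplementedError(f"unsupported rule operations: {ops}")
        flags = re.IGNORECASE if "i" in ops else 0
        rules.append((ops, re.compile(regex, flags), replacement))
    return rules


def remap(filename, rules):
    """Apply the rules in order to one requested filename, as tftpd does per request."""
    for ops, regex, replacement in rules:
        filename = regex.sub(replacement, filename, count=0 if "g" in ops else 1)
    return filename


RULES = parse_remap(REMAP_RULES)

if __name__ == "__main__":
    for request in (r"\I386\NTDETECT.COM", r"A:\WINXP.SIF", r"\i386\..\winxp.sif"):
        print(f"{request!r:30} -> {remap(request, RULES)!r}")
```

Requests such as `\I386\NTDETECT.COM` arrive with backslashes and upper-case names, exactly as the Windows loader issues them; the rules turn them into `i386/ntdetect.com`, which is why the guide lowercased the copied i386 directory beforehand. The `/../` rewrite is a string substitution, not an access-control boundary; containment of what TFTP clients can read comes from running in.tftpd with tftp-hpa's `-s` (chroot) option, not from this file.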

Install/Configure Samba

If you don't already have net-fs/samba installed, then:

# emerge -av net-fs/samba

Create a Samba share for your tftp server in /etc/samba/smb.conf.

Note: Be sure you have the other required Samba settings configured in the file.

[Global]
interfaces = lo eth0 wlan0
bind interfaces only = yes
workgroup = WORKGROUP
security = user

[tftproot]
path = /tftproot
browsable = true
read only = yes
writable = no
guest ok = yes

Start Samba:

# /etc/init.d/samba start

or if samba has already been started:

# /etc/init.d/samba restart

Creating a Setup Instruction File

Create the file /tftproot/winxp.sif and add the following, replacing SAMBA_SERVER_IP with the local IP address of your samba server:

[data]
floppyless = "1"
msdosinitiated = "1"
; Needed for second stage
OriSrc = "\\SAMBA_SERVER_IP\tftproot\winxp\i386"
OriTyp = "4"
LocalSourceOnCD = 1
DisableAdminAccountOnDomainJoin = 1

[SetupData]
OsLoadOptions = "/fastdetect"
; Needed for first stage
SetupSourceDevice = "\Device\LanmanRedirector\SAMBA_SERVER_IP\tftproot\winxp"

[UserData]
ComputerName = *

Editing the pxelinux.cfg/default boot menu

Edit your boot menu so that it contains the following entry:

LABEL WinXP
	MENU LABEL Install MS Windows XP
	KERNEL winxp.0

Re-Start all required daemons

If a daemon isn't already running, use start instead of restart in the following commands:

# /etc/init.d/dnsmasq restart
# /etc/init.d/in.tftpd restart

Modify Binlsrv, update driver cache, and start driver hosting service

Change the BASEPATH= variable at or around line #62 of binlsrv.py so that it is:

# nano binlsrv.py
BASEPATH='/tftproot/winxp/i386/'

Generate driver cache:

# cd /tftproot;./infparser.py winxp/i386/

Start binlservice:

# ./binlsrv.py

Booting the client

If all is well, you should be able to boot the client by choosing to boot from network in its boot options. You should get to your PXELinux bootloader and see the Install Windows XP option; after pressing enter you *should* kick off your XP installation via the network! Congratulations!