Hi,

as I am aware that there is no out-of-the-box solution for the inherent PXE/DHCP security problem I am trying to find out how to at least make the second stage more secure. At the moment, since DHCP is broadcast, everybody with physical access to a network can install a fake DHCP server serving his or her own kernel images with back doors. As long as there is no cryptographically secure authentication on the server side a client can never be sure about the DHCP server's identity. Unfortunately, Intel dropped BIS development and support, and no hardware vendor actually supports BIS.

That said, does anybody have a good idea to at least identify the install server reliably before YaST starts its work? I was thinking about using a preinstall script which uses SSH/SSL to talk to a server but the preinstall script will (or will not) be provided by a fake DHCP server so there's a catch-22 situation. Any idea?

I suspect we have to abandon PXE/DHCP altogether and go for a boot CD in each server, with the install server's address hardwired. A client could use DHCP but only for getting its IP address and network parameters, but then identify the install server using SSL (in a YaST pre-install script) and then go ahead. The AutoYaST config XML file(s) would have to be on the CD as well to prevent hackers from tampering.

Any comments?

TIA!!

Mit freundlichen Gruessen - Best regards

Harald Milz
Consultant Enterprise Computing Solutions
CC CompuNet AG & Co. oHG
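Added example, not part of the original message and not SUSE or AutoYaST code: one way the boot-CD idea above could identify the install server, by comparing the certificate it presents in a TLS handshake with a SHA-256 pin stored on the read-only medium. The host name, port, pin placeholder and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Assumed values written to the boot CD at build time (placeholders, not real).
INSTALL_SERVER = ("install.example.invalid", 443)
PINNED_SHA256 = "<sha256-of-install-server-certificate-DER>"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare the presented certificate with the pin stored on the CD."""
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), normalized)


def fetch_server_cert(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Complete a TLS handshake and return the server's leaf certificate (DER).

    CA and host name checks are off on purpose: trust comes only from the pin
    on the read-only medium, not from DNS, DHCP options or a CA store.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def install_server_is_genuine(host, port, pinned_hex, fetch=fetch_server_cert):
    """True only if the server at host:port presents the pinned certificate."""
    try:
        der = fetch(host, port)
    except (OSError, ssl.SSLError):
        return False  # fail closed: unreachable server or broken TLS
    return bool(der) and pin_matches(der, pinned_hex)


if __name__ == "__main__":
    import sys
    ok = install_server_is_genuine(*INSTALL_SERVER, PINNED_SHA256)
    sys.exit(0 if ok else 1)  # non-zero exit signals failure to the caller
```

The check is only as trustworthy as the medium holding the pin and the script, which is why both sit on the CD rather than being fetched over the network.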