FAI and sensitive installation data

Henning Glawe glaweh at physik.fu-berlin.de
Fri Apr 11 13:07:50 CEST 2003


On Fri, Apr 11, 2003 at 12:18:41PM +0200, luzian.scherrer at id.unizh.ch wrote:
> data to be copied before actually installing it. This per host private
> key is stored on a floppy or CD-ROM residing in the clients drive. I
> think this would be the only way to be able to really authenticate FAI
> clients. (This assumes of course, that those using the clients do not
> have physical access to the machines).
> 
> What do you think about it?
We started implementing a secure fai concept some time ago... and didn't
really finish ;) Basic concept was:

1) GPG key on bootfloppy, its public key on fai-server
2) client is installed, generates its ssh hostkey, signs the public 
   hostkey with the floppy's private GPG key and transmits it to the 
   fai server.
3) fai server verifies the signature and on success it throws away the
   public _gpg_ key, keeps the public ssh-host-key as authorized_key for
   further data transmission (logfile copying, passwd manipulation etc.)
   If the verify fails, it rings the alarm bells.

The patch for the gpg-bootfloppy is attached to this mail (doesn't apply
to current versions, lost interest a bit ;) ); other code doesn't exist.

This system is not at all perfect, but you have at least an approved
secure channel to your client (because the gpg-key is one-time-only).

Maybe a better concept: Authorized On-demand-export of the nfsroot:

- Daemon on fai-server, running under UID root, calls
  /usr/sbin/exportfs, giving the nfsroot to an authenticated client

- Bootfloppy: has to include minimal root fs which sends a file signed
  with the floppy's gpg-key to fai-server, waits for an answer and
  mounts the nfsroot...

-- 
c u
henning
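The three-step exchange described in the mail above (the floppy key signs the freshly generated ssh host key, the fai server verifies once, throws the floppy's public key away and keeps the host key as an authorized_key, or rings the alarm bells on failure), as an added example that is not part of Henning's mail or of FAI. It uses Go's standard-library Ed25519 in place of both the GPG DSA key and the ssh host key so that it runs offline; the hostname and the in-memory "server" are constructed. It also exercises the property the mail relies on, that the floppy key is one-time-only: a second enrolment with the same floppy key is refused, while a tampered enrolment is refused without consuming the key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Floppy models the per-host one-time key that make-fai-bootfloppy would
// write to the boot floppy. Ed25519 is a stand-in for the GPG DSA key.
type Floppy struct {
	Host string
	Priv ed25519.PrivateKey
}

// Server models the fai server: one pending floppy public key per host,
// plus the verified ssh host keys collected as authorized_keys lines.
type Server struct {
	pending    map[string]ed25519.PublicKey
	authorized map[string]string
	Alarms     []string // failed verifications ("alarm bells")
}

func NewServer() *Server {
	return &Server{
		pending:    map[string]ed25519.PublicKey{},
		authorized: map[string]string{},
	}
}

// MakeFloppy is step 1: generate the floppy key for host and keep only its
// public half on the server.
func (s *Server) MakeFloppy(host string) (*Floppy, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pending[host] = pub
	return &Floppy{Host: host, Priv: priv}, nil
}

// Enrollment is the message the freshly installed client sends back.
type Enrollment struct {
	Host    string
	HostKey string // authorized_keys-style line for the new ssh host key
	Sig     []byte // floppy-key signature over HostKey
}

// Enroll is step 2: the client generates its ssh host key and signs the
// public half with the floppy's private key. The private half is returned
// so the client can keep it as its own host key.
func (f *Floppy) Enroll() (Enrollment, ed25519.PrivateKey, error) {
	hostPub, hostPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Enrollment{}, nil, err
	}
	line := fmt.Sprintf("ssh-ed25519 %s root@%s",
		base64.StdEncoding.EncodeToString(hostPub), f.Host)
	sig := ed25519.Sign(f.Priv, []byte(line))
	return Enrollment{Host: f.Host, HostKey: line, Sig: sig}, hostPriv, nil
}

// Accept is step 3: verify the signature with the pending floppy key. On
// success the floppy key is discarded (one-time use) and the host key is
// kept; on failure nothing changes and an alarm is recorded.
func (s *Server) Accept(e Enrollment) error {
	pub, ok := s.pending[e.Host]
	if !ok {
		s.Alarms = append(s.Alarms, "no pending floppy key for "+e.Host)
		return errors.New("unknown or already used floppy key")
	}
	if !ed25519.Verify(pub, []byte(e.HostKey), e.Sig) {
		s.Alarms = append(s.Alarms, "bad signature from "+e.Host)
		return errors.New("signature verification failed")
	}
	delete(s.pending, e.Host)
	s.authorized[e.Host] = e.HostKey
	return nil
}

// Authorized returns the authorized_keys line stored for host, if any.
func (s *Server) Authorized(host string) (string, bool) {
	line, ok := s.authorized[host]
	return line, ok
}

func main() {
	s := NewServer()
	f, err := s.MakeFloppy("node01.example.org") // constructed hostname
	if err != nil {
		panic(err)
	}
	e, _, err := f.Enroll()
	if err != nil {
		panic(err)
	}
	fmt.Println("first enrolment:", s.Accept(e))
	e2, _, _ := f.Enroll()
	fmt.Println("second use of the same floppy key:", s.Accept(e2))
	fmt.Println("alarms:", s.Alarms)
}
```

The signed line carries the hostname, and the server looks the floppy key up by that same hostname, so an enrolment cannot be redirected to another host's pending key; the floppy key is deleted only after a successful verification, so a garbled or forged message does not burn the key the real client still needs.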
-------------- next part --------------
--- fai/scripts/make-fai-bootfloppy	Wed May 15 11:41:00 2002
+++ pfai/pfai/scripts/make-fai-bootfloppy	Wed Jun 12 22:08:00 2002
@@ -90,6 +90,34 @@
 }
 
 # - - - - - - - - - - - - - - - - - - - - - - - - - -
+makeGpgKey() {
+ HOST=`host -e "$TARGETIP" | grep 'Name:' |awk '{print $2}'`
+ mkdir -p "$GPG_KEYDIR"
+ chown 0.0 "$GPG_KEYDIR"
+ chmod 0755 "$GPG_KEYDIR"
+ [ -f "$GPG_KEYDIR/$HOST.pub" ] \
+   && echo "Warning: Overwriting key files for $HOST!"
+ (cat << EOF
+%echo Generating GPG Key
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: $HOST
+Name-Comment: FAI installation key for $HOST
+Name-Email: root@$HOST
+# Expire after two days!
+Expire-Date: 2
+%pubring $GPG_KEYDIR/$HOST.pub
+%secring $MOUNTPOINT/fai.sec
+%commit
+%echo done
+EOF
+ ) | gpg --batch --gen-key
+}
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - -
 # main part
 while getopts "f:s:m:h" opt ; do
         case "$opt" in
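Review bot: `HOST` can come out empty in makeGpgKey: `host -e "$TARGETIP" | grep 'Name:' | awk '{print $2}'` yields nothing when the reverse lookup fails or the output format differs, and the function then writes the ring to `$GPG_KEYDIR/.pub` and hands gpg an empty `Name-Real:`. Add a guard such as `[ -n "$HOST" ] || { echo "no PTR record for $TARGETIP" >&2; exit 1; }` before the `mkdir`. Two smaller points: the exit status of `gpg --batch --gen-key` is never checked, so a failed generation leaves the floppy without `fai.sec` while the script carries on; and the "Overwriting key files" message is only a warning, nothing removes the old `$HOST.pub`, and gpg adds a new key to an existing keyring rather than replacing it, so the server could end up holding two floppy keys for the same host where the mail's design expects exactly one. A `chmod 0600 "$MOUNTPOINT/fai.sec"` after generation would also document that this file is the private half.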
@@ -183,6 +211,8 @@
 EOF
 
 $NFSROOT/sbin/lilo -C $MOUNTPOINT/etc/lilo.conf
+
+[ -n "$GPG_AUTH" ] && makeGpgKey
 
 cat <<EOF
 Writing boot data to floppy.
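Review bot: `GPG_AUTH` is tested here but never set: the `getopts "f:s:m:h"` string in the previous hunk has no option for it, so the feature can only be switched on by exporting the variable into the script's environment, and `GPG_KEYDIR` has no default or check either. Add an option (for example `g` in the getopts string, setting `GPG_AUTH=1`) and a default for `GPG_KEYDIR`. Also, `[ -n "$GPG_AUTH" ] && makeGpgKey` swallows a failure of `makeGpgKey`: the script goes on to "Writing boot data to floppy" with no key on it; `if [ -n "$GPG_AUTH" ]; then makeGpgKey || exit 1; fi` would stop before writing a floppy that cannot authenticate.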


More information about the linux-fai mailing list