ssh - no added security?

Sune Rastad Bahn srb at dmi.dk
Tue Mar 25 17:09:39 CET 2003


pll at lanminds.com wrote:
> In a message dated: Mon, 24 Mar 2003 17:40:04 EST
>
> Mark Hedges said:
> >There would need to be a way to encrypt the NFS mount.
> >Is this possible?
>
> You can tunnel NFS over ssh if you want to, but it might be rather
> slow, I don't know, I've never tried it.

Another problem is that it is the kernel which mounts the nfsroot.
So, either you have to compile the encryption into the kernel or make a very 
large initrd so you can start up ssh from that.
Anyway, you still have the problem that the kernel is from tftp, which, as the 
name says, is a very trivial (and hence very insecure) protocol, leaving plenty 
of space for an attacker to fool your machine into using his kernel instead of 
your own. You have to figure out some very clever boot process to avoid that!
Basically you need to have security built in already in the boot process, 
which means no PXE/dhcp, no bootp etc. You'll probably end up booting from a 
cd... so why use fai in the first place?

Sune

-- 
Sune Rastad Bahn
System administrator
Danmarks Meteorologiske Institut
Lyngbyvej 100
2100 København Ø
 
Direct tel.: 39157562
Email: srb at dmi.dk
 



More information about the linux-fai mailing list