ssh - no added security?

Sune Rastad Bahn srb at
Tue Mar 25 17:09:39 CET 2003

pll at skrev:
> In a message dated: Mon, 24 Mar 2003 17:40:04 EST
> Mark Hedges said:
> >There would need to be away to encrypt the NFS mount.
> >Is this possible?
> You can tunnel NFS over ssh if you want to, but it might be rather
> slow, I don't know, I've never tried it.

Another problem is that it is the kernel which mounts the nfsroot.
So, either you have to compile the encryption into the kernel or make a very 
large initrd so you can start up ssh from that.
Anyway you still have the problem that the kernel is from tftp which as the 
name say is a very trivial (and hence very insecure) protocol, leaving plenty 
of space for an attacker to fool you machine into using his kernel instead of 
your own. You have to figure out some very clever boot process to avoid that!
Basically you need to have security build in already in the boot process, 
which means no PXE/dhcp, no bootp etc.. you'll probably end up booting from a 
cd... so why use fai in the first place?


Sune Rastad Bahn
Danmarks Meteorologiske Institut
Lyngbyvej 100
2100 København Ø
Direkte tlf. : 39157562
Email: srb at

More information about the linux-fai mailing list