how do you distribute secrets ?

Haakon Humberset humbe at interagon.com
Thu Apr 22 13:15:45 CEST 2004



I also wondered about this..

Since I don't want ssh keys to change during each reinstallation, I want
to pregenerate these. Thus all computers automaticly installed have both
their private and public ssh keys available through the FAI nfsroot.

I also have users I would autocreate users for, all my users
md5 password entries can also be gotten through nfsroot.

I'm on an internal firewalled net that I have full control of, so I don't
worry too much, but only solution I can see, is to get the install client
to notify server when it's done, and then let the install server log into
the newly installed computer and add the secret files through a scripted
ssh connection.

The fai account on the install server used by clients to copy logs back is
also a security issue since keys are available through nfsroot such that
anyone can log in here without a password. There have been, and will be
more than enough root exploits given you already have a local user.

A solution might be to not let the install client log into the install
server. Share nfsroot with no secrets, if secrets are required, notify a
process listening to the network, triggering the install server to log
into the client and add the secrets, get the logs or whatever.

Well.. Reckon for now, you shouldn't use fai on/across untrusted
networks.

Haakon

On 22 Apr 2004, Holger Levsen wrote:
> Hi,
>
> in FAI's simple examples the root password is distributed to the install
> clients as a md5sum which is world-readable through the nfs-exported
> FAI_CONFIGDIR.
>
> It's a good solution as a starting point but not really sufficient for
> installations where you need real security.
>
> How do you distribute passwords, private ssh-host-keys and/or private
> ssl-certificates ?
>
> I can easily imagine solutions involving bootdiscs or usb-sticks which
> contain those keys - but this would not be very flexible nor is this a
> solution for many systems.
>
>
> thank you for any hints,
> regards,
> 	Holger
>
> --
>
> Hamburger Berater Team GmbH     Telefon: 040/369779-0
> Stadthausbrücke 3 (Fleethof)    Telefax: 040/369779-99
> 20355 Hamburg                   eMail  : hl at hbt.de
> 				Web    : http://www.hbt.de
>
>
>

-----------------------------------------------------------------------
Haakon Humberset, Research Scientist, Interagon AS.       +47 982 03875
http://www.interagon.com                            humbe at interagon.com
-----------------------------------------------------------------------





More information about the linux-fai mailing list