How to prevent new installations when I have already installed my client through LAN boot?

Thomas Neumann blacky+fai at
Thu Feb 9 10:41:26 CET 2012

Please note: I haven't used fai-chboot to automatically disable
fai-installation yet because the manpage scares me too much. What is
described in this mail is an attack scenario that seems to be possible
judging from the manpage.

> have a look there:

There should be a big fat flashing warning sign attached to fai-chboot + ssh.

Does nobody see the fault in having

 - a NFS-share mountable by any client [on a specific network]
 - a SSH-Key without a passphrase stored in that NFS-share
 - a login account allowing (at least) the manipulation of other hosts

Please at least hint that one should consider implementing some security
measures. What happens if J. Random User decides he doesn't like you
anymore, mounts the nfsroot and executes "fai-chboot -e" for every host in
your network? Or decides to play really nasty and execute 'fai-chboot -e
-i <my own nfsroot>' which may completely wipe the system, install some
kind of rootkit or do other unpleasant stuff?

There's even a ready-to-use example given in the manpage:

  fai-chboot −IFv −u nfs://faiserver/srv/fai/clusterconf node03

"node03 will be installed using the configuration space
/srv/fai/clusterconf, which is mounted from faiserver via NFS."

It gets worse.

NFS traffic is not even encrypted. This means the private key is
transmitted in plaintext over the wire. From a security point of view
there's not much difference if one simply uses telnet instead of ssh.

This is probably not relevant if using fai to install a compute-cluster in
a trusted network environment. If the environment is not trusted (training
classroom? datacenter?) then please implement appropriate measures.

More information about the linux-fai mailing list