Hide password or Prompt for password

Prunk Dump prunkdump at gmail.com
Mon Feb 3 14:41:15 CET 2014


2014-02-03 Toomas Tamm <tt-fai at kky.ttu.ee>:
> Hello!
>
> On Sat, 2014-02-01 at 09:43 +0100, Prunk Dump wrote:
>
>> It's true that there is no 100% secure way to send passwords to
>> clients! But SSH keys are very secure and they are greatly sufficient
>> for my network.
>
> That was not my point. What I was trying to say was that if you cannot
> physically trust your network (e.g. you are installing workstations in
> computer classrooms where in principle a student can plug in his own
> computer), then you can not keep any information delivered during the
> FAI install secret either.
>
> Think of it this way: you start with bare hardware with no pre-installed
> secrets. Any keys or passwords need to be delivered via the network (to
> get the premise of "fully automatic", "no human intervention needed"
> install). And thus the intruder also has access to these secrets.
>
> Let me elaborate this via an extreme example.
>
> The intruder (e.g. the clever student at the classroom) can configure his
> PC (or a virtual machine inside it) to look exactly like the workstation
> you are going to install. This includes MAC address, disk size, etc. Now
> he can install a "private copy" of the workstation, and get all the
> secrets you would have sent to the real workstation over the network.
> Later at home he breaks into the system (because it is his hardware, it
> will always be possible), learns the secrets and, depending on their
> nature, may get unauthorized access to your servers or other resources.
>
> In real life, depending on how you planned to send the secrets, the
> intruder probably will not need to perform a full install. It may be a
> lot easier to harvest the secrets from the install server via NFS, SVN,
> cfengine, or other similar mechanisms by faking a computer being
> installed, or possibly by simply querying the appropriate servers.
>
> Which brings us back to the original point: if you need to operate on
> such open networks, you need to resort to out-of-band delivery of the
> secrets (at least a master key/password to access the rest), such as use
> of a USB stick, typing in a password, ssh'ing into the host during install
> (which involves manual check of the host's identity) etc. Alternatively,
> use timing-and-logging based approaches: the secret is available for a
> limited time, and/or any access to the secret is logged and possibly
> reported, so you at least know when someone stole the key.
>
> Regards,
>
> Toomas Tamm
>

Thank you Toomas!

I am a new network administrator, so any advice on security helps me a
lot to improve my skills!

What do you think about this method?

1) I generate an SSH public key on the FAI server.
2) I make a hook that queries the FAI server's root password when the
install starts on the client. This hook copies the FAI server's public
key to the host.
3) When the install is finished, a script on the server queries the SSH
passphrase and the samba4 password and sends them to the clients through
SSH.

The advantage is that I can put in the password just after the PXE boot.
And this ensures the identity of the host.

Is there a security issue that I forgot?

Thank you very much for your help. And excuse my English.

Baptiste.
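
The "timing-and-logging" alternative from the quoted reply, sketched as an added example that is not part of the original message or of FAI: a secret is released once per host inside a short window, and every other request raises an alert. The class name, host names, addresses and secret value are constructed for illustration.

```python
import logging
import time

log = logging.getLogger("secret-release")


class SecretRelease:
    """Release an install secret once per host, inside a time window,
    and record every request that falls outside those rules."""

    def __init__(self, secret, ttl_seconds, clock=time.monotonic):
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock
        self._windows = {}   # host -> {"expires": float, "used_by": str | None}
        self.alerts = []     # (host, peer, reason) tuples to report to the admin

    def open_window(self, host):
        """Called by the admin when the install of `host` is started."""
        self._windows[host] = {"expires": self._clock() + self._ttl,
                               "used_by": None}
        log.info("window opened for %s (%ss)", host, self._ttl)

    def fetch(self, host, peer):
        """Called when `peer` (network address) asks for the secret of `host`."""
        window = self._windows.get(host)
        if window is None:
            return self._deny(host, peer, "no window open")
        if self._clock() > window["expires"]:
            return self._deny(host, peer, "window expired")
        if window["used_by"] is not None:
            # Two requests for one install: one of them was not the real
            # host, so the secret must be treated as stolen and rotated.
            return self._deny(host, peer,
                              "already released to " + window["used_by"])
        window["used_by"] = peer
        log.warning("secret for %s released to %s", host, peer)
        return self._secret

    def _deny(self, host, peer, reason):
        self.alerts.append((host, peer, reason))
        log.error("DENIED %s from %s: %s", host, peer, reason)
        return None
```

This does not stop a faked client that asks first; it only guarantees that the real host's later request fails loudly, so the theft is noticed. The peer address in the log can itself be spoofed on such a network.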

