use encryption+authentication during configuring clients?
tt-fai at kky.ttu.ee
Fri Sep 19 15:06:21 CEST 2014
On Fri, 2014-09-19 at 13:52 +0200, Jan Bredereke wrote:
> As for the initial installation process, I suppose it cannot be
> secured fully. You would have to transfer the crypto keys to the
> clients without using the network, i.e., manually. As far as I have
> seen, FAI does not provide mechanisms for this.
Please have a look at the list archives - this has been discussed
several times over recent years.
The bottom line is that a fully automatic transfer of secrets (eg
passwords) over an uncontrolled network seems impossible. Imagine an
attacker impersonating one of your clients, for example. FAI would
perform an installation onto the attacker's hardware, which he can later
analyze and learn the secrets. Other types of attacks can be thought of
as subsets of this.
However, users have come up with "nearly secure" solutions which can be
used without physical access to the clients. One is setting up a key
provider and logging all attempts to access it. Normally you know the
times when installations occur, so you can later account for all key
request attempts and map them to individual installations (successful or
failed). In case of any suspicious entries in the logs, just repeat the
installation with new keys.
Of course, if you have physical access or can establish out-of-band
communication with the client (such as plugging in a USB stick or CD),
you can use these to provide any necessary secrets.
More information about the linux-fai