Secure deploy of keys

tt-fai at kky.ttu.ee tt-fai at kky.ttu.ee
Thu Dec 15 18:15:25 CET 2022


Hello,

In the case of public network and no access to the machine at time of installation, I think this is unsolvable in principle.

Imagine the following scenario, say on a school or university network: an attacker (perhaps just a curious student) sets up a virtual machine with the MAC address and emulated hardware identical to a physical machine that would be installed by FAI. Then he disconnects the actual machine (say, in a computer classroom) and initiates a FAI install on his VM. Any exchange of secrets that would take place with the real machine now takes place with the student's VM. Afterwards, he takes the VM image home and can extract any secrets that were transferred to it during install.

Some things that I can imagine that could mitigate such risks would be:
- Inputting some secret on the physical machine during install (from the keyboard, USB stick, etc). This would defeat the idea of "fully automatic" install.
- Pre-loading a secret onto hardware (is this what you mean by using TPM?).
- Time-limiting the availability of secrets and/or some component of FAI. Most of us probably do not install clients every day, all day.
- Monitoring of installation processes and flagging abnormal activities. This would not prevent successful attacks, but possible breaches could be patched up, e.g. keys replaced afterwards.

BR,
Toomas




-----Original Message-----
From: linux-fai <linux-fai-bounces at uni-koeln.de> On Behalf Of Diego Zuccato
Sent: Wednesday, 14 December 2022 07:40
To: linux-fai at uni-koeln.de
Subject: Re: Secure deploy of keys

Tks.
Too bad I fear it's not applicable to my scenario.
First because the network is public. Second because ssh is just one of 
the secrets I have to distribute (others are usually SaltStack key and 
Gluster certificate).
I'm thinking that probably this is one of the few cases where a TPM is 
actually useful...
GPG encrypted tarballs can be a good solution if there's a trusted 
person that can insert the password (or a tpm that can decrypt it) to 
complete the install...

Diego

On 13/12/2022 20:44, Andrew Ruthven wrote:
> Hey,
> 
> On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote:
>> What's the recommended way to deploy (or re-deploy) security-sensitive
>> objects (just to say one: private ssh key to avoid client warnings when
>> redeploying a server)?
> 
> For things like ssh host keys I have a command that we run which copies 
> them into the NFSROOT, and then a cron job that runs every minute that 
> removes "expired" files from the NFSROOT. Given our NFSROOT is on a 
> restricted network I feel that is sufficient.
> 
> I know someone who had GPG encrypted tarballs, but that required 
> entering a passphrase during the build process.
> 
> Another option for ssh which I am considering is using PKI for it. Then 
> servers and clients just need to trust a CA.
> 
> Cheers,
> Andrew
> 
> -- 
> 
> Andrew Ruthven, Wellington, New Zealand
> andrew at etc.gen.nz         |
> Catalyst Cloud:           | This space intentionally left blank
>   https://catalystcloud.nz |
> 

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
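The "copy into the NFSROOT, then expire" approach Andrew describes above, which is also the time-limiting mitigation Toomas lists, as an added shell example. It is not code from this thread or from FAI itself: the STAGE_DIR path, the TTL, the `.expires` sidecar file and the function names are assumptions. A provisioning command stages one host's keys shortly before its install; a cron job run every minute deletes anything whose deadline has passed, so a secret sits on the export only for a bounded window.

```shell
#!/bin/sh
# Added example: time-limited staging of ssh host keys inside the FAI NFSROOT.
# Not from the thread or from FAI; STAGE_DIR, TTL_MIN, the ".expires" sidecar
# and the function names are assumptions.

STAGE_DIR="${STAGE_DIR:-/srv/fai/nfsroot/var/tmp/hostkeys}"   # assumed path
TTL_MIN="${TTL_MIN:-10}"                                        # assumed window

# stage_host_keys HOST SRC_DIR
# Copies ssh_host_*_key and matching .pub files from SRC_DIR into
# $STAGE_DIR/HOST (dir 0700, files 0600) and writes the deadline, in epoch
# seconds, into HOST/.expires. Returns 1 and leaves nothing behind if SRC_DIR
# holds no host keys.
stage_host_keys() {
    host="$1"
    src="$2"
    dest="$STAGE_DIR/$host"
    umask 077                       # new dirs 0700, new files 0600
    mkdir -p "$dest"
    found=0
    for f in "$src"/ssh_host_*_key "$src"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue     # an unmatched glob yields the pattern itself
        cp "$f" "$dest/" && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "stage_host_keys: no host keys found in $src" >&2
        rmdir "$dest" 2>/dev/null || true
        return 1
    fi
    echo $(( $(date +%s) + TTL_MIN * 60 )) > "$dest/.expires"
}

# expire_staged [NOW]
# Removes every per-host directory whose deadline is at or before NOW
# (default: the current time). A directory whose .expires file is missing or
# not a number counts as already expired, so a half-written stage never lingers.
expire_staged() {
    now="${1:-$(date +%s)}"
    for d in "$STAGE_DIR"/*/; do
        [ -d "$d" ] || continue
        deadline=$(cat "$d/.expires" 2>/dev/null) || deadline=0
        case "$deadline" in
            ''|*[!0-9]*) deadline=0 ;;   # unreadable sidecar: expire now
        esac
        if [ "$now" -ge "$deadline" ]; then
            rm -rf "$d"
        fi
    done
}

# Command-line entry points, e.g. from the key-distribution command and from
# the per-minute cron job (hypothetical script name hostkeys.sh):
#   hostkeys.sh stage client01 /etc/fai/hostkeys/client01
#   hostkeys.sh expire
case "${1:-}" in
    stage)  stage_host_keys "$2" "$3" ;;
    expire) expire_staged ;;
esac
```

The window only bounds exposure; it does not remove it. During those TTL_MIN minutes the keys are readable by whatever can mount the export, which is exactly the VM-with-spoofed-MAC scenario Toomas describes, so keeping the NFSROOT on a restricted network, as Andrew does, is what makes the scheme acceptable rather than the expiry alone.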



