On Wed, Jul 10, 2019 at 06:31:32PM +0200, Wolfgang Schweer wrote:
> On Wed, Jul 10, 2019 at 02:50:19PM +0000, Mike Gabriel wrote:
> > On Mi 10 Jul 2019 15:15:53 CEST, Petter Reinholdtsen wrote:
> > > [Mike Gabriel]
> > > > Another error in reasoning... A diskless machine doesn't probably have
> > > > any values/assets to protect, so why deploy the LDAP server cert at
> > > > all to the diskless chroot? It is sufficient (and fully works) to
> > > > retrieve the LDAP cert during the diskless machine's boot process.
> > >
> > > The LDAP server cert is placed inside diskless chroots to protect the
> > > users (for example their passwords) from man-in-the-middle attacks on
> > > the LDAP directory. The point is not to keep the read only files safe,
> > > but the users logging into them.
> >
> > oh yeah, this is indeed a highly valid point. Without that, an attacker
> > could fake a TJENER on the network (or pseudo-rollout another Debian Edu
> > like network to clients) and collect login credentials.
>
> This is supposed to be a problem since the time LTSP uses NBD, but only
> for LTSP chroots that never got an update.
>
> For Buster we should make sure that the LDAP certificate gets copied
> into the LTSP chroot before the initial NBD image is built at
> installation time to avoid another NBD build just after the first reboot.
>
> This would require changes to /etc/ltsp/ltsp-build-client.conf and
> cf3/cf.finalize (building the client without NBD image generation,
> copying the certificate, then run ltsp-update-image).

Maybe another option could be to only change /etc/ltsp/ltsp-build-client.conf
(building the client without NBD image generation) and generate the NBD image
via xdebian-edu-firstboot.

Imo the fetch-ldap-cert script should be changed in any case like this to get
the certificate into the LTSP chroot:

diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..2d68d318 100755
--- a/debian/debian-edu-config.fetch-ldap-cert +++ b/debian/debian-edu-config.fetch-ldap-cert @@ -29,7 +29,7 @@ do_start() { LDAPSERVER=$(debian-edu-ldapserver) ERROR=false - if [ -f /etc/nslcd.conf ] && + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" @@ -40,7 +40,7 @@ do_start() { fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new @@ -79,13 +79,7 @@ do_start() { case "$1" in start) - # do absolutely nothing, if this host is already "attached" to - # a Debian Edu network - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then - : - else - do_start - fi + do_start ;; stop) ;; Please check. Wolfgang
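Review bot: in the first hunk the new guard `if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&` leaves `$CERTFILE` unquoted; if the variable is ever empty the test degenerates to `[ ! -f ]`, which evaluates to false, so the whole condition fails and the certificate is silently never fetched. Quote it as `[ ! -f "$CERTFILE" ]` (the same applies to `$BUNDLECRT` and `$CERTFILE.new` in the surrounding lines, which are pre-existing but worth fixing while touching the file). Also note that this guard only skips the fetch branch; whatever do_start does after this block is now executed on every start, including on hosts that already have the certificate, so confirm that the rest of do_start is safe to re-run.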
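Review bot: in the second hunk, replacing the fixed `ldap.intern` with `$LDAPSERVER` in `gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER` means gnutls-cli now verifies the peer certificate against whatever name `debian-edu-ldapserver` returns; if that is an address or an alias not present in the server certificate, the verification fails and the certificate is not saved, so this should be tested on a freshly built chroot. The empty-`$LDAPSERVER` case is already handled by the `if [ -z "$LDAPSERVER" ]` check above. Unchanged but visible in the context: `$BUNDLECRT` is obtained with `curl -f -k`, i.e. without TLS verification, so the trust anchor used for this verification is itself bootstrapped from an unverified download; this change does not make that any worse, but it is worth a comment in the script.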
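Review bot: the third hunk drops the comment "do absolutely nothing, if this host is already "attached" to a Debian Edu network" together with the early-exit check on the literal path `/etc/ssl/certs/debian-edu-server.crt`; the equivalent check now lives in do_start as `[ ! -f $CERTFILE ]`, so please confirm that `$CERTFILE` is set to that same path and carry the explanatory comment over to the new location, otherwise the reason for the guard is lost for the next reader.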