On Thu, Jul 11, 2019 at 10:14:01AM +0000, Mike Gabriel wrote:
> I don't see a reason for updating the LDAP cert in the chroot on every boot
> of the ltspserver, either.

Correct, it should only be fetched once. Thanks to Petter for explaining how the LDAP server certificate prevents potential credential exposure and that the 'fetch only once' is important for both host and chroot location.

Multiple issues here, please correct me if I'm wrong.

Since LTSP uses NBD instead of NFS (i.e. since Stretch), the LDAP server certificate is no longer contained in the initial SquashFS image that NBD uses. This is because this image is generated at the end of the installation process, when the certificate is missing in the LTSP chroot. The certificate is copied into the chroot on the first boot of the main server. It will be included in the NBD image only after this is updated. Until then the explained security hole exists.

I have tested a solution that puts the LDAP certificate into the image right at installation time.

(1) Skip generating the SquashFS image.
    Related file: etc/ltsp/ltsp-build-client.conf
(2) Use Cfengine to copy the certificates once generated.
    Related file: cf3/cf.finalize
(3) Adjust rights for NBD image dir and image file, which are wrong if the image file is generated in this unusual 'forced' way.
    Related file: cf3/cf.finalize
(4) Drop global condition for fetching the certificate and go back to the condition like used with Stretch.
    Related file: debian/debian-edu-config.fetch-ldap-cert

Other changes to debian/debian-edu-config.fetch-ldap-cert:
- Use variable instead of explicit ldap server name.
- Copy also the bundle certificate into the LTSP chroot.

This is the complete diff:

diff --git a/cf3/cf.finalize b/cf3/cf.finalize
index d77a284e..73b70580 100644
--- a/cf3/cf.finalize
+++ b/cf3/cf.finalize
@@ -52,6 +52,20 @@ files: link_from => ln_s("/usr/share/debian-edu/menu/menus/xfce-applications.menu"), move_obstructions => "true"; + # Make sure the LDAP server certificate is available in the LTSP chroot before + # the SqushFS image gets generated and make the image(s) accessible. + + debian.ltspserver.installation:: + + "/opt/ltsp/amd64/etc/ssl/certs/debian-edu-server.crt" + copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt"); + "/opt/ltsp/amd64/etc/ssl/certs/debian-edu-bundle.crt" + copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt"); + "/opt/ltsp/i386/etc/ssl/certs/debian-edu-server.crt" + copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt"); + "/opt/ltsp/i386/etc/ssl/certs/debian-edu-bundle.crt" + copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt"); + commands: debian.server.installation:: @@ -97,6 +111,15 @@ commands: "/usr/sbin/pam-auth-update --package" contain => in_shell; + + debian.ltspserver.installation:: + + "/usr/sbin/ltsp-update-image --config-nbd" + contain => in_shell; + "/bin/chmod 0755 /opt/ltsp/images/" + contain => in_shell; + "/bin/chmod 0644 /opt/ltsp/images/*.img" + contain => in_shell; } bundle edit_line profile diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert index dfec40da..1f555f18 100755 --- a/debian/debian-edu-config.fetch-ldap-cert +++ b/debian/debian-edu-config.fetch-ldap-cert @@ -29,7 +29,7 @@ do_start() { LDAPSERVER=$(debian-edu-ldapserver) ERROR=false - if [ -f /etc/nslcd.conf ] && + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" 
@@ -40,7 +40,7 @@ do_start() { fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new @@ -64,6 +64,7 @@ do_start() { log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " if test -s $CERTFILE; then cp $CERTFILE $ltsp_chroot$CERTFILE + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else log_action_end_msg 1 @@ -79,13 +80,7 @@ do_start() { case "$1" in start) - # do absolutely nothing, if this host is already "attached" to - # a Debian Edu network - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then - : - else - do_start - fi + do_start ;; stop) ;; diff --git a/etc/ltsp/ltsp-build-client.conf b/etc/ltsp/ltsp-build-client.conf index 17b34f67..58120088 100644 --- a/etc/ltsp/ltsp-build-client.conf +++ b/etc/ltsp/ltsp-build-client.conf 
@@ -7,7 +7,7 @@ # Uncomment the next two entries, if NFS instead of NBD should be used for a # manually created LTSP chroot. #NFS_ROOT="True" -#SQUASHFS_IMAGE="False" +SQUASHFS_IMAGE="False" # This setting is needed to be able to install a chroot using the BD ISO image. TRUST_FILE_MIRROR="True"

> Furthermore, we should not forget discussing the issue about deploying the
> rootCA instead of the LDAP server cert. What do you think about that?

IIRC the ldap server certificate is fetched directly from the LDAP server, just like it has been done before, and then validated against the rootCA one. The $BUNDLECRT file contains the rootCA certificate and the server certificate. It has been made downloadable from the internal web server so that this certificate chain could be imported by other machines inside the Debian Edu network (Windows, Mac), avoiding having to accept insecure (aka self-signed) certificates. But it might be that I fail to understand your question. Please check.

Wolfgang
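Review bot: the four copy_from promises added under debian.ltspserver.installation:: in cf.finalize assume that both /opt/ltsp/amd64 and /opt/ltsp/i386 exist and that /etc/ssl/certs/debian-edu-server.crt is already on the host during installation; on an LTSP server that is not also the main server the certificate is only fetched by fetch-ldap-cert at first boot, so the source file can be absent at this point. Guarding each promise with a class derived from fileexists() on the source and on the chroot directory would make the promise skip cleanly instead of reporting a failed copy. The new comment also misspells SquashFS as "SqushFS".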
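Review bot: in the commands: hunk of cf.finalize, `ltsp-update-image --config-nbd` is run once without naming a chroot while the files: section populates both amd64 and i386; please confirm the command builds images for both, otherwise the second chroot ends up without an image. `/bin/chmod 0644 /opt/ltsp/images/*.img` also fails with a shell error when no image was produced. A files: promise on /opt/ltsp/images with perms => mog("0644", "root", "root") (and a separate one for the directory) would be the idiomatic CFEngine way to set the rights and is a no-op on an empty directory.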
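Review bot: `[ ! -f $CERTFILE ]` in do_start leaves $CERTFILE unquoted and skips the fetch whenever any file exists at that path, including an empty or truncated one left behind by a failed earlier run (the later `test -s $CERTFILE` suggests empty files do occur). Using `! -s` here, or removing $CERTFILE.new when the fetch fails, avoids locking in a bad certificate permanently now that the fetch happens only once. A one-line comment on the new condition would also preserve the rationale that the removed comment in start) used to carry.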
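Review bot: replacing the hard-coded ldap.intern with $LDAPSERVER in the gnutls-cli call is correct (the `-z "$LDAPSERVER"` check above it covers the empty case), but note that the CA bundle passed via --x509cafile was just downloaded with `curl -f -k`, i.e. without certificate verification, so the first run establishes trust through an unauthenticated download. That is pre-existing and not introduced here, but since this hunk makes the fetch a one-time event, that single first run now decides trust for the lifetime of the host; a comment or a follow-up (for example checking the bundle against a fingerprint shipped with the installer) would be worth it.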
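Review bot: the added `cp $BUNDLECRT $ltsp_chroot$BUNDLECRT` sits inside `if test -s $CERTFILE`, which only checks the server certificate; when the curl download failed and the else branch (ldap-server-getcert) produced $CERTFILE, $BUNDLECRT may be empty or missing, so this cp either prints an error or copies an empty bundle into the chroot. Give it its own `test -s $BUNDLECRT` guard and quote both variables.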
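Review bot: dropping the guard in start) means do_start now runs on every boot, including the debian-edu-ldapserver lookup and the "Copying LDAP SSL certificate to ltsp-chroot" block, even though the fetch itself is skipped once $CERTFILE exists; given the earlier remark that the chroot copy need not happen on every boot either, consider moving the same `! -f $CERTFILE` style condition (or a comparison with the chroot copy) in front of the copy loop so the script is a true no-op on an already attached host.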
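Review bot: the uncommented SQUASHFS_IMAGE="False" in ltsp-build-client.conf now sits directly under a comment saying these two entries should be uncommented only if NFS instead of NBD is wanted; NBD is still in use and the image is now built by cf.finalize, so the comment should say that image generation is deliberately deferred to cf3/cf.finalize, otherwise the next reader will "fix" it back. It is also worth checking that an admin running ltsp-build-client later with this configuration still ends up with an NBD image.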
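A post-install check for the scenario described above, added here as an example and not part of the patch or of debian-edu-config: it verifies that the server and bundle certificates present on the host also exist, byte-identical, inside an LTSP chroot, and (when unsquashfs is installed) that a given NBD SquashFS image already lists them. Certificate names and chroot layout come from the thread; the image path is whatever the caller passes.

```shell
# Compare the host's LDAP certificates with the copies inside an LTSP chroot.
# Usage: audit_chroot_certs /etc/ssl/certs /opt/ltsp/amd64
# Returns 0 when both files exist in the chroot and match the host, 1 otherwise.
audit_chroot_certs() {
  host_certdir="$1"
  chroot_dir="$2"
  rc=0
  for name in debian-edu-server.crt debian-edu-bundle.crt; do
    host="$host_certdir/$name"
    inchroot="$chroot_dir/etc/ssl/certs/$name"
    if [ ! -s "$host" ]; then
      echo "MISSING or empty on host: $host"
      rc=1
      continue
    fi
    if [ ! -s "$inchroot" ]; then
      echo "MISSING or empty in chroot: $inchroot"
      rc=1
      continue
    fi
    # An image built from a chroot with a stale copy is as bad as one without it.
    if ! cmp -s "$host" "$inchroot"; then
      echo "DIFFERS from host copy: $inchroot"
      rc=1
    fi
  done
  return $rc
}

# Check whether the NBD SquashFS image already carries the certificate paths.
# Usage: audit_image_certs /opt/ltsp/images/amd64.img   (path is an assumption)
# Returns 0 if both are listed, 1 if one is missing, 2 if unsquashfs is unavailable.
audit_image_certs() {
  image="$1"
  command -v unsquashfs >/dev/null 2>&1 || { echo "unsquashfs not available"; return 2; }
  listing=$(unsquashfs -l "$image" 2>/dev/null) || { echo "cannot list $image"; return 1; }
  for name in debian-edu-server.crt debian-edu-bundle.crt; do
    if ! printf '%s\n' "$listing" | grep -q "/etc/ssl/certs/$name\$"; then
      echo "MISSING in image $image: $name"
      return 1
    fi
  done
  return 0
}
```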