
Re: Bug#931413: [debian-edu-commits] [Git][debian-edu/debian-edu-config][master] debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server...



On Thu, Jul 11, 2019 at 10:14:01AM +0000, Mike Gabriel wrote:
> I don't see a reason for updating the LDAP cert in the chroot on every boot
> of the ltspserver, either.

Correct, it should only be fetched once. Thanks to Petter for explaining 
how the LDAP server certificate prevents potential credential exposure and 
that the 'fetch only once' is important for both host and chroot location.

Multiple issues here, please correct me if I'm wrong.

Since LTSP uses NBD instead of NFS (i.e. since Stretch), the LDAP server 
certificate is no longer contained in the initial SquashFS image that 
NBD uses. This is because this image is generated at the end of the 
installation process when the certificate is missing in the LTSP chroot. 
The certificate is copied into the chroot on the first boot of the main 
server. It will be included in the NBD image only after this is updated.
Until then the explained security hole exists.

I have tested a solution that puts the LDAP certificate into the image 
right at installation time.

(1) Skip generating the SquashFS image.
    Related file: etc/ltsp/ltsp-build-client.conf
  
(2) Use Cfengine to copy the certificates once generated.
    Related file: cf3/cf.finalize

(3) Adjust rights for NBD image dir and image file, which are wrong if the 
    image file is generated in this unusual 'forced' way.
    Related file: cf3/cf.finalize

(4) Drop the global condition for fetching the certificate and go back to the
    condition as used with Stretch.
    Related file: debian/debian-edu-config.fetch-ldap-cert

Other changes to debian/debian-edu-config.fetch-ldap-cert:
- Use a variable instead of the explicit LDAP server name.
- Also copy the bundle certificate into the LTSP chroot.
  

This is the complete diff:

diff --git a/cf3/cf.finalize b/cf3/cf.finalize
index d77a284e..73b70580 100644
--- a/cf3/cf.finalize
+++ b/cf3/cf.finalize
@@ -52,6 +52,20 @@ files:
     link_from => ln_s("/usr/share/debian-edu/menu/menus/xfce-applications.menu"),
     move_obstructions => "true";
 
+  # Make sure the LDAP server certificate is available in the LTSP chroot before
+  # the SqushFS image gets generated and make the image(s) accessible.
+
+  debian.ltspserver.installation::
+
+    "/opt/ltsp/amd64/etc/ssl/certs/debian-edu-server.crt"
+    copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt");
+    "/opt/ltsp/amd64/etc/ssl/certs/debian-edu-bundle.crt"
+    copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt");
+    "/opt/ltsp/i386/etc/ssl/certs/debian-edu-server.crt"
+    copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt");
+    "/opt/ltsp/i386/etc/ssl/certs/debian-edu-bundle.crt"
+    copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt");
+
 commands:
 
   debian.server.installation::
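Review bot: the four copy promises for /opt/ltsp/amd64 and /opt/ltsp/i386 run unconditionally under debian.ltspserver.installation, so on a server that has only one of the two chroots the promises for the missing one either fail on every run or create a stray /opt/ltsp/<arch>/etc/ssl/certs tree; guard each pair with a class derived from the chroot's existence (e.g. `fileexists("/opt/ltsp/i386")`) or iterate over a list of chroots that actually exist. Also, "SqushFS" in the new comment should read "SquashFS".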
@@ -97,6 +111,15 @@ commands:
 
     "/usr/sbin/pam-auth-update --package"
       contain => in_shell;
+
+  debian.ltspserver.installation::
+
+    "/usr/sbin/ltsp-update-image --config-nbd"
+      contain => in_shell;
+    "/bin/chmod 0755 /opt/ltsp/images/"
+      contain => in_shell;
+    "/bin/chmod 0644 /opt/ltsp/images/*.img"
+      contain => in_shell;
 }
 
 bundle edit_line profile
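Review bot: the two chmod commands are non-convergent shell calls and also run even when `ltsp-update-image --config-nbd` fails; express the modes as files promises with `perms => m("0755")` for /opt/ltsp/images/ and `perms => m("0644")` with a depth_search for the *.img files, made dependent on the command's success class, so CFEngine can report and repair drift. The mail says the rights come out "wrong" after this forced image generation; record the mode ltsp-update-image actually leaves in a comment here so the workaround can be dropped once that is fixed.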
diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..1f555f18 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -29,7 +29,7 @@ do_start() {
     LDAPSERVER=$(debian-edu-ldapserver)
 
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
 	if [ -z "$LDAPSERVER" ] ; then
 	    msg="Failed to locate LDAP server"
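Review bot: `[ ! -f $CERTFILE ]` makes a zero-length certificate file permanent: -f is true for an empty file, while the copy into the chroot further down checks `test -s $CERTFILE`, so a run interrupted between creating and populating the file would never be retried. Use `[ ! -s "$CERTFILE" ]` and quote the variable.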
@@ -40,7 +40,7 @@ do_start() {
 	fi
 	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
 	if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
-	    gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+	    gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
 	else
 	    /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
 	    chmod 644 $CERTFILE.new
@@ -64,6 +64,7 @@ do_start() {
 		log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
 		if test -s $CERTFILE; then
 		    cp $CERTFILE $ltsp_chroot$CERTFILE
+		    cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
 		    [ "$VERBOSE" != no ] && log_action_end_msg 0
 		else
 		    log_action_end_msg 1
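Review bot: the new `cp $BUNDLECRT $ltsp_chroot$BUNDLECRT` is guarded only by `test -s $CERTFILE`, but $BUNDLECRT is only written when the curl download succeeds; on the ldap-server-getcert fallback path the bundle may be missing or empty, so this cp fails while `log_action_end_msg 0` still reports success. Guard the bundle copy with its own `test -s $BUNDLECRT` or check cp's exit status before logging success.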
@@ -79,13 +80,7 @@ do_start() {
 
 case "$1" in
     start)
-	# do absolutely nothing, if this host is already "attached" to
-	# a Debian Edu network
-	if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-	    :
-	else
-	    do_start
-	fi
+	do_start
 	;;
     stop)
 	;;
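Review bot: the removed comment was the only place documenting why the script is a no-op on a host already attached to a Debian Edu network; that behaviour now lives in the `[ ! -f $CERTFILE ]` test inside do_start (earlier hunk), so move the explanation there, and state in the commit message that do_start is now entered on every boot with the fetch itself gated inside it.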
diff --git a/etc/ltsp/ltsp-build-client.conf b/etc/ltsp/ltsp-build-client.conf
index 17b34f67..58120088 100644
--- a/etc/ltsp/ltsp-build-client.conf
+++ b/etc/ltsp/ltsp-build-client.conf
@@ -7,7 +7,7 @@
 # Uncomment the next two entries, if NFS instead of NBD should be used for a
 # manually created LTSP chroot.
 #NFS_ROOT="True"
-#SQUASHFS_IMAGE="False"
+SQUASHFS_IMAGE="False"
 
 # This setting is needed to be able to install a chroot using the BD ISO image.
 TRUST_FILE_MIRROR="True"
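Review bot: the comment directly above ("Uncomment the next two entries, if NFS instead of NBD should be used") now describes only NFS_ROOT, while SQUASHFS_IMAGE="False" is set unconditionally for a different reason (image generation is deferred to cf.finalize); reword the comment so an administrator does not re-comment the line believing it to be the NFS switch.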


> Furthermore, we should not forget discussing the issue about deploying the
> rootCA instead of the LDAP server cert. What do you think about that?

IIRC the ldap server certificate is fetched directly from the LDAP server, just like
it has been done before and then validated against the rootCA one.
 
The $BUNDLECRT file contains the rootCA certificate and the server 
certificate. It has been made downloadable from the internal web server 
so that this certificate chain could be imported by other machines 
inside the Debian Edu network (Windows, Mac), avoiding having to accept 
insecure (aka self-signed) certificates.

But it might be that I fail to understand your question.

Please check.

Wolfgang
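As an added example that is not part of this mail or of the debian-edu-config package: a small POSIX shell script, using only the openssl command line, that builds a throwaway root CA and LDAP server certificate, assembles a bundle in the shape described above ($BUNDLECRT holding the server certificate and the root CA), and shows the two behaviours the thread turns on: fetching the server certificate only once (with `-s` rather than `-f`, so an empty file is retried), and validating the fetched certificate against the root CA from the bundle rather than trusting it blindly. The hostname ldap.example.intern, all file paths (a temporary directory standing in for /etc/ssl/certs), and the bundle order (server certificate first, root CA last) are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the debian-edu-config patch. Everything below runs
# in a throwaway directory; no system files are touched.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_KEY=$WORK/ca.key;   CA_CRT=$WORK/ca.crt
SRV_KEY=$WORK/ldap.key; SRV_CSR=$WORK/ldap.csr; SRV_CRT=$WORK/ldap.crt
BUNDLECRT=$WORK/debian-edu-bundle.crt   # constructed stand-in for /etc/ssl/certs/debian-edu-bundle.crt
CERTFILE=$WORK/debian-edu-server.crt    # constructed stand-in for /etc/ssl/certs/debian-edu-server.crt
LDAP_CN="ldap.example.intern"           # hypothetical LDAP server name

# Throwaway root CA (self-signed) and a server certificate issued by it.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA_KEY" -out "$CA_CRT" \
        -subj "/CN=Demo Debian Edu Root CA" -days 2 >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$SRV_KEY" -out "$SRV_CSR" \
        -subj "/CN=$LDAP_CN" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -CAcreateserial -out "$SRV_CRT" -days 2 >/dev/null 2>&1 || return 1
    # Bundle as described in the thread: server certificate, then the root CA
    # (this order is a choice made for the demo).
    cat "$SRV_CRT" "$CA_CRT" > "$BUNDLECRT"
}

# A self-signed certificate carrying the same CN but not issued by our CA:
# this is what blind trust ("accept self-signed") would let through.
make_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
        -out "$WORK/rogue.crt" -subj "/CN=$LDAP_CN" -days 2 >/dev/null 2>&1
}

# Fetch-once: $1 is the certificate obtained from the server (here a local
# file standing in for the gnutls-cli --save-cert output). Writes $CERTFILE
# only when it is absent or empty; -s instead of -f so that an empty file left
# by an interrupted run is retried. Returns 0 if fetched, 2 if skipped.
fetch_cert_once() {
    if [ -s "$CERTFILE" ]; then
        return 2
    fi
    cp "$1" "$CERTFILE.new" && chmod 644 "$CERTFILE.new" \
        && mv "$CERTFILE.new" "$CERTFILE"
}

# Pull the last certificate block out of the bundle: by the order constructed
# above, that is the root CA.
extract_root_ca() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' \
        "$BUNDLECRT" > "$WORK/root.crt"
}

# Validate a certificate ($1) against the root CA from the bundle.
verify_cert() {
    extract_root_ca || return 1
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

main_demo() {
    make_demo_pki || { echo "openssl key/certificate generation failed"; return 1; }
    fetch_cert_once "$SRV_CRT" && echo "fetched server certificate into $CERTFILE"
    fetch_cert_once "$SRV_CRT" || echo "second run: certificate already present, not re-fetched (rc=$?)"
    verify_cert "$CERTFILE" && echo "server certificate chains to the root CA in the bundle"
    make_rogue_cert || return 1
    if verify_cert "$WORK/rogue.crt"; then
        echo "UNEXPECTED: rogue certificate accepted"; return 1
    else
        echo "rogue self-signed certificate with the same CN rejected"
    fi
}

main_demo
```

The second `fetch_cert_once` call returning 2 is the "fetch only once" property; the rejected rogue certificate is the reason the server certificate is validated against the root CA instead of being accepted as-is.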
