[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#931413: marked as done (fetch-ldap-cert should not renew Debian Edu PKI on clients on every reboot to improve security)

Your message dated Sat, 10 Aug 2019 10:08:08 +0000
with message-id <E1hwOIC-000DXU-UO@fasolo.debian.org>
and subject line Bug#931413: fixed in debian-edu-config 2.10.66
has caused the Debian Bug report #931413,
regarding fetch-ldap-cert should not renew Debian Edu PKI on clients on every reboot to improve security
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

931413: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931413
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Severity: serious
Version: 2.10.65

The former version of fetch-ldap-cert (stretch and before) retrieved the LDAP servers pub cert only once, that is on first boot on the Debian Edu network. A machine booted in one network would not have been reusable in some other Debian Edu network.

The reasoning behind this was:

11:54 < sunweaver> pere: the original approach of fetch-ldap-cert was: retrieve the cert from TJENER on first usage on the network and then remember it, right? 11:54 < sunweaver> So that a prepped notebook would belong to the first TJENER where it was first booted with. Right? 11:55 < sunweaver> The new fetch-ldap-cert always overwrites the LDAP cert and Debian Edu machines can migrate from one school to another.
11:55 < sunweaver> at least from what I read from the code...
11:55 < sunweaver> I found the previous approach more charming and "secure".
11:56 < sunweaver> in a world where GRUB is md5 protected, you would not be able to retrieve local data from the notebook.
11:57 < pere> sunweaver: yes.
11:58 < pere> sunweaver: the idea was that a stolen machine would not pass out and validate password from whoever happened to be able to provide a certificate, but stick to the one it was using during installation.

For migrating a Debian Edu workstation from one D-E network to another, one would have had to remove the /etc/ldap/ssl/ldap-server-pubkey.pem and reboot the machine at the new location.

With the latest (Debian Edu buster) implementation, the debian-edu-bundle.crt file is retrieved on every reboot and replaces the previously fetch cert file. IMHO, we should consider this as a severe regression that needs to be fixed.

Feedback? Opinions?

@Wolfgang: don't get me wrong, I am so happy about the new Debian Edu PKI stuff. That was really well done. I am just nitpicking on bits and pieces I stumble over while migrating a customer's network and report things here. Please don't take my "complaints" personally, only technically. Thank you!


c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgp5YmxToQBeG.pgp
Description: Digitale PGP-Signatur

--- End Message ---
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.10.66

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Hash: SHA512

Format: 1.8
Date: Sat, 10 Aug 2019 11:41:47 +0200
Source: debian-edu-config
Architecture: source
Version: 2.10.66
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 926933 928756 929964 930122 931366 931413 931680 932828 933183 933580
 debian-edu-config (2.10.66) unstable; urgency=medium
   [ Wolfgang Schweer ]
   * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756)
     - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
       that all DHCP server information is getting through to LTSP clients.
       (LTSP used this option before, but switched to 'ipappend 3' during the
       Buster development cycle to ease setups with ProxyDHCP.)
   * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
     - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
   * Set environment variable to deal with Firefox profile. (Closes: #930122)
     This is a workaround for bug #930125, preventing firefox-esr startup issues
     if the mozilla profile is on an NFS share).
     - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes"
       as content. Thanks to Mike Gabriel for spotting the issue and providing
       this information.
     - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file
       to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
   * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
     - While the reported arch is i686, LTSP uses i386. Set arch accordingly.
   * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
     - Remove outdated (and now wrong) logging section.
   * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828)
     - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
     - cf3/edu.cf: Define new class 'ltspimages'.
     - cf3/cf.finalize: Add code to include the LDAP server certificate for all
       possible use cases, to generate the image and to adjust various rights.
   * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
     - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the
       rootCA file to the web server directory at certificate generation time.
     - Adjust cf3/cf.finalize to care for the rootCA file as well.
     - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
       directory upon main server upgrade.
   * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
     - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
       to changed behaviour of the ifupdown/dhclient/systemd combination and now
       also causes the loss of a dynamically allocated ipv4 IP address after 20
       to 30 minutes after booting.
     - Add code to d/debian-edu-config.postinstall to implement the intended
       hostname update just after rebooting the system after a change.
     - Adjust Makefile.
   [ Mike Gabriel ]
   * debian/debian-edu-config.fetch-ldap-cert: Make the script (and with it
     Debian Edu buster workstations) work in a Debian Edu environment where
     the main server (TJENER) is still on Debian Edu 8 or 9. (Closes: #926933)
   * debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server
     certificate only once per host to improve security. This re-introduces
     the behaviour of fetch-ldap-cert in stretch and earlier. (Closes: #931413).
   [ Holger Levsen ]
   * Drop obsolete code in d-i/finish-install now that d-i uses haveged (via a
     newly introduced udeb) or a hardware RNG. (See #923675).
   * Bump standards version to 4.4.0, no changes needed.
 04f13395ffcd3497ced2b6416d43326c80abb521 1918 debian-edu-config_2.10.66.dsc
 cdb03702ea336c096ea83a1299d1f101c74bd865 342532 debian-edu-config_2.10.66.tar.xz
 3500f5cf337338572ea9d54571d30268032955a1 5232 debian-edu-config_2.10.66_source.buildinfo
 3ae5532ded3a02e30e84131feba33a8a53a516da562a11fdebbbf37eb08861d0 1918 debian-edu-config_2.10.66.dsc
 f05b1de98fe91db73e26cdafb48295c8893e1f712453b4ab287f098c37c4d1d0 342532 debian-edu-config_2.10.66.tar.xz
 218fc276448d872a81d6ad3a5117a0ad30f71ec1ac565e67e85434af8315062a 5232 debian-edu-config_2.10.66_source.buildinfo
 e098730c4c8f29837c230f0c8db5a06a 1918 misc optional debian-edu-config_2.10.66.dsc
 99a8f115b4fa8f67f073f0bccee6f9fa 342532 misc optional debian-edu-config_2.10.66.tar.xz
 28301807f531b70fedeabb2e6404e289 5232 misc optional debian-edu-config_2.10.66_source.buildinfo



--- End Message ---

Reply to: