Bug#931413: fetch-ldap-cert renews Debian Edu PKI on clients on every reboot

To: submit@bugs.debian.org
Subject: Bug#931413: fetch-ldap-cert renews Debian Edu PKI on clients on every reboot
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Thu, 04 Jul 2019 10:16:29 +0000
Message-id: <[🔎] 20190704101629.Horde.tTQMmY2joCI8KDIoYJrAfeC@mail.das-netzwerkteam.de>
Reply-to: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 931413@bugs.debian.org

Package: debian-edu-config
Severity: serious
Version: 2.10.65

The former version of fetch-ldap-cert (stretch and before) retrievedthe LDAP servers pub cert only once, that is on first boot on theDebian Edu network. A machine booted in one network would not havebeen reusable in some other Debian Edu network.


The reasoning behind this was:

```

11:54 < sunweaver> pere: the original approach of fetch-ldap-cert was:retrieve the cert from TJENER on first usage on the network and thenremember it, right?11:54 < sunweaver> So that a prepped notebook would belong to thefirst TJENER where it was first booted with. Right?11:55 < sunweaver> The new fetch-ldap-cert always overwrites the LDAPcert and Debian Edu machines can migrate from one school to another.

11:55 < sunweaver> at least from what I read from the code...
11:55 < sunweaver> I found the previous approach more charming and "secure".

11:56 < sunweaver> in a world where GRUB is md5 protected, you wouldnot be able to retrieve local data from the notebook.

11:57 < pere> sunweaver: yes.

11:58 < pere> sunweaver: the idea was that a stolen machine would notpass out and validate password from whoever happened to be able toprovide a certificate, but stick to the one it was using duringinstallation.

```

For migrating a Debian Edu workstation from one D-E network toanother, one would have had to remove the/etc/ldap/ssl/ldap-server-pubkey.pem and reboot the machine at the newlocation.

With the latest (Debian Edu buster) implementation, thedebian-edu-bundle.crt file is retrieved on every reboot and replacesthe previously fetch cert file. IMHO, we should consider this as asevere regression that needs to be fixed.


Feedback? Opinions?

@Wolfgang: don't get me wrong, I am so happy about the new Debian EduPKI stuff. That was really well done. I am just nitpicking on bits andpieces I stumble over while migrating a customer's network and reportthings here. Please don't take my "complaints" personally, onlytechnically. Thank you!


Thanks+Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgp3nO2l0hzkB.pgp
Description: Digitale PGP-Signatur

Reply to:

Follow-Ups:
- Bug#931413: fetch-ldap-cert renews Debian Edu PKI on clients on every reboot
  - From: Holger Levsen <holger@layer-acht.org>
- Processed: Re: Bug#931413: fetch-ldap-cert renews Debian Edu PKI on clients on every reboot
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Processed: Bug#931413 marked as pending in debian-edu-config
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#931413: [debian-edu-commits] [Git][debian-edu/debian-edu-config][master] debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server...
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Processed: Re: Bug#931366: krb5-admin-server nor krb5-kdc service cannot write their log files
Next by Date: Bug#931413: fetch-ldap-cert renews Debian Edu PKI on clients on every reboot
Previous by thread: Processed: Bug#931366 marked as pending in debian-edu-config
Next by thread: Bug#931413: fetch-ldap-cert renews Debian Edu PKI on clients on every reboot
Index(es):
- Date
- Thread