Hi Petter,

On Wed, 10 Jul 2019 15:15:53 CEST, Petter Reinholdtsen wrote:
> [Mike Gabriel]
>> Another error in reasoning... A diskless machine probably doesn't have any values/assets to protect, so why deploy the LDAP server cert at all to the diskless chroot? It is sufficient (and fully works) to retrieve the LDAP cert during the diskless machine's boot process.
>
> The LDAP server cert is placed inside diskless chroots to protect the users (for example their passwords) from man-in-the-middle attacks on the LDAP directory. The point is not to keep the read-only files safe, but the users logging into them.
Oh yeah, this is indeed a highly valid point. Without that, an attacker could fake a TJENER on the network (or pseudo-rollout another Debian Edu-like network to clients) and collect login credentials.
Time to secure our customers' diskless machines, I guess. Thanks for clarifying this point.
Mike

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
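As an added illustration of the point made in this exchange (not taken from the thread or from Debian Edu's own configuration), here is an OpenLDAP client configuration on a diskless client, showing the weak setting that accepts whatever certificate the server presents beside the hardened one that pins a CA certificate shipped inside the chroot image; the hostname, base DN and CA file path are assumed for the example.

```conf
# /etc/ldap/ldap.conf on the diskless client (constructed example)
#
# Weak: the server's certificate is never verified, so a host impersonating
# TJENER can terminate the TLS session and read the bind password. Fetching
# the cert at boot time lands in the same place: on first contact the client
# has nothing trusted to compare the fetched certificate against.
#
#   URI         ldap://ldap.example.intern
#   BASE        dc=example,dc=intern
#   TLS_REQCERT never
#
# Hardened: the CA certificate is baked into the read-only chroot image, so
# the server's identity is verified before any credentials leave the client.
URI         ldaps://ldap.example.intern
BASE        dc=example,dc=intern
# Path is an assumption for this example; point it at the CA your site issued.
TLS_CACERT  /etc/ssl/certs/site-ldap-ca.crt
# demand: abort the session if the certificate is missing or fails to verify.
TLS_REQCERT demand
```

With TLS_REQCERT set to demand, a client booted against a spoofed LDAP server fails the TLS handshake instead of sending its users' credentials, which is the protection the cert in the chroot buys.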