
Re: Bug#931413: [debian-edu-commits] [Git][debian-edu/debian-edu-config][master] debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server...



On Wed, Jul 10, 2019 at 06:31:32PM +0200, Wolfgang Schweer wrote:
> On Wed, Jul 10, 2019 at 02:50:19PM +0000, Mike Gabriel wrote:
> > On  Mi 10 Jul 2019 15:15:53 CEST, Petter Reinholdtsen wrote:
> > > [Mike Gabriel]
> > > > Another error in reasoning... A diskless machine doesn't probably have
> > > > any values/assets to protect, so why deploy the LDAP server cert at
> > > > all to the diskless chroot? It is sufficient (and fully works) to
> > > > retrieve the LDAP cert during the diskless machine's boot process.
> > > 
> > > The LDAP server cert is placed inside diskless chroots to protect the
> > > users (for example their passwords) from man-in-the-middle attacks on
> > > the LDAP directory.  The point is not to keep the read only files safe,
> > > but the users logging into them.
> > 
> > oh yeah, this is indeed a highly valid point. Without that, an attacker
> > could fake a TJENER on the network (or pseudo-rollout another Debian Edu
> > like network to clients) and collect login credentials.
>  
> This is supposed to be a problem since the time LTSP uses NBD, but only 
> for LTSP chroots that never got an update.
> 
> For Buster we should make sure that the LDAP certificate gets copied 
> into the LTSP chroot before the initial NBD image is built at 
> installation time to avoid another NBD build just after the first reboot.
> 
> This would require changes to /etc/ltsp/ltsp-build-client.conf and 
> cf3/cf.finalize (building the client without NBD image generation, 
> copying the certificate, then run ltsp-update-image).
 
Maybe another option could be to only change 
/etc/ltsp/ltsp-build-client.conf (building the client without NBD image 
generation) and generate the NBD image via xdebian-edu-firstboot.

Imo the fetch-ldap-cert script should be changed in any case like this 
to get the certificate into the LTSP chroot:

diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..2d68d318 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -29,7 +29,7 @@ do_start() {
     LDAPSERVER=$(debian-edu-ldapserver)
 
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
 	if [ -z "$LDAPSERVER" ] ; then
 	    msg="Failed to locate LDAP server"
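Review bot: `$CERTFILE` in the added test `[ ! -f $CERTFILE ]` is unquoted; write `[ ! -f "$CERTFILE" ]` so an empty value or a path containing spaces is still tested as a single argument, matching the quoting already used for `"$LDAPSERVER"` a few lines below. Note also that this test now decides whether the whole fetch runs, so the nslcd.conf branch is skipped silently whenever the file exists, including when it holds a stale or wrong certificate; a short comment on the new condition would make that intent explicit, since the comment that explained it in the `start)` case is removed in the third hunk.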
@@ -40,7 +40,7 @@ do_start() {
 	fi
 	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
 	if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
-	    gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+	    gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
 	else
 	    /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
 	    chmod 644 $CERTFILE.new
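Review bot: replacing the hard-coded `ldap.intern` with `$LDAPSERVER` makes this branch consistent with the `ldap-server-getcert $LDAPSERVER` fallback right below it, and the `[ -z "$LDAPSERVER" ]` check earlier in `do_start` already rules out an empty value; still, quote it as `"$LDAPSERVER"` on the gnutls-cli line. One caveat relevant to the man-in-the-middle concern raised in the thread: `$BUNDLECRT` is fetched with `curl -f -k`, so the CA bundle passed to `--x509cafile` is itself obtained without verification on first contact; the saved server certificate protects later logins, not that first fetch.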
@@ -79,13 +79,7 @@ do_start() {
 
 case "$1" in
     start)
-	# do absolutely nothing, if this host is already "attached" to
-	# a Debian Edu network
-	if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-	    :
-	else
-	    do_start
-	fi
+	do_start
 	;;
     stop)
 	;;
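Review bot: the removed guard tested the fixed path `/etc/ssl/certs/debian-edu-server.crt`, whereas the replacement check moved into `do_start` tests `$CERTFILE`; unless `CERTFILE` is set to exactly that path earlier in the script, `start` now behaves differently on hosts that already have the certificate. Please confirm the two refer to the same file, and carry the deleted explanatory comment ("do absolutely nothing, if this host is already attached to a Debian Edu network") over to the new condition so the intent is not lost.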

Please check.

Wolfgang
