Bug#1008672: debian-edu-config: Only fetch Debian Edu rootca once

To: submit@bugs.debian.org
Subject: Bug#1008672: debian-edu-config: Only fetch Debian Edu rootca once
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Wed, 30 Mar 2022 11:25:12 +0000
Message-id: <[🔎] 20220330112512.Horde.4lai82GPd-ObQVxnowBpiVT@mail.das-netzwerkteam.de>
Reply-to: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 1008672@bugs.debian.org

Package: debian-edu-config
Version: 2.12.20
Severity: important

I noticed a change on Debian Edu clients between Debian 9 and 11(unsure currently about Debian 10). In previous times, Debian Educlients got prepared for LDAP connectivity to TJENER on first boot viaobtaining the LDAP server's certificate. From then on the Debian Educlient would refuse talking to any other TJENER.

Migrating a Debian Edu client from one Debian Edu network to another,one would have to manually remove /etc/ldap/ssl/ldap-server-cert.pem(or what its name was).

With the new Debian Edu rootCA certificate (introduced with Debian Edu10) being used as a base for authorizing the relationship betweenclients and the network server TJENER, I observe that when pluggingone Debian Edu machine from one Debian Edu network into some otherDebian Edu network the Debian Edu client machine would adjust itselfto the new network (update Debian-Edu_rootCA.crt) during boot time.

For roaming workstations, this could indeed compromise home directorydata stored on roaming workstations.

Attack scenario: your school provides you with a Debian Edu notebook(roaming workstation). This Debian Edu notebook was previously used byyour teacher. Your teacher possibly copied over some exam documents orsome such to that home (e.g. via a Nextcloud syncing app or some such).

The student takes this notebook home, sets up their own Debian Eduserver, creates a user account with same userId of the student or theteacher itself, adds sudo permissions for this account and boom, thestudent has admin privileges on that notebook.

I'd suggest going back to the previous behaviour where a notebookwould only attach itself to one Debian Edu TJENER on first boot andfrom then on be only authorized to talk to the LDAP server of thatinitial Debian Edu network it was booted in.


Comments? Feedback?

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpUXgVvx0eJs.pgp
Description: Digitale PGP-Signatur

Reply to:

Prev by Date: Bug#1008597: debian-edu-install: Ask for hostname during standalone installation
Previous by thread: Bug#1008602: debian-edu-config: Xfce/MATE in X2Go sessions very sluggish with Compositing enabled in xfwm
Index(es):
- Date
- Thread