Re: securing netboot
Greetings,
On Mon, Nov 16, 2009 at 10:44 AM, Ivan Shmakov <ivan@main.uusia.org> wrote:
> Do I understand correctly that the netbooting Debian Live is
> currently inherently insecure against both eavesdroppers and
> intruders?
>
> I see that even if the gPXE option to securely check the kernel
> and initramfs images after downloading is used, NFS has still to
> be secured separately.
>
> Anyway, the process of establishing the secure connection to the
> netboot server depends on a kind of secure ``token'' (say, a
> private key and an X.509 certificate.) Do I understand it
> correctly that, in principle, the availability of such a token
> early during the boot process may allow for the whole netboot
> process to be secure?
>
> The secure token may, e. g., be embedded into the initramfs
> image, which, together with the kernel, may be stored on a
> removable media, such as a USB Flash or a CD-R (DVD+R) disk.
>
> It may seem that the cost of maintenance of such a secure Debian
> Live installation is more than of an ordinary USB Flash drive
> loaded with Debian Live. However, it doesn't seem so anymore
> when the number of the hosts to be booted exceeds tens,
> considering the cost of using (and -- regularly updating!)
> multiple disks or USB Flash media.
>
> To put the last paragraph simply, the pros of Debian Live
> configured for, e. g., booting from DVD+R(W):
>
> * works ``out of box''.
>
> But the cons are:
>
> * the number of hosts up at the same moment cannot exceed the
> number of the disks burned;
>
> * each time a security fix is released, or a new package is
> needed, or the configuration is to be changed, all the boot
> media has to be re-written.
>
> For now, I'm considering using IKEv2 (as provided by the
> strongSwan implementation) embedded, along with a private key
> and a certificate, into the initramfs image. I'd be glad to
> hear any suggestions, ideas, or (well, there may be) success
> stories.
>
Well, you could use MAC addresses and DHCP for some layer of security,
and you could also boot http.iso and only use PXE to get started. Back
when hook= was originally introduced, I booted to the boot prompt, where
users had to use hook=http://username:password@hostname/ to pull in
the custom hooks for a given set of users. I am not sure if hook= is
working or not.
Anyhow hope this information assists.
> --
> FSF associate member #7257