
Re: debian-installer preseeding over https

On 06/05/2017 at 01:03, Mario Abajo wrote:
> Hello,
>     Playing with unattended deployments of Debian using foreman
> (https://theforeman.org/) I found out that debian-installer doesn't
> support loading the preseeding file from a https server. It does it well
> from a http url but using ssl never works. I have found an old question
> in stackoverflow about this
> (https://serverfault.com/questions/320019/how-to-use-debug-debian-preseed-with-ssl-using-startssl-certs)
> explaining that the problem comes from the wget in busybox not compiled
> with SSL support, it's old, but it's still true with the actual stable
> and testing releases. I would like to know how to file a bug (wishlist)
> for this, also, I would like to hear some opinions about it; other
> distros have this support even with the fact that it's not perfect
> (because you trust all certificates, and that's not good) but at least
> you avoid simple sniffers taking your installation data (and hashed
> passwords).
> Thanks in advance,
>       Mario Abajo

Hi Mario,

It seems there is an open bug report already:

Preseeding over HTTPS would be a very interesting feature, but if you do
just a minimal installation and then use The Foreman for everything else
(I have never used it), avoiding sniffers does not seem crucial to me.
Just use The Foreman to:
- check that important installation steps were properly done (correct
partitioning, only required packages installed, correct source.list,
correct time zone…)
- change password
- configure your machine

But unfortunately you are right, running over HTTP can be a problem: if
an attacker is able to modify the preseed.cfg, he could run any command
(see bottom of the preseed file example). Checking the installation log
might not even be sufficient…

Best regards,
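
Added example, not part of the original message or of debian-installer: a check that could be run on the provisioning host against the preseed file as served over HTTP, comparing it to a SHA-256 digest recorded out of band and listing every directive that makes the installer execute commands. The four debconf key names come from the Debian preseed documentation; the function names and the sample data are constructed for illustration.

```python
import hashlib

# debconf keys that make debian-installer run shell commands or fetched scripts
EXEC_KEYS = {"preseed/early_command", "preseed/late_command",
             "partman/early_command", "preseed/run"}

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and # comments."""
    buf = ""
    for raw in text.splitlines():
        if not buf and raw.lstrip().startswith("#"):
            continue
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "   # continuation: keep reading the same directive
            continue
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def exec_directives(text):
    """Return (key, value) for every preseed directive that executes commands."""
    found = []
    for line in logical_lines(text):
        parts = line.split(None, 3)          # owner, key, type, value
        if len(parts) >= 3 and parts[1] in EXEC_KEYS:
            found.append((parts[1], parts[3] if len(parts) == 4 else ""))
    return found

def audit(fetched, pinned_sha256):
    """Return (digest_matches, command_directives) for the fetched bytes."""
    digest = hashlib.sha256(fetched).hexdigest()
    return digest == pinned_sha256, exec_directives(fetched.decode("utf-8", "replace"))

# Constructed sample data: a reference file and a copy altered in transit.
GOOD = (b"# constructed sample preseed\n"
        b"d-i time/zone string UTC\n"
        b"d-i passwd/root-password-crypted password $6$CONSTRUCTED\n")
PINNED = hashlib.sha256(GOOD).hexdigest()    # stands in for a digest stored out of band
TAMPERED = GOOD + (b"d-i preseed/late_command string \\\n"
                   b"    in-target touch /root/constructed-marker\n")

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, audit(blob, PINNED))
```

A digest mismatch is the signal that matters; the directive list only tells the operator where to look first in a file that has changed.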
