
Re: debian-installer preseeding over https



On 06/05/2017 at 01:03, Mario Abajo wrote:
> Hello,
>     Playing with unattended deployments of Debian using Foreman
> (https://theforeman.org/) I found out that debian-installer doesn't
> support loading the preseeding file from an https server. It does it well
> from an http url but using ssl never works. I have found an old question
> on Stack Overflow about this
> (https://serverfault.com/questions/320019/how-to-use-debug-debian-preseed-with-ssl-using-startssl-certs)
> explaining that the problem comes from the wget in busybox not compiled
> with SSL support; it's old, but it's still true with the current stable
> and testing releases. I would like to know how to file a bug (wishlist)
> for this; also, I would like to hear some opinions about it: other
> distros have this support even with the fact that it's not perfect
> (because you trust all certificates, and that's not good) but at least
> you avoid simple sniffers taking your installation data (and hashed
> passwords).
> 
> Thanks in advance,
>       Mario Abajo

Hi Mario,

It seems there is an open bug report already:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698528

Preseeding over HTTPS would be a very interesting feature, but if you do
just a minimal installation and then use The Foreman for everything else
(I have never used it), avoiding sniffers does not seem crucial to me.
Just use The Foreman to:
- check that important installation steps were properly done (correct
partitioning, only required packages installed, correct sources.list,
correct time zone…)
- change password
- configure your machine

But unfortunately you are right, running over HTTP can be a problem: if
an attacker is able to modify the preseed.cfg, he could run any command
(see the bottom of the preseed file example). Checking the installation
log might not even be sufficient…

Best regards,
Yvan
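
A check that follows from Yvan's point above, written as an added example for this thread (not code from debian-installer, Foreman or either poster): run against a copy of preseed.cfg fetched the way the installer fetches it over plain HTTP, it lists the d-i directives that execute shell commands (preseed/early_command, preseed/late_command, preseed/run, preseed/include_command) and reports whether the content still matches the SHA-256 recorded when the file was published. The preseed syntax handling (owner question type value, '#' comments, backslash continuations) is assumed from the standard d-i format, and the sample file and its hash are constructed.

```python
"""Audit a debian-installer preseed.cfg fetched over plain HTTP.

Added example, not code from debian-installer or Foreman. Assumes the usual
d-i preseed syntax ("owner question type value", '#' comments, backslash
continuations); the sample preseed below is constructed for this example.
"""
import hashlib

# d-i questions whose value the installer executes as a shell command.
COMMAND_QUESTIONS = {
    "preseed/early_command", "preseed/late_command",
    "preseed/run", "preseed/include_command",
}

def parse_preseed(text):
    """Yield (owner, question, type, value) per logical line, joining '\\' continuations."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # directive continues on the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)       # owner, question, type, rest-of-line value
        if len(parts) >= 3:
            owner, question, qtype = parts[:3]
            yield owner, question, qtype, parts[3] if len(parts) == 4 else ""

def command_directives(text):
    """Return (question, command) pairs that would run shell commands during install."""
    return [(q, v) for _, q, _, v in parse_preseed(text) if q in COMMAND_QUESTIONS]

def sha256_of(text):
    return hashlib.sha256(text.encode()).hexdigest()

def matches_pinned(text, expected_sha256):
    """True if the fetched copy is byte-identical to the copy whose hash was pinned."""
    return sha256_of(text) == expected_sha256

# Constructed sample: a small preseed with a late_command appended by a tamperer.
SAMPLE = """\
d-i debian-installer/locale string en_US
d-i passwd/root-password-crypted password $6$constructed$placeholder
# comment lines are ignored
d-i preseed/late_command string \\
    in-target /bin/sh -c 'echo TAMPERED-EXAMPLE'
"""
```

Comparing the fetched copy against the pinned hash detects the in-transit modification the message describes; listing the command directives shows what an altered file would have made the installer run.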
