On Wed, Jul 10, 2019 at 06:31:32PM +0200, Wolfgang Schweer wrote:
> On Wed, Jul 10, 2019 at 02:50:19PM +0000, Mike Gabriel wrote:
> > On  Mi 10 Jul 2019 15:15:53 CEST, Petter Reinholdtsen wrote:
> > > [Mike Gabriel]
> > > > Another error in reasoning... A diskless machine probably doesn't have
> > > > any values/assets to protect, so why deploy the LDAP server cert at
> > > > all to the diskless chroot? It is sufficient (and fully works) to
> > > > retrieve the LDAP cert during the diskless machine's boot process.
> > > 
> > > The LDAP server cert is placed inside diskless chroots to protect the
> > > users (for example their passwords) from man-in-the-middle attacks on
> > > the LDAP directory.  The point is not to keep the read only files safe,
> > > but the users logging into them.
> > 
> > oh yeah, this is indeed a highly valid point. Without that, an attacker
> > could fake a TJENER on the network (or pseudo-rollout another Debian Edu
> > like network to clients) and collect login credentials.
>  
> This has supposedly been a problem ever since LTSP started using NBD, but only 
> for LTSP chroots that never got an update.
> 
> For Buster we should make sure that the LDAP certificate gets copied 
> into the LTSP chroot before the initial NBD image is built at 
> installation time to avoid another NBD build just after the first reboot.
> 
> This would require changes to /etc/ltsp/ltsp-build-client.conf and 
> cf3/cf.finalize (building the client without NBD image generation, 
> copying the certificate, then running ltsp-update-image).
 
Maybe another option could be to only change 
/etc/ltsp/ltsp-build-client.conf (building the client without NBD image 
generation) and generate the NBD image via xdebian-edu-firstboot.

IMO the fetch-ldap-cert script should in any case be changed like this 
to get the certificate into the LTSP chroot:

diff --git a/debian/debian-edu-config.fetch-ldap-cert 
b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..2d68d318 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -29,7 +29,7 @@ do_start() {
     LDAPSERVER=$(debian-edu-ldapserver)
 
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
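Review bot: `$CERTFILE` in the new `[ ! -f $CERTFILE ]` test is unquoted and its assignment is outside this hunk; please quote it (`[ ! -f "$CERTFILE" ]`) and confirm it is the same path the `grep` on the next line and the old `start)` guard use, /etc/ssl/certs/debian-edu-server.crt, otherwise moving the "already attached" check down here changes when a fetch happens. Also, `-f` only tests presence: a cert left behind by an earlier install or by a different network silences the fetch for good, so a comment stating that this is intended (the image is meant to carry tjener's cert from build time) would help the next reader.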
@@ -40,7 +40,7 @@ do_start() {
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL 
certificate."
        if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; 
then
-           gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new 
ldap.intern < /dev/null
+           gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new 
$LDAPSERVER < /dev/null
        else
            /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER 
> $CERTFILE.new
            chmod 644 $CERTFILE.new
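Review bot: the bootstrap trust here is still unauthenticated: `curl -f -k https://www.intern/debian-edu-bundle.crt` disables TLS verification, so the bundle handed to `--x509cafile`, and through it the cert written to `$CERTFILE.new`, comes from whoever answers as www.intern on the first run, and the `else` branch (`ldap-server-getcert`) verifies nothing at all. Replacing `ldap.intern` with `$LDAPSERVER` is consistent with the `-z "$LDAPSERVER"` guard earlier in `do_start`, but quote it (`"$LDAPSERVER"`), and since the mail's point is that this fetch should happen while the chroot is built on tjener rather than on a client at boot, a comment saying that the `-k` fetch is only acceptable on the server side would stop someone re-enabling the boot-time path on clients.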
@@ -79,13 +79,7 @@ do_start() {
 
 case "$1" in
     start)
-       # do absolutely nothing, if this host is already "attached" to
-       # a Debian Edu network
-       if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-           :
-       else
-           do_start
-       fi
+       do_start
        ;;
     stop)
        ;;
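Review bot: with the early return gone, `do_start` now runs on every `start`, including on hosts that already have /etc/ssl/certs/debian-edu-server.crt; only the first `if` in `do_start` is guarded by the new `[ ! -f $CERTFILE ]`, so whatever `do_start` does after that block (not shown in this patch) now executes on every boot where it used to be skipped, and the test also went from `-e` to `-f`, so a non-regular file at that path now counts as absent. Please check the tail of `do_start`, and carry the removed comment ("do absolutely nothing, if this host is already attached to a Debian Edu network") over to the new test so the intent is not lost.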

Please check.

Wolfgang

Attachment: signature.asc
Description: PGP signature
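The staging order the reply asks for (certificate into the chroot first, NBD image second), written out as an added example. This is not debian-edu-config or LTSP code; it assumes the certificate path that fetch-ldap-cert and nslcd.conf use (/etc/ssl/certs/debian-edu-server.crt), and it calls the image build through a hypothetical LTSP_UPDATE_IMAGE hook that defaults to ltsp-update-image (the argument form is assumed) so that it can be swapped out. Unlike a plain "does the file exist" test, it compares fingerprints, so a rotated certificate on tjener is re-staged instead of being masked by a stale copy.

```shell
# Added example (not debian-edu-config code): stage tjener's LDAP server
# certificate into an LTSP chroot *before* the NBD image is generated, so the
# image already carries the pinned cert and clients never have to learn it
# over the network.  Assumptions: the cert path used by fetch-ldap-cert and
# nslcd.conf, and the LTSP_UPDATE_IMAGE hook standing in for ltsp-update-image
# (argument form assumed), overridable for testing.

CERT_REL=etc/ssl/certs/debian-edu-server.crt
LTSP_UPDATE_IMAGE=${LTSP_UPDATE_IMAGE:-ltsp-update-image}

# SHA-256 of a file, so a changed server cert is noticed even when a file
# with the right name already exists (a plain "-f" test would not notice).
cert_fingerprint() {
    sha256sum < "$1" | cut -d' ' -f1
}

# 0 if ROOT already carries a non-empty cert at the pinned path.
chroot_has_cert() {
    [ -s "$1/$CERT_REL" ]
}

# stage_cert SRC ROOT: copy SRC into ROOT at the pinned path (mode 0644, so
# nslcd can read it), refusing anything that is not PEM and verifying the copy.
stage_cert() {
    src=$1
    root=$2
    [ -s "$src" ] || { echo "stage_cert: $src missing or empty" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$src" \
        || { echo "stage_cert: $src is not a PEM certificate" >&2; return 1; }
    mkdir -p "$root/$(dirname "$CERT_REL")" || return 1
    install -m 0644 "$src" "$root/$CERT_REL" || return 1
    [ "$(cert_fingerprint "$src")" = "$(cert_fingerprint "$root/$CERT_REL")" ]
}

# stage_then_build SRC ROOT: the order the thread asks for, cert first, then
# the image.  Re-stages when the cert on tjener has changed; never builds the
# image without a verified cert in place.
stage_then_build() {
    src=$1
    root=$2
    if chroot_has_cert "$root" &&
       [ "$(cert_fingerprint "$src")" = "$(cert_fingerprint "$root/$CERT_REL")" ]; then
        echo "cert already staged in $root and unchanged" >&2
    else
        stage_cert "$src" "$root" || return 1
    fi
    "$LTSP_UPDATE_IMAGE" "$root"
}

# Usage: sh stage-ldap-cert.sh /etc/ssl/certs/debian-edu-server.crt /opt/ltsp/amd64
if [ $# -eq 2 ]; then
    stage_then_build "$1" "$2"
fi
```

Run it on tjener after ltsp-build-client has produced the chroot but before the image exists; if the certificate is later reissued, running it again replaces the copy and rebuilds the image, whereas a boot-time fetch guarded only by file presence would keep trusting the old one.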