Your message dated Sat, 10 Aug 2019 10:08:08 +0000
with message-id <e1hwoic-000dxu...@fasolo.debian.org>
and subject line Bug#931413: fixed in debian-edu-config 2.10.66
has caused the Debian Bug report #931413,
regarding fetch-ldap-cert should not renew Debian Edu PKI on clients on every reboot to improve security
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
931413: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931413
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Severity: serious
Version: 2.10.65

The former version of fetch-ldap-cert (stretch and before) retrieved the LDAP server's pub cert only once, that is on first boot on the Debian Edu network. A machine booted in one network would not have been reusable in some other Debian Edu network.

The reasoning behind this was:

```
11:54 < sunweaver> pere: the original approach of fetch-ldap-cert was: retrieve the cert from TJENER on first usage on the network and then remember it, right?
11:54 < sunweaver> So that a prepped notebook would belong to the first TJENER where it was first booted with. Right?
11:55 < sunweaver> The new fetch-ldap-cert always overwrites the LDAP cert and Debian Edu machines can migrate from one school to another.
11:55 < sunweaver> at least from what I read from the code...
11:55 < sunweaver> I found the previous approach more charming and "secure".
11:56 < sunweaver> in a world where GRUB is md5 protected, you would not be able to retrieve local data from the notebook.
11:57 < pere> sunweaver: yes.
11:58 < pere> sunweaver: the idea was that a stolen machine would not pass out and validate password from whoever happened to be able to provide a certificate, but stick to the one it was using during installation.
```

For migrating a Debian Edu workstation from one D-E network to another, one would have had to remove /etc/ldap/ssl/ldap-server-pubkey.pem and reboot the machine at the new location.

With the latest (Debian Edu buster) implementation, the debian-edu-bundle.crt file is retrieved on every reboot and replaces the previously fetched cert file. IMHO, we should consider this as a severe regression that needs to be fixed.

Feedback? Opinions?

@Wolfgang: don't get me wrong, I am so happy about the new Debian Edu PKI stuff. That was really well done. I am just nitpicking on bits and pieces I stumble over while migrating a customer's network and report things here.
Please don't take my "complaints" personally, only technically. Thank you!

Thanks+Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
--- End Message ---
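The behaviour the report asks for is a trust-on-first-use pin: the certificate fetched from TJENER is stored only when the host has none yet, and every later boot keeps the stored copy instead of overwriting it. The script below is an added illustration of that rule and is not the debian-edu-config fetch-ldap-cert script; it assumes the download from TJENER has already happened and takes that downloaded file as its first argument, and it reuses the /etc/ldap/ssl/ldap-server-pubkey.pem path named in the report. The certificate contents in the demo are constructed placeholders, not real PEM data.

```shell
#!/bin/sh
# Added illustration (not the debian-edu-config fetch-ldap-cert script) of the
# "retrieve once, then keep" rule the bug report argues for. The download from
# TJENER is assumed to have happened already; $1 is that downloaded file.
#
# pin_cert FETCHED PINNED
#   exit 0: PINNED was missing and is now installed, or already matches FETCHED
#   exit 1: nothing usable was fetched; the pinned file (if any) is left alone
#   exit 2: a different certificate is already pinned; refuse to replace it
pin_cert() {
    fetched=$1
    pinned=$2

    if [ ! -s "$fetched" ]; then
        echo "pin_cert: nothing fetched, keeping current state" >&2
        return 1
    fi

    if [ ! -e "$pinned" ]; then
        # First boot on this network: the only moment the fetched certificate
        # is trusted without anything on the host to compare it against.
        mkdir -p "$(dirname "$pinned")"
        (umask 022 && cp "$fetched" "$pinned.tmp") && mv "$pinned.tmp" "$pinned"
        echo "pin_cert: pinned $pinned" >&2
        return 0
    fi

    if cmp -s "$fetched" "$pinned"; then
        return 0   # same certificate as on the first boot; nothing to do
    fi

    # A later boot that sees a different certificate is refused and logged.
    # A genuine move to another network needs an administrator to remove
    # $pinned first, exactly as the report describes for the stretch behaviour.
    echo "pin_cert: WARNING: fetched certificate differs from pinned $pinned; not replacing it" >&2
    return 2
}

# pinned_fingerprint PINNED: SHA-256 of the pinned file, handy for audit logs.
pinned_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Demo run with constructed placeholder contents (not real PEM data).
demo() {
    tmp=$(mktemp -d)
    pinned="$tmp/etc/ldap/ssl/ldap-server-pubkey.pem"   # path from the report

    printf 'CONSTRUCTED-CERT-FROM-SCHOOL-A\n' > "$tmp/fetched"
    pin_cert "$tmp/fetched" "$pinned"          # first boot: pins A
    pin_cert "$tmp/fetched" "$pinned"          # reboot, same TJENER: ok

    printf 'CONSTRUCTED-CERT-FROM-SCHOOL-B\n' > "$tmp/fetched"
    pin_cert "$tmp/fetched" "$pinned"          # other network: refused (exit 2)
    echo "still pinned: $(pinned_fingerprint "$pinned")"

    rm -rf "$tmp"
}

demo
```

The mismatch branch is the security-relevant one: a host that silently accepts whatever certificate the current network offers will validate passwords against any LDAP server it is pointed at, which is the concern pere states in the quoted IRC log. Returning a distinct exit status and writing a warning gives the boot scripts and the administrator something to act on, and the deliberate manual removal step keeps migration possible without weakening the default.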
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.10.66

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 931...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <hol...@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 10 Aug 2019 11:41:47 +0200
Source: debian-edu-config
Architecture: source
Version: 2.10.66
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <hol...@debian.org>
Closes: 926933 928756 929964 930122 931366 931413 931680 932828 933183 933580
Changes:
 debian-edu-config (2.10.66) unstable; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756)
     - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
       that all DHCP server information is getting through to LTSP clients.
       (LTSP used this option before, but switched to 'ipappend 3' during the
       Buster development cycle to ease setups with ProxyDHCP.)
   * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
     - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
   * Set environment variable to deal with Firefox profile. (Closes: #930122)
     This is a workaround for bug #930125, preventing firefox-esr startup
     issues if the mozilla profile is on an NFS share.
     - Ship share/debian-edu-config/edu-firefox-nfs with
       NSS_SDB_USE_CACHE="yes" as content. Thanks to Mike Gabriel for spotting
       the issue and providing this information.
     - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs'
       file to appropriate files below '/etc/X11/Xsession.d' and
       '/etc/profile.d'.
   * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
     - While the reported arch is i686, LTSP uses i386. Set arch accordingly.
   * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
     - Remove outdated (and now wrong) logging section.
   * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828)
     - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
     - cf3/edu.cf: Define new class 'ltspimages'.
     - cf3/cf.finalize: Add code to include the LDAP server certificate for
       all possible use cases, to generate the image and to adjust various
       rights.
   * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
     - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy
       the rootCA file to the web server directory at certificate generation
       time.
     - Adjust cf3/cf.finalize to care for the rootCA file as well.
     - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
       directory upon main server upgrade.
   * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
     - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
       to changed behaviour of the ifupdown/dhclient/systemd combination and
       now also causes the loss of a dynamically allocated ipv4 IP address
       after 20 to 30 minutes after booting.
     - Add code to d/debian-edu-config.postinstall to implement the intended
       hostname update just after rebooting the system after a change.
     - Adjust Makefile.
 .
   [ Mike Gabriel ]
   * debian/debian-edu-config.fetch-ldap-cert: Make the script (and with it
     Debian Edu buster workstations) work in a Debian Edu environment where
     the main server (TJENER) is still on Debian Edu 8 or 9. (Closes: #926933)
   * debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server
     certificate only once per host to improve security. This re-introduces
     the behaviour of fetch-ldap-cert in stretch and earlier. (Closes: #931413).
 .
   [ Holger Levsen ]
   * Drop obsolete code in d-i/finish-install now that d-i uses haveged (via a
     newly introduced udeb) or a hardware RNG. (See #923675).
   * Bump standards version to 4.4.0, no changes needed.
Checksums-Sha1:
 04f13395ffcd3497ced2b6416d43326c80abb521 1918 debian-edu-config_2.10.66.dsc
 cdb03702ea336c096ea83a1299d1f101c74bd865 342532 debian-edu-config_2.10.66.tar.xz
 3500f5cf337338572ea9d54571d30268032955a1 5232 debian-edu-config_2.10.66_source.buildinfo
Checksums-Sha256:
 3ae5532ded3a02e30e84131feba33a8a53a516da562a11fdebbbf37eb08861d0 1918 debian-edu-config_2.10.66.dsc
 f05b1de98fe91db73e26cdafb48295c8893e1f712453b4ab287f098c37c4d1d0 342532 debian-edu-config_2.10.66.tar.xz
 218fc276448d872a81d6ad3a5117a0ad30f71ec1ac565e67e85434af8315062a 5232 debian-edu-config_2.10.66_source.buildinfo
Files:
 e098730c4c8f29837c230f0c8db5a06a 1918 misc optional debian-edu-config_2.10.66.dsc
 99a8f115b4fa8f67f073f0bccee6f9fa 342532 misc optional debian-edu-config_2.10.66.tar.xz
 28301807f531b70fedeabb2e6404e289 5232 misc optional debian-edu-config_2.10.66_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAl1Ok7oACgkQCRq4Vgaa
qhyaJhAAggyyBQ3oamr/QU7WKvofET70WO3g189mEDhEaUMpf9+rASpg8N+Sj7V7
061pJhxoInwESdpPXmWgxZkNo7uJ2EH5eGaO39cDmKXOmu2bxL7Qe0n6veuDU6JW
0gk0+s2stNeyRF4CLqT3Ec+IuHNNRuxVOgiP1hoAvdb98LyzigfZ09rVOYe04R+c
5bby160jFykV0mDmaLkQBbHV/2eye1j98OSYCq1P1YEbWmTWHoM66rNTROSJ4900
dAI+FwHQ+5rn+rHTgE+0ydtrMrbIPso87tlsXHZQ9UF7NYGTPUodhE0bfErMrOvO
k+DbrYH1FtsZ9lnmT0XBohl6W92EHJFlRCp/V5ar+xotGqOLRVpPsNLmFL6GROff
eWsQka9IoXLUaEDluotBO+kB56c0Nm9KPjOoPQHnoiOqLLlcOrBh2yOGIPNOcYIv
50FgLoPqZIW6taF2Gkd+zUtuivTKNH4k/KbLtx7CjoKi5Nz84OYiL1rqxp0+PFwi
iQSvoZVWJxV4p5sMB0HbVsj/cWaTNBbwRs8sE/20ha4P+Q+ONbzPZIWwafWT8N8X
FZZZcQ0spY9o5x5R76c0cYtwqKCKdY+42vm+lSitcd0JACRLXoMdEfo0hdP5e8ds
74keRouTnwlI3pOHlkJtuKQIWycCIX9AC8EMvzQA5l8PbPYVy68=
=tFxx
-----END PGP SIGNATURE-----
--- End Message ---