Greetings,

On Mon, Nov 16, 2009 at 10:44 AM, Ivan Shmakov <[email protected]> wrote:
> Do I understand correctly that the netbooting Debian Live is
> currently inherently insecure against both eavesdroppers and
> intruders?
>
> I see that even if the gPXE option to securely check the kernel
> and initramfs images after downloading is used, NFS has still to
> be secured separately.
>
> Anyway, the process of establishing the secure connection to the
> netboot server depends on a kind of secure ``token'' (say, a
> private key and an X.509 certificate.) Do I understand it
> correctly that, in principle, the availability of such a token
> early during the boot process may allow for the whole netboot
> process to be secure?
>
> The secure token may, e. g., be embedded into the initramfs
> image, which, together with the kernel, may be stored on a
> removable media, such as a USB Flash or a CD-R (DVD+R) disk.
>
> It may seem that the cost of maintenance of such a secure Debian
> Live installation is more than of an ordinary USB Flash drive
> loaded with Debian Live. However, it doesn't seem so anymore
> when the number of the hosts to be booted exceeds tens,
> considering the cost of using (and -- regularly updating!)
> multiple disks or USB Flash media.
>
> To put the last paragraph simply, the pros of Debian Live
> configured for, e. g., booting from DVD+R(W):
>
> * works ``out of box''.
>
> But the cons are:
>
> * the number of hosts up at the same moment cannot exceed the
>   number of the disks burned;
>
> * each time a security fix is released, or a new package is
>   needed, or the configuration is to be changed, all the boot
>   media has to be re-written.
>
> For now, I'm considering using IKEv2 (as provided by the
> strongSwan implementation) embedded, along with a private key
> and a certificate, into the initramfs image. I'd be glad to
> hear any suggestions, ideas, or (well, there may be) success
> stories.
>

Well, you could use MAC addresses and DHCP for some layer of security,
and also you could boot http.iso and only use PXE to get started.

Back when hook= was originally introduced, I booted to the boot prompt,
where users had to use hook=http://username:passw...@hostname/ to pull
in the custom hooks for a given set of users. I am not sure if hook= is
working or not.

Anyhow, hope this information assists.

> --
> FSF associate member #7257
