Bug#933185: fai-server: /etc/fai/apt/sources.list should not contain trusted=yes to skip GPG verification

2019-08-15 Thread Christian Seiler

Hi,

(Sorry, overlooked your email.)

On 2019-08-12 21:31, Thomas Lange wrote:

> I think we cannot fix it in this way.
> gpg --export 2BF8D9FE074BCDE4 may not work if the key is not already
> downloaded and available for gpg. I also do not want to force the
> installation of the package debian-keyring on the FAI server.
> And we should not create a file when calling fai-make-nfsroot under
> /etc, which is normally a config file.
>
> The idea is to ship the gpg key directly in the fai-server package.
> So I would add the file /etc/fai/apt/trusted.gpg.d/fai-project.gpg to
> the package fai-server. What do you think?


Sorry if I wasn't clearer in my bug report. Yes, I did mean that
you should simply add the fai-project.gpg to the package. The
gpg --export was just a demonstration of how to work around this
issue with the current version of FAI.

So yes, if you added the file to the package and removed the
[trusted=yes] in the /etc/fai/apt/sources.list, that would be
perfect.

Thanks!

Best regards,
Christian



Bug#933185: fai-server: /etc/fai/apt/sources.list should not contain trusted=yes to skip GPG verification

2019-08-12 Thread Thomas Lange


I think we cannot fix it in this way.
gpg --export 2BF8D9FE074BCDE4 may not work if the key is not already
downloaded and available for gpg. I also do not want to force the
installation of the package debian-keyring on the FAI server.
And we should not create a file when calling fai-make-nfsroot under
/etc, which is normally a config file.

The idea is to ship the gpg key directly in the fai-server package.
So I would add the file /etc/fai/apt/trusted.gpg.d/fai-project.gpg to
the package fai-server. What do you think?

-- 
regards Thomas



Bug#933185: fai-server: /etc/fai/apt/sources.list should not contain trusted=yes to skip GPG verification

2019-07-27 Thread Christian Seiler

Package: fai-server
Version: 5.8.4
Severity: grave
Tags: security, buster

Dear Maintainer,

fai-server installs /etc/fai/apt/sources.list with the following entry
by default:

deb [trusted=yes] http://fai-project.org/download buster koeln

This is problematic, as the [trusted=yes] part will tell APT to
completely skip cryptographic verification of the repository when
creating the nfsroot. This is extremely bad because the repository is
accessed via unencrypted HTTP, which makes a man-in-the-middle attack
absolutely trivial. True, this only occurs if the NFSROOT is created
and/or updated, but at least updating with fai-make-nfsroot -k should
be a semi-regular thing on well-managed systems.

You should make sure that your APT signing key is added to the
NFSROOT so that APT may check it:

 - Export your GPG signing key in binary (NOT -a!) format:
   gpg --export 2BF8D9FE074BCDE4 > fai-project.gpg

 - Create a directory /etc/fai/apt/trusted.gpg.d

 - Copy the file to the appropriate directory
   cp fai-project.gpg /etc/fai/apt/trusted.gpg.d/

 - Remove the [trusted=yes] part of that line

I've tested this with a pristine FAI install on Debian 10 and during
fai-make-nfsroot the repository is correctly added to the NFSROOT and
the integrity of the signatures is properly checked.

For Debian 9 I don't think this is a critical issue (as the default
configuration does not include the repository, the line is commented
out entirely), but even suggestions in configuration files should
follow established security practices, so I would recommend also
removing the [trusted=yes] comment from the package in Debian 9 (and
also including the key there, or maybe just a comment on how to add
the key), so that inexperienced administrators may avoid the trap that
enabling this repository leads to a security issue.



Best regards,
Christian

-- System Information:
Debian Release: 10.0
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (100, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)

Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fai-server depends on:
ii  debootstrap  1.0.114
ii  e2fsprogs    1.44.5-1
ii  fai-client   5.8.4
ii  xz-utils     5.2.4-1

Versions of packages fai-server recommends:
pn  isc-dhcp-server
pn  libproc-daemon-perl
pn  nfs-kernel-server
ii  openbsd-inetd [inet-superserver]  0.20160825-4
ii  openssh-client                    1:7.9p1-10
ii  openssh-server                    1:7.9p1-10
pn  tftpd-hpa | atftpd

Versions of packages fai-server suggests:
ii  binutils           2.31.1-16
pn  debmirror
pn  fai-setup-storage
pn  grub2
pn  perl-tk
ii  qemu-utils         1:3.1+dfsg-8~deb10u1
pn  reprepro
ii  squashfs-tools     1:4.3-12
ii  xorriso            1.5.0-1

-- no debconf information
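An added example, not code from FAI or from anyone in this thread, that automates the audit and cleanup the report describes: it counts the active deb lines that carry [trusted=yes], rewrites the file without that option while preserving other options such as arch=, and checks that a keyring destined for trusted.gpg.d is a binary export rather than ASCII armor (the "NOT -a" pitfall the report points out). It runs on constructed sample files under a temporary directory that stands in for /etc/fai/apt; the names sources.list.fixed, binary.gpg and armored.gpg are assumptions of the example, and the binary sample is a three-byte packet-header stub, not a real key.

```shell
#!/bin/sh
# Added example (not FAI's own code): audit an FAI-style APT sources.list
# for [trusted=yes], rewrite it without that option, and check that a
# keyring meant for trusted.gpg.d/ is a binary OpenPGP export.
# $WORK stands in for /etc/fai/apt (assumption for this example).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample modelled on the default file quoted in the report,
# plus an arch= option and a commented-out stretch line to show that
# other options survive and that only active lines are counted.
cat > "$WORK/sources.list" <<'EOF'
deb http://deb.debian.org/debian buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main
# deb [trusted=yes] http://fai-project.org/download stretch koeln
deb [arch=amd64 trusted=yes] http://fai-project.org/download buster koeln
deb [trusted=yes] http://fai-project.org/download buster koeln
EOF

# Constructed keyring stand-ins: the first three bytes of an old-format
# OpenPGP public-key packet (0x99 = tag 6, two-byte length), and the
# header line that "gpg --export -a" would write instead. Neither is a key.
printf '\231\001\005' > "$WORK/binary.gpg"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$WORK/armored.gpg"

# count_trusted_yes FILE: number of active (uncommented) deb/deb-src lines
# whose option list contains trusted=yes, i.e. lines APT fetches unverified.
count_trusted_yes() {
    grep -c -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$1" || true
}

# strip_trusted_yes IN OUT: copy IN to OUT with trusted=yes removed from
# every option list. An option list left empty is dropped entirely so APT
# never sees a stray "[]"; other options such as arch= are kept.
strip_trusted_yes() {
    sed -E \
        -e 's/(\[[^]]*)[[:space:]]*trusted=yes[[:space:]]*([^]]*\])/\1 \2/' \
        -e 's/\[[[:space:]]*\]//' \
        -e 's/\[[[:space:]]+/[/' \
        -e 's/[[:space:]]+\]/]/' \
        -e 's/[[:space:]]{2,}/ /g' \
        "$1" > "$2"
}

# keyring_is_binary FILE: true when the file starts with an OpenPGP
# public-key packet header (0x98/0x99/0x9a old format, 0xc6 new format),
# which is what "gpg --export" without -a produces. An ASCII-armored file
# starts with '-' (0x2d) and is not a binary *.gpg keyring.
keyring_is_binary() {
    case $(od -An -tx1 -N1 "$1" | tr -d ' \n') in
        98|99|9a|c6) return 0 ;;
        *)           return 1 ;;
    esac
}

# Demo on the constructed sample: two unverified lines before, none after.
strip_trusted_yes "$WORK/sources.list" "$WORK/sources.list.fixed"
echo "trusted=yes lines before: $(count_trusted_yes "$WORK/sources.list")"
echo "trusted=yes lines after:  $(count_trusted_yes "$WORK/sources.list.fixed")"
cat "$WORK/sources.list.fixed"
for k in binary.gpg armored.gpg; do
    if keyring_is_binary "$WORK/$k"; then
        echo "$k: binary keyring, usable in trusted.gpg.d/"
    else
        echo "$k: ASCII-armored or not a keyring, re-export without -a"
    fi
done
```

To apply this on a real FAI server, run strip_trusted_yes on /etc/fai/apt/sources.list into a temporary file, inspect the diff, and move it into place. The key itself still has to arrive through a trusted channel (the fai-server package, as agreed in this thread, or a gpg --export of the project key obtained out of band); a keyring fetched over the same unauthenticated HTTP connection as the repository would add nothing.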