Re: Secure deploy of keys
Thanks for the answer. Sorry for seeing it late, but it went into the spam folder :( I didn't know clevis/tang, but it's really interesting (maybe a bit overkill in my scenario).

Diego

On 15/12/2022 18:53, Robert Markula wrote:
> On 15.12.22 at 18:15, Toomas Tamm via linux-fai wrote:
>> This message was wrapped to be DMARC compliant. The actual message text is therefore in an attachment.
>
> Hi Toom,
>
> unfortunately I can't quote you directly, but regarding a rogue attacker mimicking the MAC of an install client: You have to manually enable a FAI installation, otherwise the client cannot be installed:
>
>     fai-chboot -c DEFAULT client.example.com
>
> Granted, with the right timing one could be faster with a rogue client than with the real client. But on the other hand, any client with access to the FAI NFS server can manually mount the NFSroot and obtain any secrets living on the NFS server via this method. So keeping a secret on the NFSroot is not a viable solution.
>
> But there are possibilities to work around that. What has been discussed:
>
> 1. the secret is created on the install client during installation and transferred to another system in a secure way, e.g. via SSH
> 2. the secret is pulled from a third-party solution, which is outside the scope of FAI (e.g. via Salt, Cfengine or any other configuration management software). Authenticated registration of the install client to the configuration management software of your choice is the weakest link here [1]
> 3. using public key encryption (GPG, PKI, SSH) [2]
> 4. using a zero-trust-like approach to secrets like clevis/tang [3]
>
> I have not looked into solutions like HashiCorp Vault, but maybe that can be cleverly integrated as well?
>
> Kind regards,
> Robert
>
> [1] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg07955.html
> [2] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08003.html
> [3] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08005.html

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Re: Secure deploy of keys
Just did a quick test. Seems feasible to use clevis w/ tpm2 to securely bind credentials to a machine. The idea is:

- in case of a new install there are no machine-specific files
- secrets get generated as usual
- once the machine is up & running, use ssh to run a script to encrypt the needed secret files using the machine's TPM and transfer the encrypted files to FAI
- in case of a reinstall, FAI transfers the encrypted files to the machine and runs clevis decrypt to restore 'em

That's just a rough idea. Any evident issues?

Diego

On 16/01/2023 14:12, Diego Zuccato wrote:
> [...]

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
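The seal/unseal flow sketched in the message above, written out as an added shell example (it is not code from this thread, from clevis or from FAI). It assumes clevis with the tpm2 pin and tpm2-tools are installed both on the running host and wherever the reinstall-side decrypt runs (the nfsroot, or the target via $ROOTCMD), that /dev/tpmrm0 exists, and that sealed files are kept under $FAI/secrets/$HOSTNAME/*.jwe; that directory layout, the .jwe naming and the function names are this example's assumptions, while $FAI, $target and $HOSTNAME are FAI's own variables. The is_jwe check exists because of Robert's point that everything on the NFS export is readable by any client: it refuses to store or restore anything that is not ciphertext, so a plaintext secret copied by mistake never lands in the config space.

```shell
#!/bin/sh
# Added example: seal host secrets to the local TPM with clevis so the
# ciphertext can live in the FAI config space and be restored on reinstall.
# Assumed: clevis (tpm2 pin), tpm2-tools, /dev/tpmrm0; layout $FAI/secrets/$HOSTNAME.
set -eu

# clevis tpm2 pin configuration. Binding to PCR 7 (Secure Boot policy) means
# the blob only unseals when the machine booted with the same SB state; every
# PCR added is one more thing a firmware or bootloader update can change, so
# the PCR list is a parameter. With no pcr_ids at all, anyone who can boot
# any OS on this hardware can unseal.
tpm2_pin_config() {
    pcrs="${1:-7}"
    printf '{"pcr_bank":"sha256","pcr_ids":"%s"}' "$pcrs"
}

# Compact JWE: five base64url segments separated by dots. With the tpm2 pin
# the second segment (encrypted key) is empty because the JWE alg is "dir".
is_jwe() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Step 1, on the running host (invoked over ssh): seal SRC into DST.
seal_secret() {
    src="$1"; dst="$2"
    [ -c /dev/tpmrm0 ] || { echo "no TPM resource manager device" >&2; return 1; }
    command -v clevis >/dev/null || { echo "clevis not installed" >&2; return 1; }
    clevis encrypt tpm2 "$(tpm2_pin_config 7)" < "$src" > "$dst"
    # Never ship anything to the FAI server that is not ciphertext.
    is_jwe "$(cat "$dst")" || { echo "clevis output is not a JWE" >&2; rm -f "$dst"; return 1; }
}

# Step 2, during reinstall: unseal JWE into OUT (mode 0600) using this host's TPM.
unseal_secret() {
    jwe="$1"; out="$2"
    is_jwe "$(cat "$jwe")" || { echo "$jwe is not a JWE, refusing" >&2; return 1; }
    ( umask 077; clevis decrypt < "$jwe" > "$out" )
}

# Wrapper for a class-scoped FAI customization script. A new install has no
# $FAI/secrets/$HOSTNAME, so the loop does nothing and fresh secrets get
# generated as usual; a reinstall restores every sealed file into $target.
restore_secrets() {
    srcdir="$1"; tgt="$2"
    for f in "$srcdir"/*.jwe; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .jwe)
        # Assumed mapping: file name is the path below /etc with '/' as '__'.
        unseal_secret "$f" "$tgt/etc/$(printf '%s' "$name" | sed 's#__#/#g')"
    done
}

case "${1:-}" in
    seal)    seal_secret "$2" "$3" ;;                 # seal /etc/ssh/ssh_host_ed25519_key ssh__ssh_host_ed25519_key.jwe
    restore) restore_secrets "$FAI/secrets/$HOSTNAME" "$target" ;;
esac
```

Two failure modes worth planning for: a TPM clear or a Secure Boot policy change makes every existing JWE undecryptable, so the reinstall path should fall back to generating fresh secrets (and re-sealing them) when clevis decrypt fails rather than aborting the install, and the decrypt has to run where clevis can reach the TPM, which means either putting clevis and tpm2-tools into the nfsroot or running the unseal through $ROOTCMD after the packages are in the target. The JWE itself can sit on the NFS export: a rogue client spoofing the MAC gets the ciphertext but not the TPM that unseals it.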
FAI 6.0 released and new ISO images using Debian 12 bookworm/testing
Hi all,

after more than a year, a new major FAI release is ready to download. The following new features are included:

* add support for release specification in package_config via release=
* the partitioning tool now supports partition labels with GPT
* support partition labels and partition uuids in fstab
* support for Alpine Linux and Arch Linux package managers in install_packages
* Ubuntu 22.04 support added
* Rocky Linux 9 support added
* use zstd instead of gzip
* fai-chboot: variable substitution for $IP and $HOST when copying a template
* all customization scripts now write to scripts.log. The old behaviour can be enabled by setting $FAI_USE_OLD_SCRIPT_LOGS
* add support for NVMe devices in fai-kvm
* add ssh key for root remote access using classes
* drop support of .asc signatures of your repository, use .gpg instead

Sure, we have a lot of bug fixes included.

Even though FAI 6.0 will only be included in Debian bookworm, you can install FAI 6.0 on a bullseye FAI server and create an nfsroot using bookworm without any problems. The combination of a bullseye FAI server with FAI 6.0 and a bullseye nfsroot should also work.

New ISO images are available at https://fai-project.org/fai-cd/

The FAI.me build service is not yet using FAI 6.0, but support will be added in the future.

-- 
regards Thomas