Security Question

  • I have upgraded to clonedeploy 1.3.3 (from 1.2.x) in Fedora. I should note that https will not work without the mono complete package installed from the mono repo. (Without this I got some error about tokens, I forget what it is.) This isn't a complaint. I'm just saying this in case anyone else has the same problem.

    Furthermore I have some questions about security. I'm trying to use ipxe, but the ipxe devels have been very annoying with their TLS implementation. You can't just set a flag to say "please don't check certificates". If you want to use your own root certificate you have to build your own ipxe binaries (NO THANK YOU!). Anyway I'm trying to use https as much as possible. At some point during the process the SMB password has to be communicated to the client and I assume this is through http. If https is not used during that step is there any other encryption securing the passwords? Also if you don't have a task set up and choose clone deploy from the menu it will ask for the clone deploy user name and password. If https is not used at that point, once again is there any encryption of the passwords? Thanks in advance for answering. I think that the answer will be no and no in which case I'll have to allow for http for the kernel and image fetching (I forget the path) and manually edit the ipxe menu file, to change https to http in that file.

  • Everything you said is 100% correct. Yes, I ran into the same problem with ipxe. There is no encryption without https because there is no secure way to store an encryption key. It could be stored inside initrd but anyone could do a tftp get to download the initrd file, mount it and grab the key. As for the ipxe menu, I could add an option to not use the base url setting, that way you wouldn't need to modify it manually.

  • I just realised that manually editing the files isn't really going to cut it because the specific menu files that get created when a task is started would also have to be edited and that's too much manual work. Anyway it's not a big deal. Thanks a lot for clonedeploy. I love it but I recognise that it's still not getting the deserved acclaim.

  • I did eventually recompile ipxe.efi. When building, it seemed that I also had to embed an efi script that looked something like this:

    tftp://[server ip]/proxy/efi64/pxelinux.cfg/default.ipxe

    The build command looked like this:
    make bin-x86_64-efi/ipxe.efi TRUST=[path to certificate] CERT=[path to certificate] EMBED=[path to script]

    The good news is that things are working now (so far).

    Edit: I also had to edit a source file to enable HTTPS downloading before building.

  • Looks good, you may want to change the script to use ${next-server} instead of hardcoding your server IP in. Then it will pick up whatever is sent by the DHCP server.
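
An embedded script along the lines suggested in the last reply, written here as an added example and not taken from the thread or from the CloneDeploy project. The menu path is the one quoted above; the DHCP retry, the `isset` check and the labels are assumptions.

```ipxe
#!ipxe
# Added example: script to embed in ipxe.efi via EMBED=[path to script].
# The menu path comes from the thread; the retry and error handling
# below are assumptions, not CloneDeploy's own script.

:retry_dhcp
# Get a lease. ${next-server} is populated from the DHCP reply,
# so no server address is compiled into the binary.
dhcp || goto dhcp_failed

# Stop if the DHCP server did not supply a next-server value,
# rather than chaining to a malformed URL.
isset ${next-server} || goto no_next_server

echo Loading menu from ${next-server}
chain tftp://${next-server}/proxy/efi64/pxelinux.cfg/default.ipxe || goto chain_failed

:dhcp_failed
echo DHCP failed, retrying in 5 seconds
sleep 5
goto retry_dhcp

:no_next_server
echo DHCP reply carried no next-server, returning to firmware
exit 1

:chain_failed
echo Could not load menu from ${next-server}, returning to firmware
exit 1
```

The certificate passed with TRUST= only covers the HTTPS requests made later; both the DHCP reply that sets `${next-server}` and the TFTP fetch of the menu are unauthenticated, so they depend on the boot network itself being trusted.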