[Bug 833994] Re: debian-installer does not support https when using with preseed files

Colin Watson cjwatson at canonical.com
Fri Nov 25 16:24:09 UTC 2011


We've been talking about this today.  The question of certificates is a
rather vexed one: we'd have to put the whole bulk of ca-certificates
into the installer initrd, and furthermore many of the sites in question
are going to be self-signed ones that somebody ran up locally so there
would need to be a way to get certificates into the installer initrd.
Furthermore, if you're PXE-booting the installer, anyone can already
ARP-spoof you and substitute an installer initrd with the certificate of
their choice.  For lots of work, you gain not very much real security!

The installation guide does currently document that crypted passwords
should be an MD5 hash, but as far as I can see there's no actual
requirement for this, and a SHA-512 hash should work perfectly well.
Have you tried this?  Would this be sufficient to meet your compliance
requirements?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debian-installer-utils in
Ubuntu.
https://bugs.launchpad.net/bugs/833994

Title:
  debian-installer does not support https when using with preseed files

Status in “cobbler-enlist” package in Ubuntu:
  Triaged
Status in “debian-installer” package in Ubuntu:
  Triaged
Status in “debian-installer-utils” package in Ubuntu:
  Triaged

Bug description:
  Hi

  As part of a PCI Compliance process we need to ensure that
  confidential information is passed in a secure way. Currently one can
  pxeboot machines and the root password travels encrypted with MD5,
  which nowadays is breakable and is not part of the PCI
  Recommendations, as follows below:

  "Render all passwords unreadable during transmission and storage on
  all system components using strong cryptography (defined in PCI DSS
  Glossary of Terms, Abbreviations, and Acronyms)" -
  https://www.trustwave.com/steps_pci_info.php?step=8 where MD5 is not
  part of the examples of strong cryptography described in the
  above document.

  Everything else works in the pxeboot, e.g. getting the kernel and initrd
  through https, but the preseed file fails to get downloaded as in the
  example below.

  By appending the following in the pxelinux configuration:
  -- preseed/url=https://host/path/presee.cfg

  Linux version: Ubuntu LTS 10.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cobbler-enlist/+bug/833994/+subscriptions