[Bug 833994] Re: debian-installer does not support https when using with preseed files
Colin Watson
cjwatson at canonical.com
Mon Feb 10 18:39:47 UTC 2014
I've committed the start of this upstream, now that I've fixed things to
permit the use of GNU wget. My strategy here is going to be:
* make fetch-url (for preseeding) and kickseed both work with HTTPS
* overload debian-installer/allow_unauthenticated=false to imply wget --no-check-certificate (I think this is close enough; I couldn't think of a reason why you would care deeply about the HTTPS certificate and then not care about installing unauthenticated packages)
* add wget-udeb to our default d-i builds (at least netboot, but probably globally)
* add support to the d-i build system for local builds with SSLCERTS set to a list of paths to certificates
* if you want to use the stock initramfs, you can make another initramfs containing just /usr/lib/ssl/certs/*.crt for whatever certificates you need, run c_rehash over that directory, and concatenate that to the stock initramfs either with cat or in your boot loader
Once this is done, I'll be able to proceed with the next step, bug
1135163.
** Changed in: debian-installer-utils (Ubuntu)
Assignee: (unassigned) => Colin Watson (cjwatson)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debian-installer in Ubuntu.
https://bugs.launchpad.net/bugs/833994
Title:
debian-installer does not support https when using with preseed files
Status in “cobbler-enlist” package in Ubuntu:
Triaged
Status in “debian-installer” package in Ubuntu:
Triaged
Status in “debian-installer-utils” package in Ubuntu:
Fix Committed
Status in “kickseed” package in Ubuntu:
Triaged
Bug description:
Hi
As part of a PCI Compliance process we need to ensure that
confidential information is passed in a secure way. Currently one can
pxeboot machines and the root password travels encrypted with MD5
which nowadays is breakable and it is not part of the PCI
Recommendations as follows below:
"Render all passwords unreadable during transmission and storage on
all system components using strong cryptography (defined in PCI DSS
Glossary of Terms, Abbreviations, and Acronyms)" -
https://www.trustwave.com/steps_pci_info.php?step=8 where md5 is not a
part of the examples of the strong cryptography described in the
above document.
Everything else works in the pxeboot, eg getting the kernel and initrd
through https but the preseed file fails to get downloaded as in the
example below.
By appending the following in the pxelinux configuration:
-- preseed/url=https://host/path/presee.cfg
Linux version: Ubuntu LTS 10.04
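The certificate-only initramfs step from the last bullet of the comment above, as an added example that is not part of the original message or of d-i. The function names are hypothetical, the PEM and private-key check is an addition of this example, and it assumes c_rehash, cpio and gzip are installed on the build host.

```shell
#!/bin/sh
# Added example (not d-i code). Function names are hypothetical.
# Usage, with placeholder file names:
#   build_cert_initramfs certs.gz internal-ca.crt
#   append_initramfs initrd.gz certs.gz initrd-with-ca.gz

# build_cert_initramfs OUT CERT.crt...
# Pack the given PEM certificates into a gzip'd newc cpio archive that
# unpacks to /usr/lib/ssl/certs, including the c_rehash hash symlinks.
build_cert_initramfs() {
    out=$1; shift
    stage=$(mktemp -d) || return 1
    certs=$stage/usr/lib/ssl/certs
    mkdir -p "$certs" || return 1
    for crt in "$@"; do
        # A netboot initrd is handed to any machine that can fetch it, so
        # ship only public certificates and refuse files with a private key.
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
             grep -q -e 'PRIVATE KEY-----' "$crt"; then
            echo "refusing $crt: not a bare PEM certificate" >&2
            rm -rf "$stage"; return 1
        fi
        cp "$crt" "$certs/" || { rm -rf "$stage"; return 1; }
    done
    # OpenSSL looks certificates up by subject-hash symlink (<hash>.0).
    c_rehash "$certs" >/dev/null || { rm -rf "$stage"; return 1; }
    (cd "$stage" && find . | cpio -o -H newc | gzip -9) > "$out"
    rc=$?
    rm -rf "$stage"
    return $rc
}

# append_initramfs STOCK EXTRA COMBINED
# The kernel unpacks concatenated cpio archives in order, so the extra
# archive's files are added on top of the stock initramfs contents.
append_initramfs() {
    cat "$1" "$2" > "$3"
}
```

The same concatenation can be done by the boot loader instead of cat, as the comment notes.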