>>>>> On 22 Apr 2004 10:50:47 +0200, Holger Levsen <[EMAIL PROTECTED]> said:
> Hi, > in FAI's simple examples the root password is distributed to the install > clients as a md5sum which is world-readable through the nfs-exported > FAI_CONFIGDIR. I think the examples are not using md5sums but the normal crypted passwords. > It's a good solution as a starting point but not really sufficient for > installations where you need real security. Sure. > How do you distribute passwords, private ssh-host-keys and/or private > ssl-certificates ? Can you realy achieve real security during installation? PXE is a broadcast protocol, tftp is also very insecure, NFS is also not so secure, so how can the install client verify that it gets its information from the right install server and not from a bad guy? How can a install server verify that the install client is not cheating its MAC or IP address? On starting point could be to boot from CD (faibootCD) which includes the publik key of the install server, so all communication could be crypted and authenticated. Is there a BIOS that can store some misc data (public and private keys of the install client) ? That would be nice for security. Or we should create a small partition which includes this data and will never be deleted. -- regards Thomas