Re: Thoughts about network-console
On Thursday 05 August 2010, Thibaut Girka wrote:
> > Did you actually check this? The password templates are of type
> > 'password' and thus the value should be in
> > /var/lib/cdebconf/passwords.dat (and thus encoded) instead of in plain
> > text in questions.dat.
>
> Well, you can still db_get the password, can't you?

Yes.

> As said earlier, I was, for some reason, sure that the postinst script
> didn't clear the passwords...

The fact that it clears the passwords is somewhat accidental (it has more
to do with allowing the passwords to be re-entered if they are unequal than
with security considerations). There are also other fields in
passwords.dat, like the root and first user passwords, that are possibly
not cleared.

Systems are vulnerable anyway when people have physical access to them.
That they are a bit more vulnerable during installation is almost
unavoidable, but in most cases the window (time from start of install to
reboot) is quite short. I don't think this is something we should worry too
much about.

-- 
To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a
subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201008051458.25739.elen...@planet.nl
Re: Thoughts about network-console
Quoting Frans Pop (elen...@planet.nl):
> Systems are vulnerable anyway when people have physical access to them.
> That they are a bit more vulnerable during installation is almost
> unavoidable, but in most cases the window (time from start of install to
> reboot) is quite short. I don't think this is something we should worry
> too much about.

I share that feeling, indeed. Even if the console password had been in
clear text in the debconf databases *of the installer system*, I don't
think that would have been a big concern.
Re: Thoughts about network-console
On Thursday 05 August 2010 at 14:58 +0200, Frans Pop wrote:
> On Thursday 05 August 2010, Thibaut Girka wrote:
> > > Did you actually check this? The password templates are of type
> > > 'password' and thus the value should be in
> > > /var/lib/cdebconf/passwords.dat (and thus encoded) instead of in
> > > plain text in questions.dat.
> >
> > Well, you can still db_get the password, can't you?
>
> Yes.
>
> > As said earlier, I was, for some reason, sure that the postinst script
> > didn't clear the passwords...
>
> The fact that it clears the passwords is somewhat accidental (it has more
> to do with allowing the passwords to be re-entered if they are unequal
> than with security considerations). There are also other fields in
> passwords.dat, like the root and first user passwords, that are possibly
> not cleared.

If you're talking about user-setup, they are cleared; that's the first
thing I checked (better than I did when checking network-console, it seems)
before sending this mail.

> Systems are vulnerable anyway when people have physical access to them.
> That they are a bit more vulnerable during installation is almost
> unavoidable, but in most cases the window (time from start of install to
> reboot) is quite short.

Well, it depends on what you mean by short, but I agree.

> I don't think this is something we should worry too much about.

Hence the "paranoid".
Re: Thoughts about network-console
(No need to CC on replies: I read the list.)

On Thursday 05 August 2010, Thibaut Girka wrote:
> If you're talking about user-setup, they are cleared; that's the first
> thing I checked (better than I did when checking network-console, it
> seems) before sending this mail.

With user-setup the passwords are asked by a different (much earlier [1])
script than the one that creates the accounts and sets the passwords. So
they *must* be in the debconf database for at least the time in between.
The fact that they are cleared afterwards - only at the very, very end of
the installation: just before the reboot - seems to me like a mostly empty
gesture. At least for the attack vector you were concerned about.

[1] The asking of the passwords was recently moved forward quite a bit for
Squeeze.

Archive: http://lists.debian.org/201008052017.30148.elen...@planet.nl
Re: Thoughts about network-console
On Thursday 05 August 2010 at 20:17 +0200, Frans Pop wrote:
> (No need to CC on replies: I read the list.)
>
> On Thursday 05 August 2010, Thibaut Girka wrote:
> > If you're talking about user-setup, they are cleared; that's the first
> > thing I checked (better than I did when checking network-console, it
> > seems) before sending this mail.
>
> With user-setup the passwords are asked by a different (much earlier [1])
> script than the one that creates the accounts and sets the passwords. So
> they *must* be in the debconf database for at least the time in between.
> The fact that they are cleared afterwards - only at the very, very end of
> the installation: just before the reboot - seems to me like a mostly
> empty gesture. At least for the attack vector you were concerned about.

You're right, I was expecting it to do that at the end of the base-install
step, but here too, it would be readable for quite a long time.
Re: Thoughts about network-console
Excerpts from Thibaut Girka's message of Wed Aug 04 07:57:46 -0400 2010:
> Second is quite the opposite: I would like to have a debconf boolean to
> display the password in the network-console/start note. The reason
> behind this is that, on some devices, with a display and no usable input,
> we can (and were already doing so) display network-console/start. On such
> devices, the password is set by a preseed file, so showing it should be
> helpful to the user. I don't think there are strong security issues
> there, since somebody who has access to the screen probably has physical
> access to the device too. Making it a debconf boolean defaulting to false
> (and probably never displayed to the user?) should make it not be a
> security problem outside of the scope of the few devices with such
> preseeding.

+1 from me for showing the password in the debconf note for preseeded
passwords.

Context: Thibaut requests this for his GSoC project of d-i for the Neo
Freerunner. On the Freerunner d-i runs on the screen in text mode, but
there is no keyboard to interact with it.

Gaudenz

-- 
Ever tried. Ever failed. No matter. Try again. Fail again. Fail better.
~ Samuel Beckett ~

Archive: http://lists.debian.org/1281036853-sup-2...@meteor.durcheinandertal.local
Re: Thoughts about network-console
Quoting Gaudenz Steinlin (gaud...@debian.org):
> +1 from me for showing the password in the debconf note for preseeded
> passwords.
>
> Context: Thibaut requests this for his GSoC project of d-i for the Neo
> Freerunner. On the Freerunner d-i runs on the screen in text mode, but
> there is no keyboard to interact with it.

How about proposing the possible text as well as, of course, the patch to
the maintainer scripts? That could help reviewing it and then converging on
what you would like to achieve.
Thoughts about network-console
Hi,

I have some thoughts that I would like to discuss with you about
network-console:

First is a (quite paranoid) security consideration: let's say that some
user wants to install Debian remotely in his working environment. He starts
the installation in front of the computer and sets a password, which
happens to be his daily-use one. He then does the remaining steps remotely.
Then, an untrustworthy colleague goes to the computer and just reads
/var/lib/cdebconf/questions.dat: the installer's password is there, in
plain, clear text. So, I think we should remove this password from the
debconf database as soon as it is written to /etc/shadow.

Second is quite the opposite: I would like to have a debconf boolean to
display the password in the network-console/start note. The reason behind
this is that, on some devices, with a display and no usable input, we can
(and were already doing so) display network-console/start. On such devices,
the password is set by a preseed file, so showing it should be helpful to
the user. I don't think there are strong security issues there, since
somebody who has access to the screen probably has physical access to the
device too. Making it a debconf boolean defaulting to false (and probably
never displayed to the user?) should make it not be a security problem
outside of the scope of the few devices with such preseeding.

Best regards,
Thibaut Girka.
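The check behind the first point above, as an added example that is not part of the original post or of debian-installer: a small parser for the stanza format cdebconf writes to /var/lib/cdebconf/questions.dat and passwords.dat, plus an audit that lists every password-type question whose Value is still set. The sample database is constructed for this example (the field names follow the real files, the values are made up); the continuation-line handling (a leading space continues the previous field, a lone "." stands for an empty line) is assumed from the Debian control-file convention, and the script reports whatever is literally stored as Value without making any claim about how cdebconf encodes it.

```python
"""Audit a cdebconf question database for password values left behind."""
from __future__ import annotations

import re
import sys

# Constructed sample in the rfc822-style stanza format used by cdebconf's
# questions.dat / passwords.dat. Field names match the real files; the
# question names are the ones network-console and user-setup own; the
# values are invented for this example.
SAMPLE_PASSWORDS_DAT = """\
Name: network-console/password
Template: network-console/password
Value:
Owners: network-console
Flags: seen

Name: network-console/password-again
Template: network-console/password-again
Value:
Owners: network-console
Flags: seen

Name: passwd/root-password
Template: passwd/root-password
Value: hunter2
Owners: user-setup-udeb
Flags: seen

Name: passwd/user-password
Template: passwd/user-password
Value: correct horse
 battery staple
Owners: user-setup-udeb
Flags: seen
"""

# Template names that hold a secret: ".../password", ".../password-again",
# "passwd/..." style names all contain "password" or "passwd".
PASSWORD_NAME = re.compile(r"passw(or)?d", re.IGNORECASE)


def parse_rfc822_db(text: str) -> list[dict[str, str]]:
    """Split a questions.dat-style file into one dict per blank-line-separated
    stanza. Assumption: a line starting with a space continues the previous
    field, and a continuation line holding only "." means an empty line."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    last_field: str | None = None
    for raw in text.splitlines():
        if raw.strip() == "":
            if current:
                records.append(current)
            current, last_field = {}, None
            continue
        if raw[0] in " \t" and last_field is not None:
            cont = raw[1:]
            current[last_field] += "\n" + ("" if cont == "." else cont)
            continue
        field, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        last_field = field.strip()
        current[last_field] = value.strip(" ")
    if current:
        records.append(current)
    return records


def leftover_passwords(text: str) -> list[tuple[str, str]]:
    """Return (question name, owners) for every password-type question whose
    Value is non-empty, i.e. a secret a postinst never cleared."""
    found = []
    for rec in parse_rfc822_db(text):
        name = rec.get("Name", "")
        template = rec.get("Template", name)
        if PASSWORD_NAME.search(template) and rec.get("Value", "") != "":
            found.append((name, rec.get("Owners", "")))
    return found


def audit_path(path: str) -> list[tuple[str, str]]:
    """Audit a real database file (run as root inside the installer shell)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return leftover_passwords(fh.read())


if __name__ == "__main__":
    # With no argument, audit the constructed sample instead of a live file.
    hits = audit_path(sys.argv[1]) if len(sys.argv) > 1 else leftover_passwords(SAMPLE_PASSWORDS_DAT)
    for name, owners in hits:
        print(f"password still stored: {name} (owner: {owners})")
    sys.exit(1 if hits else 0)
```

Run against the sample it flags the two user-setup questions and leaves the two cleared network-console ones alone; run as `python3 audit.py /var/lib/cdebconf/passwords.dat` from the installer's shell it shows what a colleague with console access during the install would find. Note that questions.dat should be audited the same way, since a preseeded template may have been created as a regular (non-password) one.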
Re: Thoughts about network-console
On Wednesday 04 August 2010, Thibaut Girka wrote:
> He starts the installation in front of the computer and sets a password,
> which happens to be his daily-use one.

That's not very smart, is it?

> Then, an untrustworthy colleague goes to the computer and just reads
> /var/lib/cdebconf/questions.dat: the installer's password is there, in
> plain, clear text.

Did you actually check this? The password templates are of type 'password'
and thus the value should be in /var/lib/cdebconf/passwords.dat (and thus
encoded) instead of in plain text in questions.dat. After testing I cannot
find the password in questions.dat...

Also, if you look at the postinst script for network-console, you'll see
that the template already *is* cleared after the password is asked.

The above is valid when the component is used interactively. The only case
in which AFAICT what you describe can be true is when the template is
preseeded [1] while the network-console component is not yet loaded
(because then the template could be created as a regular template instead
of as a password one). As preseeding passwords in itself already lowers
security, I don't really think this is an important bug.

Please verify that you really do see readable passwords and describe the
exact scenario (architecture / image / installation method used) in which
you do.

Cheers,
FJP

[1] Certainly when preseeded at the boot prompt and maybe also when
preseeded using a preseed file. In the last case the template type
'password' can be specified, but I'm not 100% sure whether that is honored
or not.

Archive: http://lists.debian.org/201008041510.51690.elen...@planet.nl
Re: Thoughts about network-console
Hi,

> > Then, an untrustworthy colleague goes to the computer and just reads
> > /var/lib/cdebconf/questions.dat: the installer's password is there, in
> > plain, clear text.
>
> Did you actually check this? The password templates are of type
> 'password' and thus the value should be in
> /var/lib/cdebconf/passwords.dat (and thus encoded) instead of in plain
> text in questions.dat.

Well, you can still db_get the password, can't you?

> Also, if you look at the postinst script for network-console, you'll see
> that the template already *is* cleared after the password is asked.

Oh, my bad, you're right. I actually read it, but for some reason I
overlooked the exact thing I was searching for...

> The only case in which AFAICT what you describe can be true is when the
> template is preseeded [1] while the network-console component is not yet
> loaded (because then the template could be created as a regular template
> instead of as a password one). As preseeding passwords in itself already
> lowers security, I don't really think this is an important bug.
>
> Please verify that you really do see readable passwords and describe the
> exact scenario (architecture / image / installation method used) in
> which you do.

As said earlier, I was, for some reason, sure that the postinst script
didn't clear the passwords... So, please ignore this first issue, as it
wasn't there in the first place.

Regards,
Thibaut Girka.