Re: Secure deploy of keys

[Diego Zuccato]

Il 15/12/2022 18:15, Toomas Tamm via linux-fai ha scritto:


Some things that I can imagine that could mitigate such risks would be:
- Inputting some secret on the physical machine during install (from the keyboard, USB 
stick, etc). This would defeat the idea of "fully automatic" install.

That's a form of "root of trust".


- Pre-loading a secret onto hardware (is this what you mean by using TPM?).
Yes. TPM (Trusted Platform Module) is a piece of HW that handles crypto 
keys and should be hard to tamper. At least it would require 
unsupervised physical access to the interior of the machine for quite a 
long time. But once the attacker does have unsupervised physical access 
to the machine, it would be faster to just boot from USB key and extract 
the files. Unless TPM is also used for secure boot, but that's another 
can of worms.



- Time-limiting the availability of secrets and/or some component of FAI. Most 
of us probably do not install clients every day, all day.
That shouldn't be too hard. Just make secrets available only during 
install. Once the machine is installed it calls a hook to close the 
access to the secrets.



- Monitoring of installation processes and flagging abnormal activities. This 
would not prevent successful attacks, but possible breaches could be patched 
up, eg keys replaced afterwards.

This seems harder.

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786

Re: Secure deploy of keys

[Robert Markula]

Am 15.12.22 um 18:15 schrieb Toomas Tamm via linux-fai:

This message was wrapped to be DMARC compliant. The actual message
text is therefore in an attachment.

Hi Toom,

unforunately I can't quote you directly, but regarding a rogue attacker 
mimicking the MAC of an install client: You have to manually enable a 
FAI installation, otherwise the client cannot be installed:


fai-chboot -c DEFAULT client.example.com

Granted, with the right timing one could be faster with a rogue client 
than with the real client. But on the other hand, any client with access 
to the FAI NFS server can manually mount the NFSroot and obtain any 
secrets living on the NFS server via this method.


So keeping a secret on the NFSroot is not a viable solution. But there 
are possibilities to work around that. What has been discussed:


1. the secret is created on the install client during installation and 
transfered to another system in a secure way, e.g. via SSH
2. the secret is pulled from a third-party solution, which is outside 
the scope of FAI (e.g. via Salt, Cfengine or any other configuration 
management software). Authenticated registration of the install client 
to the configuration management software of your choice is the weakest 
link here [1]

3. using public key encryption (GPG, PKI, SSH) [2]
4. using a zero-trust-like approach to secrets like clevis/tang [3]

I have not looked into solutions like HashiCorp Vault, but maybe that 
can be cleverly integrated as well?


Kind regards,


Robert

[1] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg07955.html
[2] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08003.html
[3] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08005.html

RE: Secure deploy of keys

[Toomas Tamm via linux-fai]

Diese Nachricht wurde eingewickelt um DMARC-kompatibel zu sein. Die
eigentliche Nachricht steht dadurch in einem Anhang.

This message was wrapped to be DMARC compliant. The actual message
text is therefore in an attachment.--- Begin Message ---
Hello,

In the case of public network and no access to the machine at time of 
installation, I think this is unsolvable in principle.

Imagine the following scenario, say on a school on university network: an 
attacker (perhaps just a curious student) sets up a virtual machine with the 
MAC address and emulated hardware identical to a physical machine that would be 
installed by FAI. Then he disconnects the actual machine (say, in a computer 
classroom) and initiates a FAI install on his VM. Any exchange of secrets that 
would take place with the real machine now takes place with the student's VM. 
Afterwards, he takes the VM image home and can extract any secrets that were 
transferred to it during install.

Some things that I can imagine that could mitigate such risks would be:
- Inputting some secret on the physical machine during install (from the 
keyboard, USB stick, etc). This would defeat the idea of "fully automatic" 
install.
- Pre-loading a secret onto hardware (is this what you mean by using TPM?).
- Time-limiting the availability of secrets and/or some component of FAI. Most 
of us probably do not install clients every day, all day.
- Monitoring of installation processes and flagging abnormal activities. This 
would not prevent successful attacks, but possible breaches could be patched 
up, eg keys replaced afterwards.

BR,
Toomas




-Original Message-
From: linux-fai  On Behalf Of Diego Zuccato
Sent: kolmapäev, 14. detsember 2022 07:40
To: linux-fai@uni-koeln.de
Subject: Re: Secure deploy of keys

Tks.
Too bad I fear it's not applicable to my scenario.
First because the network is public. Second because ssh is just one of 
the secrets I have to distribute (others are usually SaltStack key and 
Gluster certificate).
I'm thinking that probably this is one of the few cases where a TPM is 
actually useful...
GPG encrypted tarballs can be a good solution if there's a trusted 
person that can insert the password (or a tpm that can decrypt it) to 
complete the install...

Diego

Il 13/12/2022 20:44, Andrew Ruthven ha scritto:
> Hey,
> 
> On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote:
>> What's the recommended way to deploy (or re-deploy) security-sensitive
>> objects (just to say one: private ssh key to avoid client warnings when
>> redeploying a server)?
> 
> For things like ssh host keys I have a command that we run which copies 
> them into the NFSROOT, and then a cron job that runs every minute that 
> removes "expired" files from the NFSROOT. Given our NFSROOT is on a 
> restricted network I feel that is sufficient.
> 
> I know someone who had GPG encrypted tarballs, but that required 
> entering a passphrase during the build process.
> 
> Another option for ssh which I am considering is using PKI for it. Then 
> servers and clients just need to trust a CA.
> 
> Cheers,
> Andrew
> 
> -- 
> 
> Andrew Ruthven, Wellington, New Zealand
> and...@etc.gen.nz |
> Catalyst Cloud:   | This space intentionally left blank
>   https://catalystcloud.nz |
> 

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786


--- End Message ---