debian-installer does not support https when using with preseed files

Bug #833994 reported by Leonardo Borda on 2011-08-25
This bug affects 7 people
Affects | Importance | Assigned to
cobbler-enlist (Ubuntu) | Medium | Unassigned
cobbler-enlist (Ubuntu Precise) | Undecided | Unassigned
debian-installer (Ubuntu) | Medium | Colin Watson
debian-installer (Ubuntu Precise) | Medium | Colin Watson
debian-installer-utils (Ubuntu) | Medium | Colin Watson
debian-installer-utils (Ubuntu Precise) | Medium | Colin Watson
kickseed (Ubuntu) | Medium | Colin Watson
kickseed (Ubuntu Precise) | Medium | Colin Watson
rootskel (Ubuntu) | Medium | Colin Watson
rootskel (Ubuntu Precise) | Medium | Colin Watson

Bug Description

Hi

As part of a PCI Compliance process we need to ensure that confidential information is passed in a secure way. Currently one can pxeboot machines and the root password travels encrypted with MD5, which nowadays is breakable and is not part of the PCI Recommendations, as follows:

"Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in PCI DSS Glossary of Terms, Abbreviations, and Acronyms)" - https://www.trustwave.com/steps_pci_info.php?step=8 where md5 is not among the examples of strong cryptography described in the above document.

Everything else works in the pxeboot, e.g. getting the kernel and initrd through https, but the preseed file fails to get downloaded, as in the example below.

By appending the following in the pxelinux configuration:
-- preseed/url=https://host/path/presee.cfg

Linux version: Ubuntu LTS 10.04

Colin Watson (cjwatson) wrote :

In order to fix this we'll probably have to switch to wget-udeb, since busybox wget doesn't support SSL and is unlikely to ever do so as far as I can tell. It would be nice to get wget-udeb a bit smaller first.

Changed in debian-installer (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Adding cobbler-enlist task, as we will likely want to add SSL support to cobbler-enlist when debian-installer is updated.

Changed in cobbler-enlist (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Dave Walker (davewalker) wrote :

(task added based on MIR bug 860492)

Colin Watson (cjwatson) on 2011-11-25
Changed in debian-installer-utils (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Colin Watson (cjwatson) wrote :

We've been talking about this today. The question of certificates is a rather vexed one: we'd have to put the whole bulk of ca-certificates into the installer initrd, and furthermore many of the sites in question are going to be self-signed ones that somebody ran up locally so there would need to be a way to get certificates into the installer initrd. Furthermore, if you're PXE-booting the installer, anyone can already ARP-spoof you and substitute an installer initrd with the certificate of their choice. For lots of work, you gain not very much real security!

The installation guide does currently document that crypted passwords should be an MD5 hash, but as far as I can see there's no actual requirement for this, and a SHA-512 hash should work perfectly well. Have you tried this? Would this be sufficient to meet your compliance requirements?

lezbak (lezgin-bakircioglu) wrote :

Understandable, but as for that, the bulk certificates could be passed on as a bootloader parameter to keep it simple and more dynamic. You can protect yourself against ARP spoofing if you have proper security (e.g. ARP spoof protection and/or private VLAN in your switches).

I would not agree on that; with proper security in the environment you actually raise it a lot by not sending the hashed root password over the network in clear text.

I would like to keep that still within an encrypted session. Are you that comfortable to post your password that is SHA-512 hashed on a public forum?

Colin Watson (cjwatson) wrote :

Certificates: sure, but that's a lot of new mechanism we'd have to write.

Password: I didn't ask whether you were comfortable with it, but whether it met your PCI compliance requirements. :-)

lezbak (lezgin-bakircioglu) wrote :

That's true and this is the request.

Ah, sorry, yes it does :-)

Colin Watson (cjwatson) wrote :

FWIW, on certificates, the best way to approach this would probably be to use the fact that you can concatenate two initramfses; so we'd probably have to have a tool that builds certificates into initramfs form so that you can append that to your installer initrd, or deliver it separately if your boot loader supports multiple initramfses.

Peter Matulis (petermatulis) wrote :

Related:

"wget-udeb should install to /usr/bin/wget instead of /usr/bin/wget.gnu"
https://bugs.launchpad.net/ubuntu/+source/wget/+bug/1172101

I don't think certificates are necessary here: we could permit any https without any certificate checking, and still have an improvement, with no additional dangers over using http. For example, you would remain vulnerable to DNS spoofing or man-in-the-middle problems, but you would not be subject to the exposure of secret information in packages. (There are plenty of cases where a link is sniffable but not pwnable.)

Alan Sparks (alan-l-sparks) wrote :

Agree with tbushnell above. The advantage of at least having an encrypted tunnel is real, whether you get all the benefits of SSL certificate checks.
-Alan

Leonardo Borda (lborda) wrote :

Hi Guys,

An encrypted tunnel would at least provide some security level to the use case. I have seen more and more people requesting such kind of feature on Ubuntu deployments. Now with MAAS handling the orchestration I believe it's just about time.

Is it possible to have someone ( more knowledgeable than me ) working on a proposal patch ?

Thank you for the great work/discussion btw!
Leo

Colin Watson (cjwatson) on 2014-02-10
Changed in kickseed (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Colin Watson (cjwatson) on 2014-02-10
Changed in debian-installer-utils (Ubuntu):
status: Triaged → Fix Committed
Colin Watson (cjwatson) wrote :

I've committed the start of this upstream, now that I've fixed things to permit the use of GNU wget. My strategy here is going to be:

 * make fetch-url (for preseeding) and kickseed both work with HTTPS
 * overload debian-installer/allow_unauthenticated=false to imply wget --no-check-certificate (I think this is close enough; I couldn't think of a reason why you would care deeply about the HTTPS certificate and then not care about installing unauthenticated packages)
 * add wget-udeb to our default d-i builds (at least netboot, but probably globally)
 * add support to the d-i build system for local builds with SSLCERTS set to a list of paths to certificates
 * if you want to use the stock initramfs, you can make another initramfs containing just /usr/lib/ssl/certs/*.crt for whatever certificates you need, run c_rehash over that directory, and concatenate that to the stock initramfs either with cat or in your boot loader

Once this is done, I'll be able to proceed with the next step, bug 1135163.

Changed in debian-installer-utils (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson) wrote :

Re comment #13, I'll rename SSLCERTS to SSL_CERTS - fits better into the other variable names.

Changed in kickseed (Ubuntu):
status: Triaged → Fix Committed
assignee: nobody → Colin Watson (cjwatson)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer-utils - 1.104ubuntu1

---------------
debian-installer-utils (1.104ubuntu1) trusty; urgency=medium

  * Resynchronise with Debian. Remaining changes:
    - user-params: Don't propagate vga=*, break=*, *-ubiquity, or
      noninteractive to installed system.
    - list-devices:
      + New "mmc-partition" type for detecting partitions on MMC devices.
      + Make sure we also detect platform-omap MMCs.
      + Don't return entries for extended partitions.
    - Don't include the battery subsystem on calls to udevadm trigger.

debian-installer-utils (1.104) unstable; urgency=medium

  * Add HTTPS support to fetch-url, which will only work if d-i has been
    built with GNU wget; debian-installer/allow_unauthenticated is
    overloaded to imply the --no-check-certificate option (LP: #833994).
 -- Colin Watson <email address hidden> Mon, 10 Feb 2014 18:51:39 +0000

Changed in debian-installer-utils (Ubuntu):
status: Fix Committed → Fix Released
Colin Watson (cjwatson) on 2014-02-10
Changed in debian-installer (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kickseed - 0.61ubuntu1

---------------
kickseed (0.61ubuntu1) trusty; urgency=medium

  * Resynchronise with Debian. Remaining changes:
    - Add basic RAID support. (LVM-on-RAID won't quite work yet.)
    - Add basic iSCSI support.

kickseed (0.61) unstable; urgency=medium

  * Add HTTPS support, which will only work if d-i has been built with GNU
    wget (LP: #833994). "url https://..." requires further work in at least
    choose-mirror before it will be usable.
 -- Colin Watson <email address hidden> Mon, 10 Feb 2014 19:44:28 +0000

Changed in kickseed (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu295

---------------
debian-installer (20101020ubuntu295) trusty; urgency=medium

  * Add SSL_CERTS variable, which can be used to build images with embedded
    SSL certificates with c_rehash run over them so that OpenSSL can see
    them (LP: #833994).
  * Include wget-udeb in all images so that HTTPS support works out of the
    box.
 -- Colin Watson <email address hidden> Mon, 10 Feb 2014 21:47:54 +0000

Changed in debian-installer (Ubuntu):
status: Fix Committed → Fix Released
Colin Watson (cjwatson) on 2014-02-11
Changed in debian-installer (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson) wrote :

Thinking a bit harder about this, we shouldn't use debian-installer/allow_unauthenticated=true to govern this, as GPG checking is much stronger than SSL certificate checking; it's reasonable to want to disable the latter without disabling the former. I'll add a new debian-installer/allow_unauthenticated_ssl=true preseed for this.

Changed in rootskel (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → Medium
status: New → In Progress
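
Added example, not part of the bug report and not code from debian-installer: a small audit of a PXE `append` line and a preseed file for the settings discussed in this thread (the `preseed/url` scheme, `debian-installer/allow_unauthenticated_ssl`, `debian-installer/allow_unauthenticated`, and the password hash scheme). The host name, the sample inputs and the finding names are constructed for illustration; the `passwd/*` questions are standard d-i preseed keys that the thread itself does not name.

```python
import re
import shlex

# Constructed sample inputs (not taken from the bug report).
SAMPLE_APPEND = ("append initrd=initrd.gz auto=true "
                 "preseed/url=http://deploy.example.internal/preseed.cfg "
                 "debian-installer/allow_unauthenticated_ssl=true --")
SAMPLE_PRESEED = """\
# constructed preseed fragment
d-i passwd/root-password-crypted password $1$saltsalt$0123456789abcdefghijkl
d-i debian-installer/allow_unauthenticated boolean false
"""

# crypt(3) scheme identifiers: the "$id$" prefix of a crypted password.
HASH_SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}


def parse_settings(append_line, preseed_text):
    """Yield (question, value) from boot parameters and preseed lines."""
    for token in shlex.split(append_line):
        key, sep, value = token.partition("=")
        if sep and "/" in key:               # d-i questions look like owner/name
            yield key, value
    for line in preseed_text.splitlines():
        parts = line.strip().split(None, 3)  # owner, question, type, value
        if len(parts) >= 3 and not parts[0].startswith("#"):
            yield parts[1], parts[3] if len(parts) == 4 else ""


def audit(append_line, preseed_text):
    """Return sorted finding names (the names are this example's own)."""
    findings = set()
    for key, value in parse_settings(append_line, preseed_text):
        enabled = value.strip().lower() == "true"
        if key == "preseed/url" and not value.lower().startswith("https://"):
            # The preseed file, password hash included, crosses the wire in clear.
            findings.add("preseed-fetched-without-tls")
        elif key == "debian-installer/allow_unauthenticated_ssl" and enabled:
            # wget runs with --no-check-certificate: encrypted, but the server
            # is not authenticated, so only passive sniffing is addressed.
            findings.add("tls-certificate-check-disabled")
        elif key == "debian-installer/allow_unauthenticated" and enabled:
            findings.add("package-signature-check-disabled")
        elif re.fullmatch(r"passwd/(root|user)-password", key):
            findings.add("plaintext-password-in-preseed")
        elif re.fullmatch(r"passwd/(root|user)-password-crypted", key):
            match = re.match(r"\$([0-9a-z]+)\$", value)
            scheme = HASH_SCHEMES.get(match.group(1), "unknown") if match else "unknown"
            if scheme not in ("sha256", "sha512"):
                findings.add("password-hash-" + scheme)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_APPEND, SAMPLE_PRESEED):
        print(finding)
```
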
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rootskel - 1.107ubuntu1

---------------
rootskel (1.107ubuntu1) trusty; urgency=medium

  * Resynchronise with Debian. Remaining changes:
    - Apply configurable console colors in d-i virtual terminals.

rootskel (1.107) unstable; urgency=low

  [ Martin Michlmayr ]
  * Remove Cobalt related scripts.

  [ Samuel Thibault ]
  * /proc/mounts now exists on hurd-any, point /etc/mtab to it.

  [ Colin Watson ]
  * Add a new debian-installer/allow_unauthenticated_ssl template, which can
    be used to disable SSL certificate checks when using HTTPS
    (LP: #833994).
 -- Colin Watson <email address hidden> Tue, 11 Feb 2014 18:29:54 +0000

Changed in rootskel (Ubuntu):
status: In Progress → Fix Released
lezbak (lezgin-bakircioglu) wrote :

Finally,

The bug I reported almost 2.5y ago that got converted to a community bug and it is now fixed!

Very appreciated!

Will this make it to ubuntu 14.04 (or 14.04.1?)

Mark Russell (marrusl) wrote :

Hi Lezgin,

This is already in 14.04. You can test right away.

Colin Watson (cjwatson) on 2014-06-23
Changed in debian-installer (Ubuntu Precise):
importance: Undecided → Medium
milestone: none → ubuntu-12.04.5
status: New → Triaged
Changed in debian-installer-utils (Ubuntu Precise):
importance: Undecided → Medium
milestone: none → ubuntu-12.04.5
status: New → Triaged
Changed in debian-installer (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
Changed in debian-installer-utils (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
Changed in kickseed (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → Medium
status: New → Triaged
milestone: none → ubuntu-12.04.5
Changed in rootskel (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → Medium
milestone: none → ubuntu-12.04.5
status: New → Triaged
Colin Watson (cjwatson) on 2014-06-23
Changed in debian-installer-utils (Ubuntu Precise):
status: Triaged → In Progress
Colin Watson (cjwatson) on 2014-06-23
Changed in kickseed (Ubuntu Precise):
status: Triaged → In Progress
Changed in rootskel (Ubuntu Precise):
status: Triaged → In Progress

Hello Leonardo, or anyone else affected,

Accepted debian-installer-utils into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/debian-installer-utils/1.88ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in debian-installer-utils (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Chris J Arges (arges) wrote :

Hello Leonardo, or anyone else affected,

Accepted kickseed into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/kickseed/0.57ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in kickseed (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in rootskel (Ubuntu Precise):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Leonardo, or anyone else affected,

Accepted rootskel into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/rootskel/1.98ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Colin Watson (cjwatson) wrote :

Hello Leonardo, or anyone else affected,

Accepted debian-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu136.18 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in debian-installer (Ubuntu Precise):
status: Triaged → Fix Committed
Colin Watson (cjwatson) wrote :

Hello Leonardo, or anyone else affected,

Accepted debian-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu136.19 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Mark Russell (marrusl) wrote :

Verified. Thanks!

tags: added: verification-done
removed: verification-needed

The verification of the Stable Release Update for debian-installer-utils has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rootskel - 1.98ubuntu2.1

---------------
rootskel (1.98ubuntu2.1) precise; urgency=medium

  * Add a new debian-installer/allow_unauthenticated_ssl template, which can
    be used to disable SSL certificate checks when using HTTPS
    (LP: #833994).
 -- Colin Watson <email address hidden> Mon, 23 Jun 2014 18:01:20 +0100

Changed in rootskel (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kickseed - 0.57ubuntu1.2

---------------
kickseed (0.57ubuntu1.2) precise; urgency=medium

  * Add HTTPS support, which will only work if d-i has been built with GNU
    wget (LP: #833994).
 -- Colin Watson <email address hidden> Mon, 23 Jun 2014 17:58:01 +0100

Changed in kickseed (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu136.19

---------------
debian-installer (20101020ubuntu136.19) precise; urgency=medium

  * Bump i386 and amd64 lts-trusty netboot sizes to match trusty.

debian-installer (20101020ubuntu136.18) precise; urgency=medium

  [ Colin Watson ]
  * Add SSL_CERTS variable, which can be used to build images with embedded
    SSL certificates with c_rehash run over them so that OpenSSL can see
    them (LP: #833994).
  * Include wget-udeb in all images so that HTTPS support works out of the
    box.

  [ Adam Conrad ]
  * Cargo-cult lts-saucy configs as lts-trusty, starting at 3.13.0-30.
  * Move master kernels to 3.2.0-65.
  * Move armadaxp kernels to 3.2.0-1635.
  * Move ti-omap4 kernels to 3.2.0-1450.
  * Move lts-quantal kernels to 3.5.0-52.
  * Move lts-saucy kernels to 3.11.0-24.
 -- Adam Conrad <email address hidden> Wed, 25 Jun 2014 08:07:11 -0600

Changed in debian-installer (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer-utils - 1.88ubuntu2.2

---------------
debian-installer-utils (1.88ubuntu2.2) precise; urgency=medium

  * fetch-url-methods/http: Cope with the slightly different no-such-file
    output produced by GNU wget, and with it needing to be invoked using
    --no-verbose rather than -q (LP: #1172101).
  * Add HTTPS support to fetch-url, which will only work if d-i has been
    built with GNU wget; debian-installer/allow_unauthenticated_ssl implies
    the --no-check-certificate option (LP: #833994).
 -- Colin Watson <email address hidden> Mon, 23 Jun 2014 16:35:11 +0100

Changed in debian-installer-utils (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cobbler-enlist (Ubuntu Precise):
status: New → Confirmed
Bryan Quigley (bryanquigley) wrote :

This won't be fixed in 12.04 as it's ESM only.

Changed in cobbler-enlist (Ubuntu):
status: Triaged → Won't Fix
Changed in cobbler-enlist (Ubuntu Precise):
status: Confirmed → Won't Fix