
Re: Puppet Bootstrapping



On Thu, 2006-08-31 at 10:32 -0600, Jeffrey Law wrote:

> By distributing the puppet CA cert in the OS image we get the
> end-to-end secured channel.

	Right, or if you were doing something similar with SSH, the OS image
would contain the server's host key fingerprint in known_hosts.

> The weak link at this point becomes dhcp/tftp.  Mr. bad guy
> would need to attack that point so that he could serve a
> different OS image with a different CA cert.  If successful
> mr. bad guy could then run a successful MITM and give the
> client/victim bogus ssh keys.  I'm not immediately aware of
> anyone that's looked at hardening dhcp/tftp.

	Yep, the only real solution to that would be that you'd do the initial
bootstrapping by booting a CD containing the OS image.

Cheers,
Mark.
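The two messages above describe one trust chain: the puppet CA cert (or an SSH host key) baked into the OS image is the anchor, so whatever delivers the image (dhcp/tftp, or the boot CD Mark mentions) has to be trusted too. The script below is an added example, not code from the thread or from Puppet: a bootstrap-time check that refuses to use a downloaded image or CA cert unless its SHA-256 matches a pin that travelled on the trusted media rather than with the tftp download. File names, the pin-file format and the sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a tftp-fetched OS image
# and the puppet CA cert inside it against SHA-256 pins that shipped on trusted
# boot media, so a tampered dhcp/tftp path cannot swap in a different CA cert.
# All file names and pin values here are constructed placeholders.

# sha256_of FILE: print the hex SHA-256 digest of FILE. Run this on trusted
# media when building the pin file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_pinned FILE EXPECTED_SHA256: return 0 if FILE hashes to the pin,
# 1 if the file is missing or the digest differs.
verify_pinned() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# bootstrap_check IMAGE CACERT PINFILE: PINFILE holds two lines,
# "image <sha256>" and "ca <sha256>", and is the copy that came with the
# trusted media, not with the download. Returns 0 only when both match.
bootstrap_check() {
    image="$1"
    cacert="$2"
    pinfile="$3"
    image_pin=$(awk '$1=="image"{print $2}' "$pinfile")
    ca_pin=$(awk '$1=="ca"{print $2}' "$pinfile")
    if [ -z "$image_pin" ] || [ -z "$ca_pin" ]; then
        echo "pin file incomplete: refusing to continue" >&2
        return 2
    fi
    if ! verify_pinned "$image" "$image_pin"; then
        echo "image hash mismatch: refusing to boot it" >&2
        return 1
    fi
    if ! verify_pinned "$cacert" "$ca_pin"; then
        echo "CA cert hash mismatch: refusing to enrol with puppet" >&2
        return 1
    fi
    echo "image and CA cert match the trusted pins"
    return 0
}
```

Usage: build the pin file once from known-good artifacts with `sha256_of` and put it on the same media as the boot loader; at boot, call `bootstrap_check /path/to/os.img /path/to/puppet-ca.pem /path/to/pins` before handing control to the image. The check only moves the trust problem to the pin file, which is exactly why that file has to arrive over the trusted path, not over tftp.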
