SuSE 8.0 no ftp installation possible ? NFS is insecure.

Hello,

I've just been trying to install SuSE 8.0 via FTP, but I couldn't believe it when I saw it: there is no ftp-installation option. There are only two options left:
- Installation via NFS (insecure !!!!)
- Installation via SMB/Windows file sharing (doesn't work, because the installer can't find a no further specified module).

Please don't force us to use nfs - that sucks and is _really_ insecure. Am I missing something or did SuSE remove the ftp-installer? And why doesn't the (also insecure) smb-installer work ?

Bye, Gunther

What do you mean, "get real". If that is all your 2 cents you might as well keep them, thank you.

Incidentally, I'm just running a few boxes behind a thorough firewall; and I want to install via ftp. I am not prepared to buy CD drives for every P133 in our office. This is not a setting that requires a paranoid handling of things, and I have decided that installing via FTP is just fine and very convenient in *MY* situation, that you do not know.

The big question remains unanswered: Has the option to install via ftp gone? And how come so?

Thank you.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Erwin Rennert, Center for Social Innovation
Austria, Europe
erwin@zsi.at

On Thu, 2 May 2002, John Trickey wrote:

What do you mean, "get real". If that is all your 2 cents you might as well keep them, thank you.
Gunther knew exactly what I meant but if I have to spell it out. Doing any install on a network carrying potentially hostile traffic is a security risk. That includes ftp, nfs, smb and CDROM.
Thinking you're safe behind a firewall is a fool's paradise. At the end of the day, you, the sysadmin, have to weigh the risks but remember Murphy's law - if anything can happen, it will when you least want it to.

John

John Trickey wrote:
If you can't trust your private network you have more serious problems than doing an install or upgrade across the lan (as in LOCAL area network).

--
Ken Schneider
Senior UNIX Administrator
Network Administrator

On Thu, 2 May 2002, Ken Schneider wrote:
At least if you don't trust your private network you can watch and record EVERYTHING that goes on.

--
(o<   Powered by SuSE Linux
//\   Virusproof. Crashproof.
V_/_  No MS products were used in the creation of this message..
4:06pm up 1 day, 7:11, 22 users, load average: 1.07, 1.04, 1.06 processes 40649

Hi John,

I got your point, okay. But it's an exorbitancy that SuSE removed this commonly used feature !! Many many people were using ftp - most of my customers in fact.

And I myself...... just arrived at the datacenter at 4 am because of an emergency, no cd - no nothing. you forgot everything @ home... some 3,5" disks can be found everywhere. Go to the next ftp i.e. ftp.gwdg.de, create the disks and go on..

I could live with a self-bootable nfs-server on one of the installation cds. Why didn't SuSE implement this nice feature ?

Bye, Gunther

-----Original Message-----
From: John Trickey [mailto:jtrickey@iee.org]
Sent: Thursday, 2 May 2002 19:26
To: suse-security@suse.com
Subject: RE: [suse-security] SuSE 8.0 no ftp installation possible ? NFS is insecure.

Who in their right mind installs on a live network! Get real!

John

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

Hi Gunther,
I got your point, okay.
:-))
But it's an exorbitancy that SuSE removed this commonly used feature !!
That's a separate issue. I've never had to use ftp for an install so it's not something I look for. I have used nfs to bypass a faulty CDROM drive and to load machines without CDROM drives. It's always a case of: enable nfs server; do install; disable nfs and always on a private/secured LAN. I have used smb to mount the DVD on a machine with only CD where only Windoze boxen are my only option. It works as long as you ignore YaST's moans about installing from an older distro - Yes SuSE, Yast thinks same version DVD is older than CD !! Bottom line: what's the point of removing the ftp option? I can see none other than reducing the amount of code supported and I don't accept that for an excuse.
Yes bad news but the ftp is just a fix for a procedural problem. The datacenter should have in store the installation media for all production software and I would suggest you invest in a grab bag to keep all your CDs etc to hand - that's what I do.
I could live with a self-bootable nfs-server on one of the installation cds.
... But if you remembered the CDs you wouldn't need it ;-/

John

* Gunther Stammwitz wrote on Thu, May 02, 2002 at 01:44 +0200:
Hum, really?! Hope this will be fixed soon!
FTP is insecure as well. The security should come from secure hashing the RPMs secured by a key stored on the book/install disk. I never verified if the suse FTP/NFS install is secure, BTW, anyone? But FTP is more commonly available, faster and easier to set up. I really would like to read a statement why this feature is not available in SuSE 8.0 from SuSE itself.

oki, Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.

On Thu, May 02, 2002 at 01:44:01AM +0200, Gunther Stammwitz wrote:
Welcome to yast2. The option you remember belongs to yast.
There are only two options left: - Installation via NFS (insecure !!!!)
Please write me a private mail where you can show me that a ftp installation is more secure than a nfs installation.

Peter

On Sun, May 05, 2002 at 22:27 +0200, Patrick Sannes wrote:
perhaps a stupid question, but where can I find the suse 8 ftp version? It is supposed to be released in a couple of weeks (as usual)

It can be found on your local file server (the machine with drives for multiple media and lots of disk space). It's held there for those machines you want to install but which neither have a local CD drive nor any other means to get the distribution files from -- except for network access. That's exactly the situation where FTP installation makes sense.

Installing from a public FTP server for anything else but fun and personal pleasure has been called stupid in the thread before. You don't connect not yet set up / tightened machines to an open network, do you?

And yes, I'm aware of signed RPMs to eliminate some of the concerns. But not all.
1) *every* package had to be signed.
2) which signature is the package signed with and checked against? You got to have "clean" boot / bootstrap media.
3) even signed packages come with holes and vulnerabilities you don't want to offer to the world.
4) when distributors started to count (and praise) how *few* mouseclicks their systems take to install and boot they decided for more and more things to run by default, so that every wheenie gets all the bells and whistles running OOTB. That's when the after installation process of locking down all the stuff you didn't want in the first place takes more and more time with every new release. It's constantly getting easier to set up a modern distribution while it constantly gets harder to do it right. :(

But I got sidetracked in the last few sentences ...

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
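Steffen Dettmer's and Gerhard Sittig's messages above both tie the safety of a network install to checking packages against a trust anchor taken from clean install media, and to every package being covered. The following is an added example, not part of any post in the thread: it assumes a sha256sum-style manifest read from trusted media, uses constructed file names and contents, and checks hashes only (it is not RPM signature verification).

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style 'digest  filename' lines into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(None, 1)
            entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def verify_tree(manifest, pkg_dir):
    """Classify packages as ok / mismatch / missing / unlisted."""
    pkg_dir = Path(pkg_dir)
    present = {p.name for p in pkg_dir.iterdir() if p.is_file()}
    result = {"ok": [], "mismatch": [], "missing": []}
    for name, digest in sorted(manifest.items()):
        if name not in present:
            result["missing"].append(name)
        elif sha256_file(pkg_dir / name) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    # Files the trusted manifest never vouched for must not be installed.
    result["unlisted"] = sorted(present - set(manifest))
    return result

def demo():
    # Constructed sample: files as fetched over FTP/NFS vs. a trusted manifest.
    digest = lambda b: hashlib.sha256(b).hexdigest()
    manifest_text = (f"{digest(b'good package')}  good.rpm\n"
                     f"{digest(b'original bytes')}  tampered.rpm\n"
                     f"{digest(b'never fetched')}  absent.rpm\n")
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "good.rpm").write_bytes(b"good package")
        (Path(d) / "tampered.rpm").write_bytes(b"modified in transit")
        (Path(d) / "extra.rpm").write_bytes(b"not in manifest")
        return verify_tree(parse_manifest(manifest_text), d)

if __name__ == "__main__":
    print(demo())
```

An installer would proceed only when `mismatch`, `missing` and `unlisted` are all empty; the check is only as trustworthy as the medium the manifest was read from.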

participants (9)
- Erwin Rennert
- Gerhard Sittig
- Gunther Stammwitz
- John Trickey
- Ken Schneider
- Patrick Sannes
- Peter Wiersig
- Robt. Miller
- Steffen Dettmer