[opensuse] Is there something like Debians Mandos for Opensuse?
Hello,
Debian GNU/Linux contains a program called Mandos, which lets computers with encrypted root partition boot unattended. See: https://wiki.recompile.se/wiki/Mandos
Is there something similar for Opensuse?
Regards, mots
mots wrote:
Hello,
Debian GNU/Linux contains a program called Mandos, which lets computers with encrypted root partition boot unattended. See: https://wiki.recompile.se/wiki/Mandos
Is there something similar for Opensuse?
If you're up to it, it looks like an excellent opportunity to participate. There is no one building a Mandos package for openSUSE atm.
--
Per Jessen, Zürich (4.2°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-11-29 09:30, Per Jessen wrote:
mots wrote:
Hello,
Debian GNU/Linux contains a program called Mandos, which lets computers with encrypted root partition boot unattended. See: https://wiki.recompile.se/wiki/Mandos
Is there something similar for Opensuse?
If you're up to it, it looks like an excellent opportunity to participate. There is no one building a Mandos package for openSUSE atm.
I don't see how an encrypted root that automatically boots can be a good thing. If somebody steals the machine, they can "open" it completely! How does that Mandos do the trick, where is the password stored?
--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/29/2014 09:05 AM, Carlos E. R. wrote:
I don't see how an encrypted root that automatically boots can be a good thing. If somebody steals the machine, they can "open" it completely!
How does that Mandos do the trick, where is the password stored?
It looks a bit like a Kerberos ticket server. The key is not stored on the machine with the encrypted ROOTFS. Rather the boot sequence - think of it as a shim within grub (or whatever) - contacts the key server much in the same way that a kerberos enabled session starts up. That's a pretty broad-brush explanation. My own Kerberos experience is with AIX machines and applications needing to authenticate to communicate with another machine. The irony is that these machines were all in a SPFrame with the common high speed fabric between them, a *very* closed subnet! The IBM FSE told me that the AS400 (or whatever they term it today) version of the application suite ran all on one machine, one CPU but different LPARs :-)
--
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \
On 2014-11-29 15:55, Anton Aylward wrote:
On 11/29/2014 09:05 AM, Carlos E. R. wrote:
I don't see how an encrypted root that automatically boots can be a good thing. If somebody steals the machine, they can "open" it completely!
How does that Mandos do the trick, where is the password stored?
It looks a bit like a Kerberos ticket server. The key is not stored on the machine with the encrypted ROOTFS. Rather the boot sequence - think of it as a shim within grub (or whatever) - contacts the key server much in the same way that a kerberos enabled session starts up.
I can imagine two possibilities. One is that the initrd image contains the needed scripts/binaries to contact the mandos server. Another is that grub2 itself, which has some decryption capabilities to boot from an encrypted root (without a plain /boot), itself includes the code needed for mandos. This is not as simple as adding a package to the distribution. It could also be a variation of tiny-ftp... it can be used for booting from network.
--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
The mandos client is installed in initrd, which is why it's so hard to get it running on anything that isn't Debian based. From what I've read Debian has lots of hooks to add things to initrd, but all other distributions don't. Source: https://www.centos.org/forums/viewtopic.php?t=28316#p133190
PS: I've manually replaced "AW" with "Re" in hopes of not breaking mail threading.
-----Original Message-----
From: Carlos E. R. <robin.listas@telefonica.net>
Sent: Sat 29 November 2014 17:52
To: oS-en <opensuse@opensuse.org>
Subject: Re: [opensuse] Is there something like Debians Mandos for Opensuse?
On 2014-11-29 15:55, Anton Aylward wrote:
On 11/29/2014 09:05 AM, Carlos E. R. wrote:
I don't see how an encrypted root that automatically boots can be a good thing. If somebody steals the machine, they can "open" it completely!
How does that Mandos do the trick, where is the password stored?
It looks a bit like a Kerberos ticket server. The key is not stored on the machine with the encrypted ROOTFS. Rather the boot sequence - think of it as a shim within grub (or whatever) - contacts the key server much in the same way that a kerberos enabled session starts up.
I can imagine two possibilities.
One is that the initrd image contains the needed scripts/binaries to contact the mandos server.
Another is that grub2 itself, which has some decryption capabilities to boot from an encrypted root (without a plain /boot), itself includes the code needed for mandos.
This is not as simple as adding a package to the distribution.
It could also be a variation of tiny-ftp... it can be used for booting from network.
-- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
mots wrote:
PS: I've manually replaced "AW" with "Re" in hopes of not breaking mail threading.
Mail threading is generally based on the Message-ID: and References: headers, not the Subject:.
--
Per Jessen, Zürich (4.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2014-11-30 13:06, Per Jessen wrote:
mots wrote:
The mandos client is installed in initrd, which is why it's so hard to get it running on anything that isn't Debian based. From what I've read Debian has lots of hooks to add things to initrd, but all other distributions don't. Source: https://www.centos.org/forums/viewtopic.php?t=28316#p133190
Ah, in initrd. And an added complication is that now openSUSE uses dracut instead. It would be an interesting feature to have, yes. I think you (mots) should make the suggestion in the factory mail list, because the people that can make it happen meet there.
PS: I've manually replaced "AW" with "Re" in hopes of not breaking mail threading.
Mail threading is generally based on the Message-ID: and References: headers, not the Subject:.
Unless the sender mail client thinks that when you edit the subject it has to start a new thread, as an automatism to avoid thread hijack :-? Strange, but a possibility. Another possibility, which is known to break threading, is using a forward instead of a reply. Accidents may happen - this post went correctly :-)
--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
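As an added illustration of the dracut mechanism Carlos mentions as the openSUSE-side complication (this is not code from Mandos, openSUSE or anyone in the thread): a hypothetical dracut module-setup.sh that would pull a key-fetching client into the initrd and run it just before the root filesystem is mounted, the point at which the LUKS passphrase is needed. The module name, the client path and the hook script name are placeholders.

```shell
#!/bin/bash
# Hypothetical dracut module "90unlockclient" (placeholder name, not a real package).
# Would live at /usr/lib/dracut/modules.d/90unlockclient/module-setup.sh and be
# enabled with:  add_dracutmodules+=" unlockclient "  in /etc/dracut.conf.d/*.conf
CLIENT_BIN="/usr/libexec/unlock-client"   # placeholder path for the key-fetch client

# check(): dracut calls this to decide whether to include the module.
#   0 = include, 1 = skip (client not installed), 255 = include only when requested.
check() {
    [ -x "$CLIENT_BIN" ] || return 1
    return 255
}

# depends(): modules that must be in the initrd before this one.
#   "network" brings up the NIC so the key server is reachable,
#   "crypt" provides the LUKS unlock machinery the fetched key feeds into.
depends() {
    echo "network crypt"
    return 0
}

# install(): copy the client into the initrd image and register a hook script
# (shipped alongside this file, placeholder name) to run in the pre-mount phase.
install() {
    inst_multiple "$CLIENT_BIN"
    inst_hook pre-mount 90 "$moddir/unlock-client-hook.sh"
}
```

The hook script itself would call the client and pass the obtained passphrase to the crypt module; what the client speaks to the server is exactly the part the thread leaves open.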
Carlos E. R. wrote:
On 2014-11-30 13:06, Per Jessen wrote:
mots wrote:
PS: I've manually replaced "AW" with "Re" in hopes of not breaking mail threading.
Mail threading is generally based on the Message-ID: and References: headers, not the Subject:.
Unless the sender mail client thinks that when you edit the subject it has to start a new thread, as an automatism to avoid thread hijack :-?
Strange, but a possibility.
Another possibility, which is known to break threading, is using a forward instead of a reply.
That seems pretty obvious to me - a forward would not update the References: header.
--
Per Jessen, Zürich (3.8°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
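Per's point about threading keying on Message-ID: and References:, as an added example that is not from the thread: three constructed messages show that a reply whose client rewrote the subject prefix to "AW:" still threads under the original, while a forward with a tidy "Re:" subject does not, because the forward carries no References: header.

```python
from email.message import EmailMessage

# Constructed sample Message-IDs (any opaque unique string works in practice).
ORIG_ID = "<mots-1@example.invalid>"
REPLY_ID = "<carlos-2@example.invalid>"
FWD_ID = "<mots-3@example.invalid>"
SUBJECT = "[opensuse] Is there something like Debians Mandos for Opensuse?"


def make_mail(msg_id, subject, references=None):
    """Build a minimal RFC 5322 message. A reply carries References:/In-Reply-To:;
    a forward (like a brand-new mail) does not, whatever its Subject: says."""
    m = EmailMessage()
    m["Message-ID"] = msg_id
    m["Subject"] = subject
    if references:
        m["References"] = " ".join(references)
        m["In-Reply-To"] = references[-1]
    m.set_content("body is irrelevant for threading")
    return m


def thread_parents(messages):
    """Map each Message-ID to its parent's Message-ID, chosen from References:
    and In-Reply-To: (nearest known ancestor wins). Subject: is never consulted."""
    known = {m["Message-ID"] for m in messages}
    parents = {}
    for m in messages:
        refs = m.get("References", "").split() + m.get("In-Reply-To", "").split()
        parents[m["Message-ID"]] = next((r for r in reversed(refs) if r in known), None)
    return parents


ORIGINAL = make_mail(ORIG_ID, SUBJECT)
REPLY_AW = make_mail(REPLY_ID, "AW: " + SUBJECT, references=[ORIG_ID])  # German client prefix
FORWARD_RE = make_mail(FWD_ID, "Re: " + SUBJECT)                          # forward: no References:


def demo():
    return thread_parents([ORIGINAL, REPLY_AW, FORWARD_RE])


if __name__ == "__main__":
    for mid, parent in demo().items():
        print(mid, "->", parent)
```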