Personaly, I'm agains the idea.
It's not exactly a lot of work to plug a monitor and keyboard (who needs a mouse for console??) on the machine then just change the password and start ssh
If it wasn't the way it is, you'd then have to do it anyway to change the password. Who wants to leave a root account open with no password for even 2 minutes?
think of how easy one could logon to it then install some nice backdoors while you're bootstraping. Or just sit there and wait for your install to be almost complete before they do it.
would turn gentoo into another Windows security nightmare
Install CD wish: sshd started, no root password scrambling
Message
Personally, I don't see why we can't have both (as discussed on the previous page).
It's not that I'm against security, but it would seem that some users are more paranoid than others
(and I probably belong to the first bunch, seeing as I run a personal firewall on my windows machine besides my linux firewall rules 
)
Anyway, Linux in general is all about choice, and this would be a great thing to have. There are always tradeoffs, no matter what you choose.
It's not that I'm against security, but it would seem that some users are more paranoid than others
(and I probably belong to the first bunch, seeing as I run a personal firewall on my windows machine besides my linux firewall rules )Anyway, Linux in general is all about choice, and this would be a great thing to have. There are always tradeoffs, no matter what you choose.
Personally, I think the root password should not be scrambled as it is an obvious security risk, although any "hackers" would have to know the default password and know that you would be using the CD on the net at the time were doing it. A much better solution would be to not scramble the password, but randomise it and show the user on the screen. This would prevent unauthorised internet accessbut still allow the password to be known with out change.
I also don't think that an ssh server should be started, as the majority would want to save resources eg.shut it down, and this would waste time.
Ben
I also don't think that an ssh server should be started, as the majority would want to save resources eg.shut it down, and this would waste time.
Ben
We are talking about two different things here. I don't want to remove the current way it works (it perfect when sitting AT the machine locally).
I just agreed that it might be a good idea to have the second option of booting to do a remote install (hackers be damned ).
Ohwell, I'm probably not going to help by just talking on the forum and I don't have the time/knowledge to do anything about it (and I'm also kinda lazy since I don't need it right now
) so I guess I'll leave this thread alone (for)now 
I just agreed that it might be a good idea to have the second option of booting to do a remote install (hackers be damned
).Ohwell, I'm probably not going to help by just talking on the forum and I don't have the time/knowledge to do anything about it (and I'm also kinda lazy since I don't need it right now
) so I guess I'll leave this thread alone (for)now 
- geekX
- Tux's lil' helper
- Posts: 86
- Joined: Wed Apr 02, 2003 11:15 am
- Location: Cape Town, South Africa
- Contact:
I don't think it would be such a big added security-risk. You need physical access to a box to boot from a cd, so this will be a consious thing for the administrator.
For a keyboard and monitorless install to work, the network configuration should happen automatically and I'm sure that it should be possible that while installing, the server gets some 'guest'-level access on the network so that it is only accessible from the internal lan and not the internet. You can then change the password, do the install and connect it to the net.
This should save some administrators lots of time/money.
I think a better approach to the livecd solution would be to create more different livecds or even a livecd 'kit'. You can then customise your own livecd, put on it any pre-compiled packages or 'stage' tarballs, select what services to start, what kernel to boot, whether it should have the bootsplash or framebuffer terminal, etc. Create your own iso, burn onto cd and boot.
hmmm maybe I should look into the idea. Can even combine this with the install programs and scripts that are currently under developement. Might add modem-install support, even. But a no-keyboard, no-monitor install would be cool.
All in the spirit of a 'meta-distribution'
For a keyboard and monitorless install to work, the network configuration should happen automatically and I'm sure that it should be possible that while installing, the server gets some 'guest'-level access on the network so that it is only accessible from the internal lan and not the internet. You can then change the password, do the install and connect it to the net.
This should save some administrators lots of time/money.
I think a better approach to the livecd solution would be to create more different livecds or even a livecd 'kit'. You can then customise your own livecd, put on it any pre-compiled packages or 'stage' tarballs, select what services to start, what kernel to boot, whether it should have the bootsplash or framebuffer terminal, etc. Create your own iso, burn onto cd and boot.
hmmm maybe I should look into the idea. Can even combine this with the install programs and scripts that are currently under developement. Might add modem-install support, even. But a no-keyboard, no-monitor install would be cool.
All in the spirit of a 'meta-distribution'
Sometimes I feel like Superman.
Sometimes I'm just recuperating.
Sometimes I'm just recuperating.
- lithiumcloud
- n00b
- Posts: 1
- Joined: Wed Apr 16, 2003 4:48 am
You need a keyboard to get past the bootprompt and select keymap anyway.
Besides, most people install gentoo over the net and thus are concerned about security. Hey, most people use a screen and keyboard to install becuase they will be using them with the machine. They'd have to stop ssh and put up with an insecure default password, far more serious than needing to plug in a keyboard (you don't need a screen). This would hurt people a lot more than the few it would help.
Besides, most people install gentoo over the net and thus are concerned about security. Hey, most people use a screen and keyboard to install becuase they will be using them with the machine. They'd have to stop ssh and put up with an insecure default password, far more serious than needing to plug in a keyboard (you don't need a screen). This would hurt people a lot more than the few it would help.
You don't need to select keymap on the rc4 LiveCD... The bootprompt boots an image after some time.lithiumcloud wrote:You need a keyboard to get past the bootprompt and select keymap anyway.
Besides, most people install gentoo over the net and thus are concerned about security. Hey, most people use a screen and keyboard to install becuase they will be using them with the machine. They'd have to stop ssh and put up with an insecure default password, far more serious than needing to plug in a keyboard (you don't need a screen). This would hurt people a lot more than the few it would help.
So most people install over the net and most people install with a screen and a keyboard? Sorry, I don't understand the logic behind this...
As has been proposed before, a special LiveCD for input/outputless computers could be made...
- Simon
- erik_swanson
- Retired Dev
- Posts: 123
- Joined: Sun Feb 02, 2003 7:11 pm
- Location: Corvallis, OR USA
Personally, I am looking for this right now. I have two workstations on my 2port KVM and 2 servers running headless. Due to my comfortable arrangement with my two workstations, it is indeed going to be a pain to hook up my KVM to new box, a 3rd server that will run headless.
I definitely want this, but haven't had time to mess with the livecd-ng package. PLEASE... someone do this for me!
I definitely want this, but haven't had time to mess with the livecd-ng package. PLEASE... someone do this for me!
-----------------------------------------
Michael
Michael
- carambola5
- Apprentice
- Posts: 214
- Joined: Wed Jul 10, 2002 8:53 pm
As a shameless plug to my practical novel I wrote for the Portage website, I suggest you look at my post. Scroll down to the Remote Gentoo Installation section and read the paragraph that starts with "Regarding the modified LiveCD."
What do you think?
What do you think?
I don't see the big security problem
In my case, I'm trying to install gentoo on a new headless box and I don't even own a PC keyboard (except the one built-in to my laptop). I do have
a monitor so I can see that my network connection started up nicely, and I can ping the box fine, but of course there is no service to log on to.
So a liveCD that would launch sshd would be very handy for me right now...
In my case, the box is behind a firewall so there is no real security issue, but I must say that the probability of a breach is very small even without the firewall: the default root password would only be acitve DURING the time that the machine is booted from the liveCD, (presumably only long enough for you to do the install). You could have a default password and then only allow a single log-on until the root password is changed. The first person to log on wins control of the box! Now who do you think will get there first? The person that knows a brand-new never-existed-before machine was just booted and is itching to get started, or mister anonymous hacker searching for free machines? The window of vulnerability would last mere seconds.
This would require that console users also login, but you can display the default password for them so its no trouble. The install procedure SHOULD require a new (non-default) root password for the installed system, I don't know what it actually does because I can't do anything without a keyboard.
The potential danger is someone boots the liveCD and walks away without ever logging in, but how often is that going to happen? Heck you could even make the script kill the sshd after 5 minutes if there was no log in, so then only the physical keyboard would be vulnerable, but then it already is now isn't it?
Where are the security paranoids screaming about the root exploit for those poor idiots who parked there computer in a public place and walked away after booting from the live CD? It's a huge gaping security hole!!!! Not.
a monitor so I can see that my network connection started up nicely, and I can ping the box fine, but of course there is no service to log on to.
So a liveCD that would launch sshd would be very handy for me right now...
In my case, the box is behind a firewall so there is no real security issue, but I must say that the probability of a breach is very small even without the firewall: the default root password would only be acitve DURING the time that the machine is booted from the liveCD, (presumably only long enough for you to do the install). You could have a default password and then only allow a single log-on until the root password is changed. The first person to log on wins control of the box! Now who do you think will get there first? The person that knows a brand-new never-existed-before machine was just booted and is itching to get started, or mister anonymous hacker searching for free machines? The window of vulnerability would last mere seconds.
This would require that console users also login, but you can display the default password for them so its no trouble. The install procedure SHOULD require a new (non-default) root password for the installed system, I don't know what it actually does because I can't do anything without a keyboard.
The potential danger is someone boots the liveCD and walks away without ever logging in, but how often is that going to happen? Heck you could even make the script kill the sshd after 5 minutes if there was no log in, so then only the physical keyboard would be vulnerable, but then it already is now isn't it?
Where are the security paranoids screaming about the root exploit for those poor idiots who parked there computer in a public place and walked away after booting from the live CD? It's a huge gaping security hole!!!! Not.
except the hacker would have to run a special script to compromise gentoo boxes.puggy wrote: If the password is preset there might as well be no password as it'll make no difference to the hacker. Hence there is no point in only using a static login for the remote install as long as the local interface is logged out on boot.
I'm all in favor of this. Just make the password immdiatly expire after the first login. Shouldn't be too hard.
Aim:gsfgf0