From: Xin Li <delphij@delphij.net>
Organization: The FreeBSD Project
Date: Tue, 21 Aug 2012 09:18:53 -0700
To: freebsd-security@freebsd.org
Cc: Pawel Jakub Dawidek
Message-ID: <5033B4ED.20401@delphij.net>
Subject: Remotely attaching GELI provider on boot -- is this a useful feature?
Hi,

I've been playing around with GELI a little bit and came up with an idea, have a prototype, and wonder if this would be useful.

The scenario is that a system administrator wants a system to be started with only network access. In the current startup order 'geli' is started way earlier than SSH and network configuration, so in my prototype I have added a new script that runs before 'geli', starts the network and SSH, and keeps looking for the geli device, or for someone pressing Enter on the console (so 'geli' will take over and ask for the passphrase). The administrator is expected to enable root login with public key authentication, and / (for the base system) and /root (for the public key) are encrypted.

Of course, this is only a prototype and there are a lot of rough edges, like the hardcoded geli device name, etc., but would this be useful for general consumption?

----
#!/bin/sh
#
# PROVIDE: geli0
# BEFORE: disks
# REQUIRE: initrandom
# KEYWORD: nojail

. /etc/rc.subr

name="geli0"
start_cmd="geli0_start"
stop_cmd=":"
required_modules="geom_eli:g_eli"

geli0_start()
{
	# Root is still mounted read-only this early in boot; devd and sshd
	# need to write, so remount it read-write.
	mount -uw /

	# Bring up just enough of the system to accept an SSH login.
	/etc/rc.d/devd start
	/etc/rc.d/hostid start
	/etc/rc.d/hostname start
	/etc/rc.d/netif start
	/etc/rc.d/routing start
	/etc/rc.d/sshd start

	echo -n "Waiting for ada0s1d to become available, press Enter to continue..."
	# Poll every 5 seconds for the attached provider (created by a remote
	# 'geli attach' over SSH). Enter on the console breaks out of the loop
	# so rc.d/geli can prompt for the passphrase locally instead.
	while true; do
		if [ -e /dev/ada0s1d.eli ]; then
			break
		fi
		read -t 5 dummy && break
	done

	# Tear the temporary services down again; the normal rc order will
	# start them later in the boot.
	/etc/rc.d/sshd stop
	/etc/rc.d/routing stop
	/etc/rc.d/netif stop
	/etc/rc.d/devd stop
}

load_rc_config $name
run_rc_command "$1"
----
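The message shows only the host side of the remote unlock; the administrator's side is left implicit. The following is an added example, not code from the post or from FreeBSD, showing both halves as plain POSIX sh functions: a host-side wait that gives up after a timeout instead of looping forever (it polls with sleep rather than the rc script's 'read -t', and does not handle the console Enter key), and an admin-side function that attaches the provider over SSH while feeding the passphrase on stdin to 'geli attach -j -' so it never appears on the remote command line or in shell history. The host name 'box.example.org', the provider 'ada0s1d', root login over SSH with a public key, and a provider initialized with a passphrase only (no -K keyfile) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: provider
# ada0s1d on host box.example.org, provider protected by passphrase only.

# Host side: poll until the .eli device node for $1 exists, or give up
# after $2 seconds. Returns 0 when the provider is attached, 1 on timeout.
wait_for_provider() {
    dev=$1
    timeout=$2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$dev" ]; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Admin side: attach provider $2 on host $1 over SSH. The passphrase is
# read from our stdin and forwarded to 'geli attach -j -', which takes
# only the first line of stdin, so nothing secret is on the command line.
remote_attach() {
    host=$1
    prov=$2
    ssh "root@$host" geli attach -j - "$prov"
}

# Typical use from the administrator's workstation (assumed names):
#   stty -echo; read -r pass; stty echo
#   printf '%s\n' "$pass" | remote_attach box.example.org ada0s1d
# On the host, the rc script's loop then sees /dev/ada0s1d.eli appear.
```

Once 'geli attach' has created /dev/ada0s1d.eli on the host, the rc script's loop above exits on its next poll and the rest of the boot proceeds. If the attach never happens, wait_for_provider returns 1 after the timeout instead of holding the boot indefinitely, which is the case the posted prototype does not yet cover.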