debian-installer does not support https when using with preseed files

In order to fix this we'll probably have to switch to wget-udeb, since busybox wget doesn't support SSL and is unlikely to ever do so as far as I can tell. It would be nice to get wget-udeb a bit smaller first.

Adding cobbler-enlist task, as we will likely want to add SSL support to cobbler-enlist when debian-installer is updated.

(task added based on MIR bug 860492)

We've been talking about this today. The question of certificates is a rather vexed one: we'd have to put the whole bulk of ca-certificates into the installer initrd, and furthermore many of the sites in question are going to be self-signed ones that somebody ran up locally so there would need to be a way to get certificates into the installer initrd. Furthermore, if you're PXE-booting the installer, anyone can already ARP-spoof you and substitute an installer initrd with the certificate of their choice. For lots of work, you gain not very much real security!

The installation guide does currently document that crypted passwords should be an MD5 hash, but as far as I can see there's no actual requirement for this, and a SHA-512 hash should work perfectly well. Have you tried this? Would this be sufficient to meet your compliance requirements?

Understandable, but as for that, the bulk certificates could be passed on as a bootloader parameter to keep it simple and more dynamic. You can protect your self against arp spoofing if you have proper security (eg arp spoof protection and/or private vlan in your switches).

I would not agree on that, with proper security in the environment you actually raise it allot by not sending the hashed root password over the network in clear text.

I would like to keep that still with in a encrypted session, are you that comfortable to post your password that is sha-512 hashed on a public forum?

Certificates: sure, but that's a lot of new mechanism we'd have to write.

Password: I didn't ask whether you were comfortable with it, but whether it met your PCI compliance requirements. :-)

Thats true and this is the request.

Ah, sorry, yes it does :-)

FWIW, on certificates, the best way to approach this would probably be to use the fact that you can concatenate two initramfses; so we'd probably have to have a tool that builds certificates into initramfs form so that you can append that to your installer initrd, or deliver it separately if your boot loader supports multiple initramfses.

Related:

"wget-udeb should install to /usr/bin/wget instead of /usr/bin/wget.gnu"
https://bugs.launchpad.net/ubuntu/+source/wget/+bug/1172101

I don't think certificates are necessary here: we could permit any https without any certificate checking, and still have an improvement, with no additional dangers over using http. For example, you would remain vulnerable to DNS spoofing or man-in-the-middle problems, but you would not be subject to the exposure of secret information in packages. (There are plenty of cases where a link is sniffable but not pwnable.)

Agree with tbushnell above. The advantage of at least having an encrypted tunnel is real, whether you get all the benefits of SSL certificate checks.
-Alan

Hi Guys,

An encrypted tunnel would at least provide some security level to the use case. I have seen more and more people requesting such kind of feature on Ubuntu deployments. Now with MAAS handling the orchestration I believe it's just about time.

Is it possible to have someone ( more knowledgeable than me ) working on a proposal patch ?

Thank you for the great work/discussion btw!
Leo

I've committed the start of this upstream, now that I've fixed things to permit the use of GNU wget. My strategy here is going to be:

 * make fetch-url (for preseeding) and kickseed both work with HTTPS
 * overload debian-installer/allow_unauthenticated=false to imply wget --no-check-certificate (I think this is close enough; I couldn't think of a reason why you would care deeply about the HTTPS certificate and then not care about installing unauthenticated packages)
 * add wget-udeb to our default d-i builds (at least netboot, but probably globally)
 * add support to the d-i build system for local builds with SSLCERTS set to a list of paths to certificates
 * if you want to use the stock initramfs, you can make another initramfs containing just /usr/lib/ssl/certs/*.crt for whatever certificates you need, run c_rehash over that directory, and concatenate that to the stock initramfs either with cat or in your boot loader

Once this is done, I'll be able to proceed with the next step, bug 1135163.

Re comment #13, I'll rename SSLCERTS to SSL_CERTS - fits better into the other variable names.

This bug was fixed in the package debian-installer-utils - 1.104ubuntu1

---------------
debian-installer-utils (1.104ubuntu1) trusty; urgency=medium

  * Resynchronise with Debian. Remaining changes:
    - user-params: Don't propagate vga=*, break=*, *-ubiquity, or
      noninteractive to installed system.
    - list-devices:
      + New "mmc-partition" type for detecting partitions on MMC devices.
      + Make sure we also detect platform-omap MMCs.
      + Don't return entries for extended partitions.
    - Don't include the battery subsystem on calls to udevadm trigger.

debian-installer-utils (1.104) unstable; urgency=medium

  * Add HTTPS support to fetch-url, which will only work if d-i has been
    built with GNU wget; debian-installer/allow_unauthenticated is
    overloaded to imply the --no-check-certificate option (LP: #833994).
 -- Colin Watson <email address hidden> Mon, 10 Feb 2014 18:51:39 +0000

This bug was fixed in the package kickseed - 0.61ubuntu1

---------------
kickseed (0.61ubuntu1) trusty; urgency=medium

  * Resynchronise with Debian. Remaining changes:
    - Add basic RAID support. (LVM-on-RAID won't quite work yet.)
    - Add basic iSCSI support.

kickseed (0.61) unstable; urgency=medium

  * Add HTTPS support, which will only work if d-i has been built with GNU
    wget (LP: #833994). "url https://..." requires further work in at least
    choose-mirror before it will be usable.
 -- Colin Watson <email address hidden> Mon, 10 Feb 2014 19:44:28 +0000

This bug was fixed in the package debian-installer - 20101020ubuntu295

---------------
debian-installer (20101020ubuntu295) trusty; urgency=medium

  * Add SSL_CERTS variable, which can be used to build images with embedded
    SSL certificates with c_rehash run over them so that OpenSSL can see
    them (LP: #833994).
  * Include wget-udeb in all images so that HTTPS support works out of the
    box.
 -- Colin Watson <email address hidden> Mon, 10 Feb 2014 21:47:54 +0000

Thinking a bit harder about this, we shouldn't use debian-installer/allow_unauthenticated=true to govern this, as GPG checking is much stronger than SSL certificate checking; it's reasonable to want to disable the latter without disabling the former. I'll add a new debian-installer/allow_unauthenticated_ssl=true preseed for this.

This bug was fixed in the package rootskel - 1.107ubuntu1

---------------
rootskel (1.107ubuntu1) trusty; urgency=medium

  * Resynchronise with Debian. Remaining changes:
    - Apply configurable console colors in d-i virtual terminals.

rootskel (1.107) unstable; urgency=low

  [ Martin Michlmayr ]
  * Remove Cobalt related scripts.

  [ Samuel Thibault ]
  * /proc/mounts now exists on hurd-any, point /etc/mtab to it.

  [ Colin Watson ]
  * Add a new debian-installer/allow_unauthenticated_ssl template, which can
    be used to disable SSL certificate checks when using HTTPS
    (LP: #833994).
 -- Colin Watson <email address hidden> Tue, 11 Feb 2014 18:29:54 +0000

Finally,

The bug I reported almost 2.5y ago that got converted to a community bug and it is now fixed!

Very appriciated!

Will this make it to ubuntu 14.04 (or 14.04.1?)

Hi Lezgin,

This is already in 14.04. You can test right away.

Hello Leonardo, or anyone else affected,

Accepted debian-installer-utils into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/debian-installer-utils/1.88ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Leonardo, or anyone else affected,

Accepted kickseed into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/kickseed/0.57ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Leonardo, or anyone else affected,

Accepted rootskel into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/rootskel/1.98ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Leonardo, or anyone else affected,

Accepted debian-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu136.18 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Leonardo, or anyone else affected,

Accepted debian-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu136.19 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Verified. Thanks!

The verification of the Stable Release Update for debian-installer-utils has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package rootskel - 1.98ubuntu2.1

---------------
rootskel (1.98ubuntu2.1) precise; urgency=medium

  * Add a new debian-installer/allow_unauthenticated_ssl template, which can
    be used to disable SSL certificate checks when using HTTPS
    (LP: #833994).
 -- Colin Watson <email address hidden> Mon, 23 Jun 2014 18:01:20 +0100

This bug was fixed in the package kickseed - 0.57ubuntu1.2

---------------
kickseed (0.57ubuntu1.2) precise; urgency=medium

  * Add HTTPS support, which will only work if d-i has been built with GNU
    wget (LP: #833994).
 -- Colin Watson <email address hidden> Mon, 23 Jun 2014 17:58:01 +0100

This bug was fixed in the package debian-installer - 20101020ubuntu136.19

---------------
debian-installer (20101020ubuntu136.19) precise; urgency=medium

  * Bump i386 and amd64 lts-trusty netboot sizes to match trusty.

debian-installer (20101020ubuntu136.18) precise; urgency=medium

  [ Colin Watson ]
  * Add SSL_CERTS variable, which can be used to build images with embedded
    SSL certificates with c_rehash run over them so that OpenSSL can see
    them (LP: #833994).
  * Include wget-udeb in all images so that HTTPS support works out of the
    box.

  [ Adam Conrad ]
  * Cargo-cult lts-saucy configs as lts-trusty, starting at 3.13.0-30.
  * Move master kernels to 3.2.0-65.
  * Move armadaxp kernels to 3.2.0-1635.
  * Move ti-omap4 kernels to 3.2.0-1450.
  * Move lts-quantal kernels to 3.5.0-52.
  * Move lts-saucy kernels to 3.11.0-24.
 -- Adam Conrad <email address hidden> Wed, 25 Jun 2014 08:07:11 -0600

This bug was fixed in the package debian-installer-utils - 1.88ubuntu2.2

---------------
debian-installer-utils (1.88ubuntu2.2) precise; urgency=medium

  * fetch-url-methods/http: Cope with the slightly different no-such-file
    output produced by GNU wget, and with it needing to be invoked using
    --no-verbose rather than -q (LP: #1172101).
  * Add HTTPS support to fetch-url, which will only work if d-i has been
    built with GNU wget; debian-installer/allow_unauthenticated_ssl implies
    the --no-check-certificate option (LP: #833994).
 -- Colin Watson <email address hidden> Mon, 23 Jun 2014 16:35:11 +0100

Status changed to 'Confirmed' because the bug affects multiple users.

This won't be fixed in 12.04 as it's ESM only.