Subject: Re: Ian's Xkernel
To: None <port-sun3@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: port-sun3
Date: 04/10/1997 21:24:34
>>> The only thing I thing I would like to run locally is an xlock.
>> Actually, what would be really nice to add would be ssh.  [...]
> Only if it's not booting dickless.  Otherwise the keys to the kingdom
> are exposed via NFS :-)

As someone else already mentioned, this is fixable for this particular

More generally, I've been thinking about ways to do secure diskless
boot.  Obviously, the diskless machine needs some information which is
secret, either secret to just that machine or shared between that
machine and its boot server.  In the case of Suns, for example, one
could use the hostid from the idprom, or possibly the firmware password
(most ROM sets I've seen display the hostid on power-up).  The
breath-of-life packet of course must be cleartext (unless you want to
put crypto code in the ROMs, which is not feasible for an existing
machine base).  But that packet can simply have the machine ask for its
_real_ breath-of-life packet, which is sent encrypted; only a machine
that can decrypt that packet will then be able to complete the boot

To prevent certain types of attacks, the secret should be used to
encrypt nothing but session keys, or to reduce exposure even further
(by providing less traffic), to encrypt nothing but key-exchange keys.

Based on a scheme such as this, I believe it would be possible to build
a diskless setup in which nothing more sensitive that the initial
RARP/bootp exchange and a little secure-boot code ever hit the wire in
the clear.  (No, I haven't tried it.  I'd love to, but unless/until I
find someone willing to pay me to, I probably won't find the time.)

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B