Re: cgd and remote keys

[Curt Sampson <cjs%starling-software.com@localhost>]

Thanks for all of your helpful replies. I'm glad people think that this is
a worthwhile idea.

On 2008-01-02 13:43 -0800 (Wed), Erik Berls wrote:

> I'm thinking we might want to take a step back and look at a general
> key storage and distribution mechanism for these types of things
> within NetBSD....

Well, it's definitely a good idea to generalize where you can, but I'm
not sure that I see a lot of generality here. There are many different
ways to do this key distribution thing for various purposes, and many
of them (such as getting web server SSH keys) are outside of the base
system. However, I'm open to thoughts on this.

On 2007-12-31 03:25 -0700 (Mon), John R. Shannon wrote:

> An approach used in military applications is to keep a symmetric key on your 
> server with encrypted storage that is used only for key encryption. This is 
> usually called a "cryptographic ignition key".

This is an understandable approach, but it seems to me that the same
level of security is achieved merely by having the server provide part
of the key and the local client provide another part; thus, if the
server's part of the key is stolen, it alone can't be used to decrypt
anything, either. (I'm sorry I didn't say so explicitly in my previous
post, but I was assuming that this would almost invariably be the way
the system would be configured.)

On 2007-12-31 17:16 +0000 (Mon), David Holland wrote:

> This suggests that the mechanism inside cgdconfig should maybe be a
> simple callout, so that different key-fetching scripts can be used.

On 2007-12-31 22:39 +0100 (Mon), Hubert Feyrer wrote:

> Maybe use a command that prints the key to stdout, then use something like 
> "ssh server cat keyfile"?

Ah, now this idea makes good sense; just add to cgdconfig a keying
scheme that uses the result of an arbitrary shell command as the key
material. Then you could use ftp(1), ssh(1), netcat(1), or whatever else
you liked. You could even use Alan Barrett's idea of starting a web
server that waits for someone to enter the key.

Is there any downside to this?

On 2008-01-02 15:22 -0800 (Wed), Cem Kayali wrote:

> Just additional note, it is possible to store /etc/cgd/* content on usb
> memory, already tested. You just need to add a line into /etc/fstab. 

I understand this. Unfortunately, it doesn't solve my problem, since the
USB memory is likely to be stolen along with the machine.

> Although this does not allow you to enable remote reboot, it is much more
> secure than storing cgd key on / partition.

In my case, since what's stored on / is only part of the key, it seems
to me to make little difference.

cjs
-- 
Curt Sampson       <cjs%starling-software.com@localhost>        +81 90 7737 
2974   
Mobile sites and software consulting: http://www.starling-software.com