-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
adam bultman wrote:
> Hardly news, hardly news at all. It was "news" to that guy in 2007, but
> when I started using linux in ~1998, it wasn't really news then, either.
> (it was just harder with the lack of live CDs and bootable USB thumb
> drives.) It applies pretty much to any distro of linux, and at least
> solaris (since I use that, too.) It be assumed that it applies to *BSD
> as well.
>
Yeah, definitely not news, but it does underscore the reality that some
distros (strangely enough) still do not automatically offer to set the
MD5 password for you during GRUB installation.
> The grub password is hardly a protection either, since I could pop in a
> boot cd, get a shell, mount your drives, change your password, reboot,
> and have root. But as soon as I mount your drives, I've got you.
>
> Want to avoid all that? Encrypt all your drives, but then you can't
> reboot your box remotely and have it come up, it'll ask you for that
> pesky password.
>
GRUB password + BIOS lockout + disabling CD boot at least ensures that
they won't be able to get into your system without cracking open the
hardware case. But hard drive encryption is definitely the best
solution, in my ever so humble opinion.
Regarding the remote reboot problem: I wonder if anyone has ever thought
of some way around that. I mean, if it is possible to enter a password
at the terminal during boot time, then could there not possibly be some
way to do it remotely? Perhaps we could somehow wrap a small ssh server
into the initramfs, so that when the kernel booted and cryptsetup was
run, it also could receive the password over the network.
That obviously wouldn't work for systems that needed to reboot
/immediately,/ like a lot of servers, but for everything else it would
save some inconvenience. What made me think of it was the Debian
net-install CD, which has an option during install to transfer the
installation process over to SSH so the installation can be completed
remotely.
Thoughts anyone?
- --
Christopher Howard
http://indicium.us
http://theologia.indicium.us
I digitally sign /all/ of my e-mails via PGP. If you receive any e-mails
supposedly from me without my valid PGP signature, please take
additional steps to verify the authenticity of the message.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkqLlssACgkQQ5FLNdi0BcXQCwCeORuoCKVyVkYCNaHJambM8hx2
SL0AoI8GZQQltKDG3AraKsSOr+WICGGd
=sFJ9
-----END PGP SIGNATURE-----
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Aug 18 22:08:26 2009
This archive was generated by hypermail 2.1.8 : Tue Aug 18 2009 - 22:08:26 AKDT