[Freedombox-discuss] [Freedom Box] Finding your FB box on the network
Christian Brædstrup
linuxchristian at gmail.com
Thu Oct 14 16:41:02 UTC 2010
2010/10/14 Bjarni Rúnar Einarsson <bre at beanstalks-project.net>
> Your suggestion was that people plug a cable in to the box and some sort of
> network magic took place - which initially sounded really complicated to me.
> But if you strip out all the fancy authentication protocols, and implement a
> "just trust the LAN on first boot" policy, then a physical cable can be the
> recommended way to make that secure on first boot.
>
How about if the web server only accepts local IP's during the install
process? That should provide some security. Then you need to be on the LAN
to access the install process or have hacked into a box that is on the
network. Then we can advice the user to unplug the Internet during the first
stages of the install process (but not have him only connect the two
computers directly) and only allow one user to access the web install
interface at a time. If more the one user tries to access the install
interface it will just display:
One user is already connected to the device. If that is not you then you may
have a intruder on the network. Please unplug your device, disconnect your
Internet connection and try the installation again. If you still get this
error go ask you son to stop it ;)
If that is you then enter the security code you recived during the
installation.
The installation could generate a security code at install time that is only
known to the first user on the system. Then the cracker needs to be
physically in the building to be able to unplug the device and try again to
get access to the device before the user.
That is so low tech that even my mother should be able to figure it out. The
installation could have a 30 sec delay time from the user logs in and until
the installation starts so that if a intruder should have taken over the box
at boot he can't begin the installer for the first 30 sec and the "real"
user can discover the intruder and disconnect the box without harming the
system.
This should work on both a headless and non-headerless install and then all
the WebID could be setup later (if the user wants to use it).
About the Zeroconf. Both the user and server need the software right?
Cheers,
Christian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20101014/13699d55/attachment.htm>
More information about the Freedombox-discuss
mailing list