[Freedombox-discuss] [Freedom Box] Finding your FB box on the network

bertagaz at ptitcanardnoir.org bertagaz at ptitcanardnoir.org
Thu Oct 14 17:47:37 UTC 2010


Got to say I find this process quite complicated actually, compared to
having a Debian installer with web installation. Even more if we had to add
some WebID support, which sounds like quite too much untested technology to me.

Actually the liveCD way as it goes will mean developing an installer,
which might not be really adapted to the upstream use cases, so that might
be a lot of dev to do and maintain (plus adding all this overhead about
the password setting), because it probably won't be merged upstream.

Plus, being part of the T(A)ILS livecd dev team [1], I know it's not that
easy to follow Debian Live's development. I'm actually not sure the
installer they work on will be available soon.

The idea to use the Debian installer was to try to use the one *already
existing* that has proven to work, and has ways to configure those
passwords.

This way to go would just mean a little dev, and possibly even less on the
long run if we try to push it in the debian installer.

That would even be quite compatible with using the debconf web interface to
set up the system.

bert.

[1] https://amnesia.boum.org

On Thu, Oct 14, 2010 at 06:41:02PM +0200, Christian Brædstrup wrote:
> 2010/10/14 Bjarni Rúnar Einarsson <bre at beanstalks-project.net>
> 
> > Your suggestion was that people plug a cable in to the box and some sort of
> > network magic took place - which initially sounded really complicated to me.
> > But if you strip out all the fancy authentication protocols, and implement a
> > "just trust the LAN on first boot" policy, then a physical cable can be the
> > recommended way to make that secure on first boot.
> >
> 
> How about if the web server only accepts local IPs during the install
> process? That should provide some security. Then you need to be on the LAN
> to access the install process or have hacked into a box that is on the
> network. Then we can advise the user to unplug the Internet during the first
> stages of the install process (but not have him only connect the two
> computers directly) and only allow one user to access the web install
> interface at a time. If more than one user tries to access the install
> interface it will just display:
> 
> One user is already connected to the device. If that is not you then you may
> have an intruder on the network. Please unplug your device, disconnect your
> Internet connection and try the installation again. If you still get this
> error go ask your son to stop it ;)
> If that is you then enter the security code you received during the
> installation.
> 
> The installation could generate a security code at install time that is only
> known to the first user on the system. Then the cracker needs to be
> physically in the building to be able to unplug the device and try again to
> get access to the device before the user.
> 
> That is so low tech that even my mother should be able to figure it out. The
> installation could have a 30 sec delay time from when the user logs in until
> the installation starts so that if an intruder should have taken over the box
> at boot he can't begin the installer for the first 30 sec and the "real"
> user can discover the intruder and disconnect the box without harming the
> system.
> This should work on both a headless and non-headless install and then all
> the WebID could be set up later (if the user wants to use it).
> 
> About the Zeroconf. Both the user and server need the software right?
> 
> Cheers,
> Christian
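
The access policy proposed in the quoted message (LAN-only access, a single claiming user, a security code, and a 30-second start delay), sketched as an added example that is not part of the original thread or of any FreedomBox code. The class and function names, the status strings, the code length and the exact list of "local" address ranges are assumptions.

```python
import hmac
import ipaddress
import secrets

START_DELAY = 30  # seconds between first login and installer start, per the proposal
# Assumed meaning of "local IPs": RFC 1918, link-local, ULA and loopback ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def is_lan_address(addr):
    """True if the TCP peer address falls in one of LAN_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d on dual-stack sockets
        ip = ip.ipv4_mapped
    return any(ip in net for net in LAN_NETS)


def _same(a, b):
    """Constant-time comparison of two code strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class FirstBootGate:
    """Hypothetical access policy for the web installer (names are illustrative)."""

    def __init__(self):
        self.code = None        # security code shown once to the first user
        self.claimed_at = None  # time of the first login, in seconds

    def connect(self, addr, now, code=None):
        """Return (status, code_to_show) for a client opening the install page."""
        if not is_lan_address(addr):
            return "refused", None
        if self.code is None:   # first LAN client claims the box
            self.code, self.claimed_at = secrets.token_hex(4), now
            return "claimed", self.code
        if code is not None and _same(code, self.code):
            return "owner", None
        return "busy", None     # caller shows the "already connected" warning

    def may_start_install(self, code, now):
        """Installer starts only for the code holder, START_DELAY after the claim."""
        if self.code is None or code is None or not _same(code, self.code):
            return False
        return now - self.claimed_at >= START_DELAY
```

The address passed to `connect` has to be the socket's peer address; a client-supplied header such as `X-Forwarded-For` would let a remote client claim to be local.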
