
Bug#1008672: debian-edu-config: Only fetch Debian Edu rootca once
On Wed, 30 Mar 2022 11:25:12 +0000 Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> With the new Debian Edu rootCA certificate (introduced with Debian Edu  
> 10) being used as a base for authorizing the relationship between  
> clients and the network server TJENER, I observe that when plugging  
> one Debian Edu machine from one Debian Edu network into some other  
> Debian Edu network the Debian Edu client machine would adjust itself  
> to the new network (update Debian-Edu_rootCA.crt) during boot time.
…
> I'd suggest going back to the previous behaviour where a notebook  
> would only attach itself to one Debian Edu TJENER on first boot and  
> from then on be only authorized to talk to the LDAP server of that  
> initial Debian Edu network it was booted in.

Currently, fetch-rootca-cert is run on bootup (or via DHCP
hooks if https://salsa.debian.org/debian-edu/debian-edu-config/-/merge_requests/22
gets merged). The script checks whether /usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
exists and is not empty and does nothing if so (see
https://salsa.debian.org/debian-edu/debian-edu-config/-/blob/7f7b819882e2fec58fd85d5d52db5248aafed48e/share/debian-edu-config/tools/fetch-rootca-cert#L28).
Isn't this already the TOFU behavior you suggest?
-- 
Guido Berhoerster
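The trust-on-first-use check discussed above, as an added illustration that is not the project's fetch-rootca-cert script: the certificate is only installed when no non-empty copy exists, and a fetched payload is only pinned if it at least looks like a PEM certificate. The destination path and the caller-supplied fetch command are assumptions so the function runs offline.

```shell
#!/bin/sh
# Added example of the TOFU behaviour for Debian-Edu_rootCA.crt; not the
# project's own script. FETCH_CMD is an assumption: any command that writes
# the CA certificate in PEM form to stdout (on a real client, a download
# from TJENER).
#
# fetch_rootca_once DEST FETCH_CMD
#   prints "kept" (pinned cert already present), "installed" or "rejected"
fetch_rootca_once() {
    dest=$1
    fetch_cmd=$2

    # TOFU: an existing, non-empty certificate is the pinned trust anchor.
    # It is never replaced, even if a different TJENER answers on the
    # network the machine is currently plugged into.
    if [ -s "$dest" ]; then
        echo kept
        return 0
    fi

    # Fetch into a temporary file first so a failed or partial download
    # never leaves an empty or truncated file at DEST.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if ! sh -c "$fetch_cmd" > "$tmp"; then
        rm -f "$tmp"
        echo rejected
        return 0
    fi

    # Sanity check before pinning: only a PEM certificate block is accepted,
    # so a captive-portal page or an empty answer is never installed as a CA.
    if ! grep -q '^-----BEGIN CERTIFICATE-----$' "$tmp" || \
       ! grep -q '^-----END CERTIFICATE-----$' "$tmp"; then
        rm -f "$tmp"
        echo rejected
        return 0
    fi

    chmod 0644 "$tmp"
    mv "$tmp" "$dest"
    echo installed
}
```

A second run against another network's certificate prints "kept" and leaves the first certificate in place, which is the behaviour the reply describes.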