
Bug#1008672: debian-edu-config: Only fetch Debian Edu rootca once



Control: close -1

Hi Guido,

On Wed 06 Sep 2023 11:31:57 CEST, Guido Berhoerster wrote:

> On Wed, 30 Mar 2022 11:25:12 +0000 Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
>> With the new Debian Edu rootCA certificate (introduced with Debian Edu
>> 10) being used as a base for authorizing the relationship between
>> clients and the network server TJENER, I observe that when plugging
>> one Debian Edu machine from one Debian Edu network into some other
>> Debian Edu network the Debian Edu client machine would adjust itself
>> to the new network (update Debian-Edu_rootCA.crt) during boot time.
>> I'd suggest going back to the previous behaviour where a notebook
>> would only attach itself to one Debian Edu TJENER on first boot and
>> from then on be only authorized to talk to the LDAP server of that
>> initial Debian Edu network it was booted in.
>
> Currently, fetch-rootca-cert is either run on bootup (or via DHCP
> hooks if https://salsa.debian.org/debian-edu/debian-edu-config/-/merge_requests/22 gets merged). The script checks whether /usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
> exists and is not empty and does nothing if so (see
> https://salsa.debian.org/debian-edu/debian-edu-config/-/blob/7f7b819882e2fec58fd85d5d52db5248aafed48e/share/debian-edu-config/tools/fetch-rootca-cert#L28).
> Isn't this already the TOFU behavior you suggest?
> --
> Guido Berhoerster

The current status looks good and it seems it has been around for more than two years.

So, closing this one.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgp8J7gvwzzZM.pgp
Description: Digital PGP signature
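
The trust-on-first-use behaviour discussed in this thread, as an added sketch that is not part of the original mails and is not the debian-edu-config script: a non-empty pinned certificate file is never overwritten. The function names, return codes and the fingerprint comparison that reports a differing certificate are assumptions added here and go beyond what the thread describes; the candidate file stands in for whatever certificate the client was offered.

```shell
#!/bin/sh
# Added illustration of trust-on-first-use (TOFU) pinning of a root CA file.
# Hypothetical helper names; not taken from fetch-rootca-cert.

# fingerprint FILE: print the SHA-256 digest of the file contents
fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# tofu_pin PINNED CANDIDATE
#   0: no usable pin existed, CANDIDATE was installed as PINNED (first use)
#   1: a pin exists and CANDIDATE is absent, empty or identical (nothing done)
#   2: a pin exists and CANDIDATE differs (pin kept, mismatch reported)
#   3: no pin exists and CANDIDATE is missing or empty (nothing installed)
tofu_pin() {
    pinned=$1
    candidate=$2
    if [ -s "$pinned" ]; then
        # An existing, non-empty pin is never replaced.
        if [ -s "$candidate" ] &&
           [ "$(fingerprint "$pinned")" != "$(fingerprint "$candidate")" ]; then
            echo "rootCA mismatch, keeping pin $(fingerprint "$pinned")" >&2
            return 2
        fi
        return 1
    fi
    # Missing or empty pin: only a non-empty candidate may become the pin.
    [ -s "$candidate" ] || return 3
    # Write to a temporary name first so a partial copy never becomes the pin.
    tmp="$pinned.tmp.$$"
    cp "$candidate" "$tmp" && mv "$tmp" "$pinned"
}
```

Return code 2 is the case from the original report: a client that already pinned one network's rootCA is offered a different one, and the pin stays in place.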

