Supports network authentication? #24

Open
darshans2021 opened this issue Sep 10, 2021 · 13 comments
Comments

@darshans2021

Is this PBA network enabled? I mean, does it support network authentication?

@ladar
Owner

ladar commented Mar 30, 2022

Hi @darshans2021 no this PBA is not network enabled. In fact one of the changes I made when I forked, was explicitly disabling network support while booted into the PBA environment.

Personally, I wanted a standalone PBA, which makes more sense for an individual looking to protect their personal computer from others. Network enabled PBAs, on the other hand, make more sense in an enterprise setting, where the IT department might want to provide remote assistance, or for servers located in a data center, which might need to be unlocked remotely after a power loss.

What I found, at least when I looked 2 years ago, was the various commercial implementations catered to the latter use cases. For an individual, who doesn't need network support, these features are a liability.

That said, I would welcome a pull request which adds remote unlock support via the network, if implemented properly. And one of the requirements would be generating distinct PBA images, which include network support, and images which don't. That would allow users to install the image appropriate for their needs.

There is a fork floating around where someone added remote access support, but it was tied to having a specific network topology and couldn't be disabled. I think there were other issues, like the ability to silently submit passwords remotely, without warning/logging invalid attempts to a console. There is also the issue of making extra sure someone who does log in remotely can't crash the authenticator, or escape out of it, and then subsequently intercept keystrokes supplied via the console (presumably by the legitimate owner).

@ladar
Owner

ladar commented Mar 30, 2022

@darshans2021 see issue #10 in this repo.

@darshans2021
Author

Thanks for the reply. If you have any idea how to add network capability through WiFi to the PBA image: should I change the buildroot .config file to select the network packages that I want for WiFi access in the PBA?

@darshans2021
Author

darshans2021 commented Mar 30, 2022

In your code, in the opalSedutil -> buildroot -> 64_bit -> .config file:
How did you generate that file with buildroot? Can I change buildroot according to my needs and paste my buildroot, with the default configuration plus the newly added network configuration, into your code?

@ladar
Owner

ladar commented Mar 30, 2022

Yes, you would enable the kernel modules/drivers needed to support network devices (I probably disabled any kernel modules/drivers I ran across for network support), and then add an init script which configures any network interfaces found during boot. (The change I made was removing the default network init script so this doesn't happen, even if network hardware is recognized by some driver/kernel module that I overlooked.) You would also need an init script which starts an SSH server (or some other remote access tool), which could then bind/listen on the network interfaces set up by the previous step. There is probably a default init script you can start with.

Then, at least in theory, if any users connect to this daemon, they should presumably be dropped into a restricted shell (aka rshell) which automatically runs the authenticator, disconnecting the remote user if/when the authenticator exits. From there it's pretty obvious, but the input would be provided by a remote user, instead of via the physical console.

I don't recall if there is already an SSH server available in the current images, or if I removed it, in which case you would need to make a config change so an SSH server is included. I think BusyBox does have a telnet daemon you could enable/use (although I certainly don't recommend it) but I don't know if it also provides SSH. If not, which is my guess, then it will probably allow you to enable an external implementation which would then be downloaded, compiled, and included with the PBA image.
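The flow ladar sketches above (remote user lands directly in the authenticator, is disconnected when it exits, and every attempt is visible on the physical console) written out as an added example. This is not code from the sedutil repo or from the fork mentioned earlier; it is implemented as an sshd forced command rather than a true restricted shell, which gives the same effect because the remote user never reaches a prompt. Assumptions not stated in the thread: an OpenSSH server inside the PBA image with `ForceCommand /sbin/pba-remote-shell.sh`, the authenticator binary at `/sbin/linuxpba`, and a writable `/dev/console`.

```shell
#!/bin/sh
# pba-remote-shell.sh: sshd forced-command wrapper for a network-enabled PBA.
#
# Added example, not code from the sedutil repo. Assumed (not stated in the
# thread): the authenticator lives at /sbin/linuxpba, sshd runs inside the PBA
# image with "ForceCommand /sbin/pba-remote-shell.sh", and /dev/console is
# writable so the owner sitting at the machine sees every remote attempt.

PBA_AUTHENTICATOR="${PBA_AUTHENTICATOR:-/sbin/linuxpba}"   # assumed path
PBA_CONSOLE="${PBA_CONSOLE:-/dev/console}"                 # assumed device

# Append one timestamped line to the console log. Returns non-zero if the
# console cannot be written, which the caller treats as a reason to refuse.
pba_log() {
    printf '%s pba-remote: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" >> "$PBA_CONSOLE"
}

# Client address, taken from the SSH_CONNECTION variable sshd sets
# ("client_ip client_port server_ip server_port"); "unknown" if absent.
pba_peer() {
    peer="${SSH_CONNECTION%% *}"
    printf '%s\n' "${peer:-unknown}"
}

# One remote unlock session: run the authenticator, log the outcome, and
# return its exit status. Returning ends the forced command, so sshd closes
# the connection; the remote user never gets a shell.
#   $1 = authenticator path (default $PBA_AUTHENTICATOR)
#   $2 = console log path   (default $PBA_CONSOLE)
pba_remote_session() {
    auth="${1:-$PBA_AUTHENTICATOR}"
    PBA_CONSOLE="${2:-$PBA_CONSOLE}"
    peer="$(pba_peer)"

    # Fail closed: if attempts cannot be shown on the console, refuse.
    if ! pba_log "remote unlock session from $peer started"; then
        return 3
    fi

    # With ForceCommand in place, anything the client asked to run
    # ("ssh host somecmd") arrives here instead; refuse it and log it.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        pba_log "rejected command from $peer: $SSH_ORIGINAL_COMMAND"
        return 2
    fi

    # Ctrl-C / Ctrl-Z / hangup must not kill this wrapper and leave the
    # session in a state where the remote user could reach a shell.
    trap '' INT QUIT TSTP HUP

    rc=0
    "$auth" || rc=$?
    if [ "$rc" -eq 0 ]; then
        pba_log "remote unlock from $peer succeeded"
    else
        pba_log "remote unlock from $peer FAILED (authenticator exit $rc)"
    fi
    return "$rc"
}

# Run the session only when executed under this file name (the ForceCommand
# case). Sourcing the file, e.g. from a test, just defines the functions.
if [ "${0##*/}" = "pba-remote-shell.sh" ]; then
    pba_remote_session
    exit $?
fi
```

Pair this with `AllowTcpForwarding no`, `X11Forwarding no`, `PermitUserEnvironment no` and `PermitTTY yes` in sshd_config so the forced command is the only thing a connecting key can do; the same restriction can be expressed per key in authorized_keys as `command="/sbin/pba-remote-shell.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding`. The wrapper only controls what the remote user can run; the separate concern ladar raises, that the authenticator itself must not be crashable or escapable by remote input, still has to be handled inside the authenticator.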

@darshans2021
Author

Thanks, Ladar team. So I can make my own buildroot with network packages and add it to the existing PBA code at this destination:
images/buildroot

@ladar
Owner

ladar commented Mar 30, 2022

@darshans2021 you should fork this repo, and then make your changes. If you want to submit your implementation back to this repo so others can benefit from, and improve upon, it, you should create a new set of buildroot configs (which can initially be copies of the current configs). You'll then want to tweak the build script so it also compiles these new images, which would be in addition to the current ones. These new images would then be separate from the existing, standalone PBA images, and should be the only ones which provide network support. This allows users to decide which one they want.

@darshans2021
Author

Thanks for the reply. One last question: how did you make this "images/buildroot -> 64 -> .config" file?

@ladar
Owner

ladar commented Mar 31, 2022

It's been a long time. But I think it's the file created or modified so I could override the BusyBox build configuration. I want to say that's because the BB config doesn't get created until the build scripts clone the BB repos. So there needed to be a file I could edit, which then overwrites the file that gets created by the repo clone.

Of course I could be completely wrong about everything I just said.

@darshans2021
Author

Hi, I have added the network package to the PBA and built the image with the buildUEFI script, but when I boot from it, it shows me the following error:
loading bzImage ..ok
Loading rootfs.cpio.xz ..ok failed to readblock 0x7

Please help me with this. I don't know why this error occurred; is it because the size of the rootfs increased when adding the network package?

@ladar
Owner

ladar commented Apr 26, 2022

@darshans2021 without knowing what changes you made, I can't even begin to help. You might want to open a PR to this repo so we can both see/edit the changes...

@darshans2021
Author

@ladar I have added network packages in buildroot like WPA_Supplicant, USBModeswitch, network and the related drivers. What I actually did is that I downloaded buildroot 2019.02.06, did make menuconfig, selected the default packages that are present in your .config file and the network packages like the above, and with that it creates the .config file, so I replaced your .config file with mine and ran buildPBAroot and then buildUEFI64 to make an image and then loaded it onto the SSD. At boot time I got the error below:

loading bzImage ..ok
Loading rootfs.cpio.xz ..ok failed to readblock 0x7
(attached photo of the boot screen: IMG_6327)

@ladar
Owner

ladar commented Apr 26, 2022

@darshans2021 I'd have to look at the files you changed, and then possibly look at the build output. Most of the BusyBox build output is hidden, as I recall. There are other steps as well. And it could also be your environment. Are you building it inside the Vagrant box provided with the repo?
