
Re: [school-discuss] Portable applications & VPN services

As far as booting from (USB|CD) and then securely mounting a remote /home, I 
used to use a cryptsetup file mounted as a loopback device as my home 
directory, and was able to mount it across the network or from usb stick.  

Also look into sshfs; it's on my list of things to play with, one of these 
days, and I suspect it does exactly what we are discussing.

With cryptsetup, you predetermine file size though, I suspect you may not have 
to with sshfs since you are accessing your /home directory on that server. 
So, cryptsetup is portable since it is just a file, but limited in size.  It 
all depends on what fits your purpose best.

My first Live CD, EDU-Nix version I, had an option called securestor, but it 
was not enabled - I am pretty sure I am the only person who used it. It used 
a cryptsetup file as a home dir.

It's making it easy to use on a wide basis that is quirky: what if the CD is 
off network?  So, you need to have a boot option or dialog that asks if you 
want to mount a persistent (local|remote) encrypted homedir or use a 
temporary RAM homedir.

Then, grab the server path and credentials from the user and mount the remote 
resource as home, with all the appropriate error handling - no network, login 
failed, etc. 

Continue booting with your nice shiny encrypted persistent homedir.

Actually, this was helpful, maybe it's not as tough as I first thought... Add 
on a dialog to create a cryptsetup file, and you're golden.

Attached is an rc script for my EDU-Nix Live CD I, which was Gentoo-based.  My 
commenting is not extensive (non-existent), but it reads fairly easily and 
gives an idea of the mechanics.  It just was never ready for Joe Average 
user; I used it all the time, but with a larger file than 32M. 


On Thursday 12 October 2006 05:39, Jeff Waddell wrote:
> Hey,
> On 10/11/06, Chris Gregan <cgregan@xxxxxxxxxxx> wrote:
> > Would this be something like a USB stick booting a VPN enable Linux
> > distro that would then mount a drive?
> Don't know.
> That might be easier than all the
> > programming overhead that would have to go on using a USB drive as a VPN
> > authenticator.
> Or it might be harder...probably have to try both and see :)
> I believe a discussion just happened here about a VPN
> > live CD.
> If you are referring to what I'm doing it's not even made it to a howto
> stage for public consumption.  Although I suppose one could make a
> "generic" VPN live CD there would be a great deal of security issues and
> policies to work out before you even began to go very far.
> Could this be modified to boot from USB and mount a specified
> > /home folder after setting up a VPN connection?
> Most likely...I'm currently using a modified DSL [damn small linux] image
> for what I'm doing and that fits into about 60 Meg.  I don't know if DSL
> can be modified to boot from USB and it may not be necessary if you use
> QEMU. My mind is currently churning on how this type of set up can be used
> to create secure ltsp setups...however that's only in my mind at this
> moment.
> <snip>

EDU-Nix Open Source Schoolware
Free Software for Public Schools

Version II Beta I is out!

#!/sbin/runscript
# securestor creates an encrypted home directory on a network share
# for persistent storage that is relatively secure for livecd

# testing values, replace with conf file or interactive
# (the values below are editor-added placeholders; the original
# assignments were not preserved in the posted copy)
USER_HOME_FILE="/mnt/share/securestor.img"   # container file on the mounted network share
CRYPT_NAME="securestor"                      # device-mapper name under /dev/mapper
LOOP_DEVICE="loop0"                          # loop device that backs the container file
MOUNT_POINT="/home/user"                     # where the decrypted filesystem is mounted

depend() {
	after net
}

start() {
	cd /
	if [ -f "$USER_HOME_FILE" ]; then
		ebegin "Reopening Existing Encrypted Storage File"
		# attach the file to the loop device, map it with dm-crypt, mount it
		losetup "/dev/$LOOP_DEVICE" "$USER_HOME_FILE" && \
		cryptsetup create "$CRYPT_NAME" "/dev/$LOOP_DEVICE" && \
		mount "/dev/mapper/$CRYPT_NAME" "$MOUNT_POINT"
		eend $?
	else
		ebegin "Creating New Encrypted Storage File"
		# the container size is fixed at creation time (32M here, as in the post);
		# -y makes cryptsetup ask for the passphrase twice on first use
		dd if=/dev/zero of="$USER_HOME_FILE" bs=1M count=32 && \
		losetup "/dev/$LOOP_DEVICE" "$USER_HOME_FILE" && \
		cryptsetup -y create "$CRYPT_NAME" "/dev/$LOOP_DEVICE" && \
		mke2fs "/dev/mapper/$CRYPT_NAME" && \
		mount "/dev/mapper/$CRYPT_NAME" "$MOUNT_POINT" && \
		echo "exec startkde" >> "$MOUNT_POINT/.xinitrc"
		eend $?
	fi
}

stop() {
	ebegin "Disconnecting Encrypted Storage File"
	cd /
	# tear down in reverse order: filesystem, dm-crypt mapping, loop device
	umount "$MOUNT_POINT" && \
	cryptsetup remove "$CRYPT_NAME" && \
	losetup -d "/dev/$LOOP_DEVICE"
	eend $?
}
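The boot-time flow the post sketches (ask for a persistent local or remote encrypted homedir versus a temporary RAM one, collect the server path and credentials, mount the share, open the container as /home, and fall back cleanly when there is no network or the login fails), worked through as an added POSIX sh example. This is editor-added code, not the EDU-Nix securestor script and not anything from the thread. It assumes a CIFS share holding the container file, a `DRY_RUN` switch that prints the privileged commands instead of executing them, and placeholder paths such as `/home/user` and `/mnt/securestor`; the dm-crypt "create" mode and the fixed-size container follow the post.

```shell
#!/bin/sh
# Editor-added example of the securestor decision flow; not the original rc script.
# All paths, sizes and the DRY_RUN switch are assumptions for illustration.

DRY_RUN="${DRY_RUN:-0}"
LOOP_DEVICE="${LOOP_DEVICE:-loop0}"
CRYPT_NAME="${CRYPT_NAME:-securestor}"
MOUNT_POINT="${MOUNT_POINT:-/home/user}"
CONTAINER_MB="${CONTAINER_MB:-32}"   # size is fixed when the container is created

# run: execute a privileged command, or print it instead when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# check_network: the live CD may be off the network; find out before prompting
check_network() {
    command -v ping >/dev/null 2>&1 && ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# mount_remote: mount the share that holds the container file. The password is
# handed to mount.cifs through a mode-600 credentials file, never on the command
# line, so it does not show up in the process list.
mount_remote() {
    server="$1"; share="$2"; user="$3"; pass="$4"; where="$5"
    run mkdir -p "$where" || return 1
    cred="$(mktemp)" || return 1
    chmod 600 "$cred"
    printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$cred"
    run mount -t cifs "//$server/$share" "$where" -o "credentials=$cred"; rc=$?
    rm -f "$cred"
    return $rc
}

# open_container: attach, map and mount the container; create it on first use
open_container() {
    file="$1"
    if [ ! -f "$file" ]; then
        run dd if=/dev/zero of="$file" bs=1M count="$CONTAINER_MB" || return 1
        run losetup "/dev/$LOOP_DEVICE" "$file" || return 1
        run cryptsetup -y create "$CRYPT_NAME" "/dev/$LOOP_DEVICE" || return 1
        run mke2fs "/dev/mapper/$CRYPT_NAME" || return 1
    else
        run losetup "/dev/$LOOP_DEVICE" "$file" || return 1
        run cryptsetup create "$CRYPT_NAME" "/dev/$LOOP_DEVICE" || return 1
    fi
    run mount "/dev/mapper/$CRYPT_NAME" "$MOUNT_POINT"
}

# temp_home: the RAM-only fallback the post mentions
temp_home() {
    run mount -t tmpfs -o "size=${CONTAINER_MB}m" tmpfs "$MOUNT_POINT"
}

# setup_home MODE ...: temp | local FILE | remote SERVER SHARE USER PASS [STAGING]
# Returns 0 on success, 2 when no network, 3 when the share could not be mounted
# (login failed etc.); in both failure cases a temporary home is mounted instead.
setup_home() {
    mode="$1"
    case "$mode" in
        temp)  temp_home ;;
        local) open_container "$2" ;;
        remote)
            server="$2"; share="$3"; user="$4"; pass="$5"; staging="${6:-/mnt/securestor}"
            if ! check_network "$server"; then
                echo "no network: falling back to a temporary home" >&2
                temp_home; return 2
            fi
            if ! mount_remote "$server" "$share" "$user" "$pass" "$staging"; then
                echo "login failed or share unavailable: falling back to a temporary home" >&2
                temp_home; return 3
            fi
            open_container "$staging/securestor.img"
            ;;
        *) echo "usage: setup_home temp | local FILE | remote SERVER SHARE USER PASS [STAGING]" >&2
           return 1 ;;
    esac
}

# interactive: the boot dialog; password read with echo off
interactive() {
    printf 'Home directory: [t]emporary, [l]ocal encrypted file, [r]emote encrypted file? '
    read -r choice
    case "$choice" in
        t) setup_home temp ;;
        l) printf 'Container file: '; read -r f; setup_home local "$f" ;;
        r) printf 'Server: '; read -r s; printf 'Share: '; read -r sh
           printf 'User: '; read -r u
           stty -echo; printf 'Password: '; read -r p; stty echo; echo
           setup_home remote "$s" "$sh" "$u" "$p" ;;
        *) echo "unknown choice" >&2; return 1 ;;
    esac
}

case "${1:-}" in --interactive) interactive ;; esac
```

Run it as `DRY_RUN=1 sh securestor_dialog.sh --interactive` to see the command plan without touching any devices; without `DRY_RUN` it needs root. The distinct return codes let the rc script that calls it decide whether to continue booting on the tmpfs home or stop and tell the user why.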