userdoc pages added
links in online documentation fixed
remove some service links (rc scripts) during "config" (cb-build.sh)
master
parent
e156f699d1
commit
645445d95c
@ -0,0 +1,80 @@
<a id="top"></a>
<p><em>This is a first overview of the <a href="/cryptobox?action=show_doc&page=CryptoBox">CryptoBox</a> Live-CD. We apologize for publishing the documentation atm in german only. We started the <a href="/cryptobox?action=show_doc&page=CryptoBox">CryptoBox</a> project for a german speaking association. For now we're deeply into bringing this CD up and running, so we prefer coding than translating docs ;). Sorry!</em> </p>
<p><em>Feel free to start a translation in this wiki. Otherwise just be patient a few weeks. (it's 12th of july as i'm writing)</em> </p>

<h3 id="head-bcd3c71e6cd0adb01302f5903f235299682ae28a">Overview</h3>

<p>The <a href="/cryptobox?action=show_doc&page=CryptoBox">CryptoBox</a> is a Debian/Linux based live-cd. This CD boots up, starting a secure fileserver. Even non-technical users are able to store their data on its encrypted harddisk. There is no special knowledge about cryptgraphy or servers required at all. </p>

<h3 id="head-06e39b97d2b48d950da32608efa367371bb0a9cc">Specs</h3>

<div>
<table>
<tr>
<td>
<p>system</p>
</td>
<td>
<p>Debian/Linux based Live-CD</p>
</td>
</tr>
<tr>
<td>
<p>needed hardware</p>
</td>
<td>
<p> "outdated" PC (i386 p1-100 32MB RAM minimum)</p>
</td>
</tr>
<tr>
<td>
<p>supported clients</p>
</td>
<td>
<p><a class="interwiki" title="WikiPedia" href="http://en.wikipedia.org/wiki/Operating_System"><img src="/moin-base/greenthumb/img/moin-inter.png" alt="[WikiPedia]" height="16" width="16">*nix; *bsd; Windows; Mac OS</a></p>
</td>
</tr>
<tr>
<td>
<p>internal fileserver</p>
</td>
<td>
<p><a class="external" href="http://samba.org"><img src="/moin-base/greenthumb/img/moin-www.png" alt="[WWW]" height="11" width="11"> samba</a> (Networkshares)</p>
</td>
</tr>
<tr>
<td>
<p>userinterface</p>
</td>
<td>
<p>fully remote controlled via webbrowser (Perl,https interface)</p>
</td>
</tr>
<tr>
<td>
<p>encryption</p>
</td>
<td>
<p><a class="interwiki" title="WikiPedia" href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard"><img src="/moin-base/greenthumb/img/moin-inter.png" alt="[WikiPedia]" height="16" width="16">AES</a> via device-mapper</p>
</td>
</tr>
</table>
</div>

<h3 id="head-8d738f62cb1a70005c64de686c424efe89f07ad2">Development</h3>

<p>Browse the source code in the <a class="interwiki" title="SubVersion" href="/websvn/cryptobox"><img src="/moin-base/greenthumb/img/moin-inter.png" alt="[SubVersion]" height="16" width="16">CryptoBox-websvn</a> </p>

<h3 id="head-f5510e22bd4e832da55c40e1e95886a46fc05b7e">TODO</h3>

<p>Read more about the <a href="/cryptobox?action=show_doc&page=CryptoBox">CryptoBox</a> in german or try kind of a babelfish. </p>
<a id="bottom"></a>

</div>
<p id="pageinfo" class="info" lang="en" dir="ltr">last edited 2005-07-25 12:50:07 by <span title=""></span></p>

</div> <!-- end page -->
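Review bot: the fragment is not well-formed on its own: it closes two `</div>` elements (the `</div>` just before the pageinfo paragraph and `</div> <!-- end page -->`) whose openers are not in this file, the only `<div>` opened here being the one around the specs table; either drop the two trailing closers or add the wrapping openers above `<a id="top"></a>`. Smaller points: the `&` in the `/cryptobox?action=show_doc&page=CryptoBox` hrefs should be written `&amp;` inside an attribute, the pageinfo line ends with an empty `<span title=""></span>` where the editor name belongs, and "cryptgraphy" in the overview paragraph is a typo. The specs row "AES via device-mapper" is the one line a user reads to judge what the box protects; either name the key size and mode here or link the spec page where that is decided.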
@ -0,0 +1,342 @@
<a id="top"></a>
<ol>

<li>
<a href="#head-5ed902c46ecec30abecc26fdcd3571661e1e2a45">Allgemeines</a>
<ol>

<li>
<a href="#head-2ee2a633402e09cd9bb956d6c73ad9b088206eab">Zieleigenschaften</a>
</li>

<li>
<a href="#head-a7956f960cfe72128ad4cf88f2a0605cb499fa40">Zielgruppe</a>
</li>

<li>
<a href="#head-4fefceadc6642bb8cd44d7308040f968b855e79c">Auslieferungsformen</a>
</li>

</ol>

<li>
<a href="#head-40253d66b9a6db89547453b5453e795a3361afc0">Dienste</a>
<ol>

<li>
<a href="#head-9dc7b4d5d46187d6420a41a42193dc91d464c24d">webinterface</a>
</li>

<li>
<a href="#head-b618d1664742249c31eb99c067de8ae8bc6bbde1">Samba</a>
</li>

<li>
<a href="#head-ebabfe595d80837be2d98d956b2ef22c259bc2f2">cups [optional]</a>
</li>

</ol>

<li>
<a href="#head-7f6469d2c5fb67ffd47693c7ab76b3e98bdf28ff">Kommunikationssicherheit</a>
<ol>

<li>
<a href="#head-bc34afcd3fbcd91e984610f0006ac181b327d114">Varinate A - Dienste verlangen Zertifikate einer CA</a>
</li>

<li>
<a href="#head-b4ffedcc87fc9030c6577a496492a2a85ee9786b">Variante B - ipsec</a>
</li>

<li>
<a href="#head-199b22790e295d0d08684accc025578ce7a9bc0d">Variante C - ssl+iptables</a>
</li>

</ol>

<li>
<a href="#head-89fe76b7643132073e3d24bf3811dfae9d5aed12">Sicherheit</a>
<ol>

<li>
<a href="#head-904d67346f079ee3d0e9346041948da842cafeba">physisch</a>
</li>

<li>
<a href="#head-606edd4fcd331cf4a2bc2cce8b58c6bf7fbb9c97">DAU-Abschirmung</a>
</li>

<li>
<a href="#head-9eed32e533f43900f9ba900afffe739f924af336">system</a>
</li>

<li>
<a href="#head-df9e59f7b1b0b5b81c9d3e6d7a239a26e0a2d057">pw aendern</a>
</li>

</ol>

<li>
<a href="#head-340d5b44acfff8e0df2ce3778e2b351b562ac438">Doku</a>
</li>

<li>
<a href="#head-ebb84d9adc7e81c694ed7dc4cf30a8affb4d972a">Nerd-Pride</a>
</li>

</ol>
<p> </p>
<hr class="hr1">
<p> </p>

<h2 id="head-5ed902c46ecec30abecc26fdcd3571661e1e2a45">Allgemeines</h2>


<h3 id="head-2ee2a633402e09cd9bb956d6c73ad9b088206eab">Zieleigenschaften</h3>

<ul>
<li><p> Daten sind in ausgeschaltetem Zustand geschützt </p>
</li>
<li><p> Netz gilt als relativ begrenzt und sicher </p>
<ul>
<li><p> kaum Schutz vor Hackern im lokalen Netz </p>
</li>
</ul>
</li>
<li><p> Schutz vor Einbrechern/Hausdurchsuchung </p>
</li>
<li><p> einfache Hardware genuegt (ab 586) </p>
</li>
<li><p> eine grosse Festplatte </p>
</li>
<li><p> (un)mounten ueber einfaches web-interface (mit ssl) </p>
</li>
<li><p> anwenderfreundlich </p>
</li>
</ul>

<h3 id="head-a7956f960cfe72128ad4cf88f2a0605cb499fa40">Zielgruppe</h3>

<ul>
<li><p> untechnische Gruppen mit gesunder Paranoia </p>
</li>
<li><p> keine Vorkenntnisse über Server und Kryptografie notwendig </p>
</li>
<li><p> für Einzelpersonen wegen Energiebedarf wohl eher ungeeignet </p>
</li>
<li><p> alle dürfen es nutzen - Support nur für die Guten </p>
</li>
</ul>

<h3 id="head-4fefceadc6642bb8cd44d7308040f968b855e79c">Auslieferungsformen</h3>

<ul>
<li><p> Live-CD + einfache Benutzeranleitung (för ölle) </p>
</li>
<li><p> komplette Entwicklungsdokumentation (för säminörds) </p>
</li>
<li><p> Verweis auf die man-page von <em>dmsetup</em> (för nörds) </p>
</li>
</ul>
<hr>
<p> </p>

<h2 id="head-40253d66b9a6db89547453b5453e795a3361afc0">Dienste</h2>


<h3 id="head-9dc7b4d5d46187d6420a41a42193dc91d464c24d">webinterface</h3>

<ul>
<li><p> Aufgaben: </p>
<ul>
<li><p> (un)mounten </p>
</li>
<li><p> MAC-Liste setzen </p>
</li>
<li><p> Ausschalt-Knopf </p>
</li>
<li><p> Neu-Initialisierung einer Datenfestplatte </p>
</li>
<li><p> Durchführung eines Backups </p>
<ul>
<li><p> tar durch ccrypt schicken mit einem per webinterface eingetippten Passwort </p>
</li>
<li><p> eventuell Datei splitten falls größer als [hier beliebige Schwelle einsetzen, z.B.: 650MB] </p>
</li>
<li><p> Ergebnisse sind über samba erreichbar </p>
</li>
</ul>
</li>
</ul>
</li>
</ul>

<h3 id="head-b618d1664742249c31eb99c067de8ae8bc6bbde1">Samba</h3>

<ul>
<li><p> gast-Freigabe ohne Passwort </p>
</li>
</ul>

<h3 id="head-ebabfe595d80837be2d98d956b2ef22c259bc2f2">cups [optional]</h3>

<ul>
<li><p> Druckerdienst (zumindest braucht lobbi das) </p>
<ul>
<li><p> das is aber nich originol </p>
</li>
</ul>
</li>
</ul>

<h2 id="head-7f6469d2c5fb67ffd47693c7ab76b3e98bdf28ff">Kommunikationssicherheit</h2>


<h3 id="head-bc34afcd3fbcd91e984610f0006ac181b327d114">Varinate A - Dienste verlangen Zertifikate einer CA</h3>

<ul>
<li><p> alle Clients bekommen Zertifikate </p>
</li>
<li><p> die CA liegt auf der crypto-partition </p>
</li>
<li><p> per webinterface koennen neue Zertifikate erzeugt werden </p>
<ul>
<li><p> fuehlt sich komisch an, muss aber wohl sein - Alternativen? [l] </p>
</li>
</ul>
</li>
<li><p> http und samba gibt es nur mit einem korrekten Zertifikat der CA </p>
</li>
</ul>

<h3 id="head-b4ffedcc87fc9030c6577a496492a2a85ee9786b">Variante B - ipsec</h3>

<ul>
<li><p> racoon als Schluesselserver </p>
</li>
<li><p> Vorteile: </p>
<ul>
<li><p> Verschluesselung fuer alle Dienste ohne basteln </p>
</li>
<li><p> wird von Windows unterstuetzt </p>
</li>
</ul>
</li>
<li><p> Nachteile: </p>
<ul>
<li><p> für die Labor-wlan-Verbindung war es nicht brauchbar - mystische Ausfaelle </p>
</li>
</ul>
</li>
</ul>

<h3 id="head-199b22790e295d0d08684accc025578ce7a9bc0d">Variante C - ssl+iptables</h3>

<ul>
<li><p> stunnel macht den Webserver ssl-faehig </p>
</li>
<li><p> samba gibt es auch mit ssl - muss aber vielleicht auch nicht </p>
</li>
<li><p> die MACs der clients müssen freigechaltet werden - iptables </p>
</li>
</ul>

<h2 id="head-89fe76b7643132073e3d24bf3811dfae9d5aed12">Sicherheit</h2>


<h3 id="head-904d67346f079ee3d0e9346041948da842cafeba">physisch</h3>

<ul>
<li><p> Kernel ohne Konsole konfigurieren </p>
</li>
<li><p> Grafikkarte ausbauen </p>
<ul>
<li><p> langfrist </p>
</li>
</ul>
</li>
<li><p> Tastatur-Port kurzschließen <img src="/moin-base/modern/img/smile.png" alt=":)" height="15" width="15"> </p>
</li>
</ul>

<h3 id="head-606edd4fcd331cf4a2bc2cce8b58c6bf7fbb9c97">DAU-Abschirmung</h3>

<ul>
<li><p> timeout von 60 Minuten - danach samba beenden, crypto unmounten und abschalten </p>
<ul>
<li><p> Problem: smb-broadcasting-muell wird staendig hin- und herfliegen ... [l] </p>
</li>
<li><p> Lösung: herausfinden, welche Ports echten Datenverkehr darstellen </p>
</li>
</ul>
</li>
</ul>

<h3 id="head-9eed32e533f43900f9ba900afffe739f924af336">system</h3>

<ul>
<li><p> kein ssh </p>
</li>
<li><p> root ohne gueltigen Passworteintrag </p>
</li>
<li><p> eine systempartition (ro) </p>
</li>
<li><p> eine fette daten partition </p>
</li>
</ul>

<h3 id="head-df9e59f7b1b0b5b81c9d3e6d7a239a26e0a2d057">pw aendern</h3>

<ul>
<li><p> was machen wenn jemand das kennwort geschnappt hat? </p>
<ol type="1">
<li><p>ein Backup der Daten erstellen lassen </p>
</li>
<li><p>die crypto-Platte neu initialisieren </p>
</li>
<li><p>das Backup wieder einspielen - im Idealfall natuerlich mit unserem crypto-Backup-Skript <img src="/moin-base/modern/img/smile.png" alt=":)" height="15" width="15"> </p>
</li>
</ol>
</li>
</ul>

<h2 id="head-340d5b44acfff8e0df2ce3778e2b351b562ac438">Doku</h2>

<ul>
<li><p> jeder Schritt der Erstellung wird per Shell-Skript reproduzierbar gemacht </p>
</li>
<li><p> Ziel: System ohne Unsicherheit, notfalls jedesmal neu bauen lassen <img src="/moin-base/modern/img/smile.png" alt=":)" height="15" width="15"> </p>
</li>
<li><p> Nutzerdoku in ein Wiki </p>
</li>
<li><p> beides in ein svn-repos </p>
</li>
</ul>

<h2 id="head-ebb84d9adc7e81c694ed7dc4cf30a8affb4d972a">Nerd-Pride</h2>

<ul>
<li><p> Erkennung der Netzwerk-Hardware </p>
<ul>
<li><p> damit wir keine vorkonfigurierten Komplettrechner ausliefern müssen </p>
</li>
<li><p> bei Knoppiix abgucken </p>
</li>
</ul>
</li>
<li><p> Led, die den crypto-Status anzeigt </p>
</li>
<li><p> externer Abschalter (sanft!) für nicht-atx </p>
</li>
</ul>
<a id="bottom"></a>

</div>
<p id="pageinfo" class="info" lang="en" dir="ltr">last edited 2005-07-07 17:18:29 by <span title=""></span></p>

</div> <!-- end page -->
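Review bot: the Kommunikationssicherheit section lists three variants (A: CA certificates, B: ipsec, C: ssl+iptables) without recording which one was chosen, and the choice matters elsewhere in this file: the Samba section specifies a "gast-Freigabe ohne Passwort", which fits C but contradicts Variante A's "http und samba gibt es nur mit einem korrekten Zertifikat der CA". State the decision in the text; if it is C, keep the Zieleigenschaften caveat "kaum Schutz vor Hackern im lokalen Netz" right next to it, because the iptables MAC allow-list only narrows which LAN hosts reach the guest share and the share itself has no password. The 60-minute timeout under DAU-Abschirmung is still open ([l]) on how "echten Datenverkehr" is told apart from SMB broadcasts; that rule should be written down before the timeout is relied on to unmount. Typos: "Varinate A" in both the TOC and the heading, "freigechaltet", "Knoppiix". The file also ends with the same two unmatched `</div>` closers as the overview page.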