Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Mandos[0] does this, and allows you to configure a policy for how long the server is allowed to be offline without requiring an administrator to authorize boot. You could also cook up something for debian/ubuntu's support for embedding dropbear in the initramfs to supply a key.

0. https://wiki.recompile.se/wiki/Mandos - note that you'll probably get an SSL warning because the site uses CACert.



I am a co-author of Mandos – thanks for the plug! ☺

The canonical link is (https://www.recompile.se/mandos), which currently redirects into our MediaWiki instance.

(Regarding CACert; we are planning to move to Let’s Encrypt whenever they become available, but for now CACert is at least better than self-signed.)


I saw your talk at FOSDEM this year and Mandos was one of the biggest take-aways this year for me.


I am assuming you're morally opposed to paying $10/yr for a certificate, but why not use StartSSL and avoid what is probably a very high bounce rate?


1. The web page is not the primary entry point for the program; the Debian package is. So I don’t think the “bounce rate” is that large of a problem.

2. CAcert was chosen when the system was used for different purposes, in a different environment, by a different audience, and at a time when Debian shipped browsers with CACert’s root cert included. After that, it’s just been inertia.

3. I quote from the StartSSL F.A.Q.¹: “The Terms and Conditions of StartCom and the StartCom Certification Policy requires subscribers to provide the correct and complete personal details during registration.”. I generally don’t create accounts with external services, and as a sysadmin, I can and do run everything myself.

https://www.startssl.com/?app=25#1




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: