[K12OSN] OOserver?
Les Mikesell
les at futuresource.com
Fri Apr 16 17:53:04 UTC 2004
On Fri, 2004-04-16 at 07:59, Julius Szelagiewicz wrote:
> Les,
> allow me to elaborate on your points: 1. rsh is not so much "less
> secure", but "totally insecure" seems to describe it well.
I'm not a security expert but there are several separate issues that
someone going to the trouble to set this up should understand.
- Rsh only allows authentication based on source IP address.
  Note that NFS works this way as well and is probably
  even worse as a security risk and you probably do want
  to NFS mount the home directories onto the app server(s).
  You could minimize this risk by running a separate subnet
  server-to-server which would make it more difficult to
  spoof the source addresses from elsewhere.
- Ssh can be used to issue the commands to start the programs
  without using its X forwarding mechanism.
> 1.a to run rsh
> you need to open the access to the terminal display and keyboard. This
> may, or may not be a concern.
- The relationship between the app server and the terminal is
  approximately the same as the k12ltsp server where the
  desktop runs. I'm not sure if this uses xhost with a source
  restriction or .Xauthority in the home directory but either
  way if the home directory is available you have the same
  choices and the same risks.
> 2. the additional load caused by ssh is
> negligible compared with the load of running oo. 3. depending on the
> balance between processing power and bandwidth you can adjust ssh
> compression to taste.
For something like OO and some smallish number of clients it probably
doesn't matter. For things with more screen activity it may be as
important to offload the display bandwidth too. If you let ssh
port-forward, it will all go through the original server, where
letting the app server programs connect back directly to the terminal
does not.
---
Les Mikesell
les at futuresource.com