[K12OSN] OOserver?

Les Mikesell les at futuresource.com
Fri Apr 16 17:53:04 UTC 2004


On Fri, 2004-04-16 at 07:59, Julius Szelagiewicz wrote:
> Les,
> Allow me to elaborate on your points: 1. rsh is not so much "less
> secure", but "totally insecure" seems to describe it well.

I'm not a security expert but there are several separate issues that
someone going to the trouble to set this up should understand.

 - Rsh only allows authentication based on source IP address.
   Note that NFS works this way as well and is probably
   even worse as a security risk and you probably do want
   to NFS mount the home directories onto the app server(s).
   You could minimize this risk by running a separate subnet
   server-to-server which would make it more difficult to
   spoof the source addresses from elsewhere.

 - Ssh can be used to issue the commands to start the programs
   without using its X forwarding mechanism.

> 1.a To run rsh
> you need to open the access to the terminal display and keyboard. This
> may or may not be a concern.

 - The relationship between the app server and the terminal is
   approximately the same as the k12ltsp server where the
   desktop runs.  I'm not sure if this uses xhost with a source
   restriction or .Xauthority in the home directory but either
   way if the home directory is available you have the same
   choices and the same risks.

> 2. The additional load caused by ssh is
> negligible compared with the load of running oo. 3. Depending on the
> balance between processing power and bandwidth you can adjust ssh
> compression to taste.

For something like OO and some smallish number of clients it probably
doesn't matter.  For things with more screen activity it may be as
important to offload the display bandwidth too.  If you let ssh
port-forward, it will all go through the original server, where
letting the app server programs connect back directly to the terminal
does not.

---
  Les Mikesell
   les at futuresource.com
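
Added example, not part of the original message: a small shell check for the question raised above of whether a terminal's X display is using xhost with a source restriction or relying on .Xauthority. It classifies the text that `xhost` prints; the function name `classify_xhost` and the sample host name are constructed for illustration, and the status-line wording is assumed to match the standard X.Org `xhost` client.

```shell
#!/bin/sh
# classify_xhost: read `xhost` output on stdin and print one word:
#   open       - access control disabled, any host may connect
#   host-list  - access control enabled, but network hosts are trusted
#                purely by source address (the same trust model as rsh)
#   xauth-only - access control enabled and no network host entries, so a
#                remote client needs an authorization record such as an
#                .Xauthority cookie
#   unknown    - no recognisable status line
classify_xhost() {
    state=unknown
    hosts=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) state=open ;;
            "access control enabled"*)  state=enabled ;;
            SI:localuser:*|LOCAL:*)     : ;;  # local entries, not network hosts
            "")                         : ;;
            *)                          hosts=$((hosts + 1)) ;;  # INET:, INET6:, SI:hostname: or a bare host name
        esac
    done
    case "$state" in
        open)    echo open ;;
        enabled) if [ "$hosts" -gt 0 ]; then echo host-list; else echo xauth-only; fi ;;
        *)       echo unknown ;;
    esac
}

# Constructed sample output, not captured from a real server.
sample='access control enabled, only authorized clients can connect
INET:appserver.example
SI:localuser:student'
printf '%s\n' "$sample" | classify_xhost   # prints: host-list

# On a live terminal session the same function would be fed by:
#   xhost | classify_xhost
```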
