[K12OSN] Shutting clients down: was tight vnc connection to ltsp client refused (111 error)

Huck dhuckaby at paasda.org
Tue May 30 20:46:08 UTC 2006

that clarifies a lot actually ;)


Eric Harrison wrote:
> Huck wrote:
>> No way to code in a wrapper in the TeacherTool app to get a passwd even
>> if it is a static passwd that is set in a config file or something? To
>> use that option.
>> --Huck
> The problem is not on the server side, it is on the terminal side.
> Adding a password, etc. to applications running on the server-side
> doesn't fix the problem.
> Here is an example. Let's abuse a terminal, say one with the IP address
> Edit /opt/ltsp/i386/etc/lts.conf and append:
> 	[]
> and reboot the terminal.
> Now run this command logged in as any random user logged into any random
> terminal:
> 	echo shutdown | nc 9200
> So say you ban the use of netcat (nc). Well then, let's just use telnet:
> 	$ telnet 9200
> 	Trying
> 	Connected to
> 	Escape character is '^]'.
> 	shutdown
> Etc, etc. All you have to do is connect to TCP port 9200 on a terminal
> and type "shutdown" (or "reboot"). That's all there is to it.  Note that
> there is no username or password required, there is no logging of who
> did the dastardly deed, no firewall protection for the terminals' port
> 9200, simply no protection whatsoever.
> Hopefully that clearly illustrates why enabling ALLOW_SHUTDOWN is
> currently a REALLY BAD IDEA in most environments (especially in the
> environments targeted by K12LTSP).
> -Eric
>> Robert Arkiletian wrote:
>>> On 5/29/06, Eric Harrison <eharrison at mail.mesd.k12.or.us> wrote:
>>>>> What if you change the permission of ltspinfo to 754?
>>>> It would break a bunch of stuff yet will not fix this specific
>>>> problem...
>>>> No matter how you slice it or dice it, the "shutdown" feature is
>>>> currently at best secured by obscurity. Security by obscurity is no
>>>> security at all, especially when it is all in plain text.
>>>> Just to make the point perfectly clear, there is currently no way to
>>>> secure or restrict this specific feature. I highly recommend that
>>>> this is NOT ADDED to fl_tt or in any way encourage people to use it.
>>>> It is not an accident that this is disabled and undocumented.
>>> I understand Eric. I will NOT add this feature. It's dropped. Sorry if
>>> I got some people's hopes up. Thanks for letting me know about the
>>> issues concerning this before I spent time on it.
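
An added example, not part of the original thread and not LTSP code: a small audit that scans an lts.conf for sections that enable ALLOW_SHUTDOWN, the setting the quoted message warns against. The `[section]` / `KEY = value` layout, `#` comments and the set of values treated as "enabled" are assumptions, and the sample configuration is constructed.

```python
import re

# Assumption: values that count as "enabled"; the thread does not list them.
TRUTHY = {"y", "yes", "true", "1", "on"}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*)$")


def find_allow_shutdown(conf_text):
    """Return [(section, line_no, value)] for every enabled ALLOW_SHUTDOWN."""
    findings = []
    section = None  # settings before any [section] header have no section
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            continue
        m = SETTING_RE.match(line)
        if not m or m.group("key").upper() != "ALLOW_SHUTDOWN":
            continue
        value = m.group("value").strip().strip('"\'')
        if value.lower() in TRUTHY:
            findings.append((section, line_no, value))
    return findings


# Constructed sample; section names and addresses are placeholders.
SAMPLE_CONF = """\
[Default]
    SERVER = 192.0.2.1
    ALLOW_SHUTDOWN = N

[ws001]
    ALLOW_SHUTDOWN = Y      # flagged

[ws002]
    # ALLOW_SHUTDOWN = Y    commented out, ignored
    SOUND = Y
"""

if __name__ == "__main__":
    for section, line_no, value in find_allow_shutdown(SAMPLE_CONF):
        print(f"lts.conf:{line_no}: [{section}] ALLOW_SHUTDOWN = {value}")
```

Run against the real file by passing its contents to `find_allow_shutdown`; an empty result means no section enables the setting under the assumptions above.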
