[K12OSN] need help running sshd on client for fl_teachertool
robark at gmail.com
Tue Sep 29 18:03:48 UTC 2009
On Tue, Sep 29, 2009 at 7:27 AM, Gideon Romm
<ltsp at symbio-technologies.com> wrote:
> On Tue, 2009-09-29 at 10:16 -0400, Jeff Siddall wrote:
>> Gideon Romm wrote:
>> > Robert, no need for sshd on the client for this! LTSP5 has a whole
>> > system for starting processes after X launches, but before the greeter.
>> > There are in fact two different paths of interest in your chroot:
>> > .../usr/share/ltsp/xinitrc.d/ (This is used for ANY graphical screen
>> > script, ldm, rdesktop, etc)
>> > .../usr/share/ldm/rc.d/ (This is used only for LDM)
>> > If you create a script prefixed with the capital letter "I" (as in
>> > "init"), this script will be *sourced* after X initializes but before
>> > the greeter.
>> > This is the ideal place to put a call to x11vnc. Just make sure you
>> > call x11vnc to die along with X, so it starts up every time and does not
>> > daemonize or anything.
>> > You will find other scripts in those directories as examples. If you
>> > are running an image-based distro, such as ubuntu, remember to update
>> > the image after making changes.
>> This is good information, and I agree that sshd is not _required_.
>> However, it is still recommended for anyone who wants to encrypt traffic
>> to the client. It has the added benefit that x11vnc is only launched
>> when needed, thus not consuming resources on the client continuously.
> Jeff, if you are only using ssh to *launch* x11vnc, then you do know
> that the vnc traffic is still *unencrypted*, right? There are methods
> to encrypt the vnc connection, as well, so maybe you guys are doing that,
> too? If not, don't be lulled into a false sense of security. In fact,
> it's more secure to not have sshd running at all than it is to have it
> running for the purpose of launching something.
I thought about this Gideon. I *could* launch x11vnc from the script
locations you mention. The problem with this is that x11vnc needs to
launch with a password option from a password file to be secure. So if
users have access to this password file they too can snoop in on any
user. The problem is /root/ or any dir the client has access to is nfs
exported. So really anyone with a laptop and some Linux knowledge
should be able to vncviewer anyone. This is unfortunately the case
with k12ltsp and fl_teachertool currently. I sent out a security
advisory to this list a while ago about it. Fortunately, it has not
been an issue for me and I suspect others because of the
age/experience of our users. At least to my knowledge ;-)
However, now that I have sshd running I can *push* a unique password
file to each client, run x11vnc, and then promptly delete the password
file. So it's much more secure. Not secure in terms of sniffing
bandwidth (vnc is still vnc) but the password file is no longer easily
accessible this way.
BTW I set the sshd_config settings to disallow password auth (only
keys are allowed). You are correct though that sshd listening on the
client will add a bit more load to the client. Unfortunately, I don't
think there is another secure way of doing things. Nor do I have the
time to figure it out if there was. As for x11vnc load: Yes it does
make the client slow when it's polling the client's X. But this was
always the case. If you monitor people their systems get slow. That's
why I implemented vncsnapshot. With vncsnapshot the slow down is for a
fraction of a second. Non-issue.
> Also, keep in mind, x11vnc can also be launched from (x)inetd. So, if
> you are looking to achieve having it launched "on demand", that would be
> another way to go without sshd.
> When it's all said and done, though, I think if x11vnc introduces enough
> overhead to the running system to make it not work well, whether you
> introduce that overhead at the start or only while someone is working, I
> think the user's not gonna be happy with you. :) Also, sshd+x11vnc
> necessarily has more overhead than x11vnc by itself, even if not running
> all the time. In my limited experience, I never saw much overhead to
> x11vnc at all on the user's session - only on the vnc connection made.
> Now, if you *still* want sshd installed, once you install it, you
> should, in the chroot, make it run on boot just like any other service.
> In a redhat/fedora environment, I guess that is with chkconfig while
> chrooted, or some such? I know on ubuntu, it would be with
>> K12OSN mailing list
>> K12OSN at redhat.com
>> For more info see <http://www.k12os.org>
> Gideon Romm | Proud LTSP Developer
> ltsp at symbio-technologies.com
> Pay It Forward!
> Intel Atom 1.6GHz, 512MB RAM + Symbiont Boot Stick = $275
> 10% of order goes to school or open source project of your choice!
> Buy yourself a lab or office and use your donation to set up a school,
> pay for a desperately needed feature added to a software package,
> or sponsor part of LTSP's annual developer's conference LTSP-by-the-sea!
> Check out: http://www.symbio-technologies.com/payitforward
Eric Hamber Secondary, Vancouver, Canada
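The "push a unique password file, run x11vnc, delete the file" flow described in this thread, written out as an added example (this is not fl_teachertool's or LTSP's code). It assumes the client's sshd already has `PasswordAuthentication no` set, that the teacher's public key is in the client's root authorized_keys, that x11vnc is installed in the chroot, and that the client's X server is on the display passed as the second argument; `TEACHER_KEY`, `LOCAL_PORT` and the `/tmp/x11vnc.<pid>.pass` path are assumed names. It goes one step beyond the thread on Gideon's point that the VNC stream itself stays plaintext: x11vnc is bound to loopback and the viewer connects through an ssh `-L` tunnel, so only ssh traffic crosses the LAN, and the password file never lands in an NFS-exported directory.

```shell
#!/bin/sh
# Teacher-side helper (added example, not fl_teachertool/LTSP code): push a
# one-time VNC password to an LTSP client over key-only ssh, run x11vnc for a
# single viewer session through an ssh tunnel, and delete the password file
# when that session ends.
set -eu

TEACHER_KEY=${TEACHER_KEY:-$HOME/.ssh/teacher_x11vnc}   # assumed key path
LOCAL_PORT=${LOCAL_PORT:-5999}                          # assumed tunnel port

# Classic VNC auth only honours the first 8 characters of a password, so
# generate exactly 8 from the kernel RNG; fresh for every session.
gen_vnc_password() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 8
}

# Build the command the client runs.  It reads the password file from ssh's
# stdin into a 0600 file, arms a trap that removes the file however x11vnc
# exits, then serves exactly one viewer (-once) on loopback only (-localhost),
# giving up after 60 s if nobody connects.
build_remote_cmd() {
    display=$1; passfile=$2
    cmd="umask 077; cat > '$passfile';"
    cmd="$cmd trap 'rm -f \"$passfile\"' EXIT INT TERM;"
    cmd="$cmd x11vnc -display '$display' -auth guess -rfbauth '$passfile'"
    cmd="$cmd -localhost -rfbport 5900 -once -timeout 60"
    printf '%s' "$cmd"
}

# One monitoring session: $1 = client hostname, $2 = X display (default :7).
monitor_client() {
    client=$1; display=${2:-:7}
    local_pass=$(mktemp)
    trap 'rm -f "$local_pass"' EXIT
    pw=$(gen_vnc_password)
    # x11vnc -storepasswd writes the obfuscated VNC password file locally;
    # that file is piped to the client and never stored on the NFS root.
    x11vnc -storepasswd "$pw" "$local_pass" >/dev/null
    # BatchMode/PasswordAuthentication=no make the ssh client refuse to fall
    # back to a password prompt; -L carries the VNC stream inside ssh.
    ssh -i "$TEACHER_KEY" -o BatchMode=yes -o PasswordAuthentication=no \
        -L "$LOCAL_PORT:127.0.0.1:5900" "root@$client" \
        "$(build_remote_cmd "$display" "/tmp/x11vnc.$$.pass")" < "$local_pass" &
    ssh_pid=$!
    printf 'connect with: vncviewer localhost::%s  (password: %s)\n' \
        "$LOCAL_PORT" "$pw"
    # Returns when the viewer disconnects (-once) or the 60 s timeout fires;
    # the remote trap has removed the password file by then.
    wait "$ssh_pid"
}

# Run only when invoked directly with arguments, e.g. ./monitor_client.sh client07 :7
if [ "$#" -ge 1 ]; then
    monitor_client "$@"
fi
```

The `host::port` form is TightVNC/TigerVNC viewer syntax; other viewers spell the port differently. Because x11vnc listens on loopback with `-once`, a second person on the LAN cannot attach to the client's 5900 even if they obtain the password, and the password file exists on the client only for the lifetime of that one session.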