[K12OSN] need help running sshd on client for fl_teachertool
Jeff Siddall
news at siddall.name
Tue Sep 29 19:42:16 UTC 2009
Robert Arkiletian wrote:
> On Tue, Sep 29, 2009 at 11:24 AM, Jeff Siddall <news at siddall.name> wrote:
>> Gideon Romm wrote:
>>> Jeff, if you are only using ssh to *launch* x11vnc, then you do know
>>> that the vnc traffic is still *unencrypted*, right? There are methods
>>> to encrypt the vnc connection, as well, so maybe you guys are doing that,
>>> too? If not, don't be lulled into a false sense of security. In fact,
>>> it's more secure to not have sshd running at all than it is to have it
>>> running for the purpose of launching something.
>> No, the idea is to tunnel _all_ vnc traffic through ssh. Disallowing
>> password authentication and allowing only keys ensures security even if
>> the client image is available publicly (eg: via NFS)
>>
>> Here's a link to the configuration I use:
>>
>> http://wiki.ltsp.org/twiki/bin/view/Ltsp/X11vncLocalApp
>
> Jeff,
>
> the line you launch x11vnc is
>
> system("x11vnc -display :$1 -localhost -auth $2");
>
> you are not using a password file. This is bad because anyone can now
> snoop the screens of users. x11vnc gives big warnings not to do this.
> Even if you did use a password file, where would you put it (that is
> not nfs exported)?
Note the -localhost flag. If only secure (ie: ssh) logins are allowed
on the client, and only local connections are allowed to vnc, then it is
secure.
Jeff
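
A check for the two conditions this reply relies on (x11vnc restricted to -localhost, sshd refusing password logins), added here as an example and not part of the original post or the linked wiki configuration. The function names, the sample config and the display and xauth values are constructed; Match blocks, Include files and keyboard-interactive authentication are not evaluated.

```shell
#!/bin/sh
# Added example: audits the two conditions the reply depends on.
# Function names and the sample config are constructed for illustration.
# Not evaluated: Match blocks, Include files, keyboard-interactive auth.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the first value it reads; keywords are case-insensitive.
sshd_effective() {  # $1=config file  $2=keyword  $3=built-in default
    awk -v key="$2" -v def="$3" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }                 # re-splits the fields
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# True only if x11vnc is told to accept local connections only.
x11vnc_localhost_only() {  # $1 = x11vnc command line
    case " $1 " in
        *" -localhost "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only when x11vnc is loopback-only AND sshd refuses passwords.
audit_vnc_tunnel() {  # $1=sshd_config path  $2=x11vnc command line
    rc=0
    if [ "$(sshd_effective "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL: sshd accepts password logins"; rc=1
    fi
    if ! x11vnc_localhost_only "$2"; then
        echo "FAIL: x11vnc is not restricted to -localhost"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: x11vnc is loopback-only, sshd refuses passwords"
    return "$rc"
}

# Constructed sample: a client sshd_config and an x11vnc command line.
cfg=$(mktemp)
printf '%s\n' '# constructed sample' 'PubkeyAuthentication yes' \
    'passwordauthentication no' 'PasswordAuthentication yes' > "$cfg"
audit_vnc_tunnel "$cfg" 'x11vnc -display :0 -localhost -auth /tmp/xauth'
```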