[K12OSN] need help running sshd on client for fl_teachertool

Jeff Siddall news at siddall.name
Tue Sep 29 19:42:16 UTC 2009


Robert Arkiletian wrote:
> On Tue, Sep 29, 2009 at 11:24 AM, Jeff Siddall <news at siddall.name> wrote:
>> Gideon Romm wrote:
>>> Jeff, if you are only using ssh to *launch* x11vnc, then you do know
>>> that the vnc traffic is still *unencrypted*, right?  There are methods
>>> to encrypt the vnc connection, as well, so maybe you guys are doing that,
>>> too?  If not, don't be lulled into a false sense of security.  In fact,
>>> it's more secure to not have sshd running at all than it is to have it
>>> running for the purpose of launching something.
>> No, the idea is to tunnel _all_ vnc traffic through ssh.  Disallowing
>> password authentication and allowing only keys ensures security even if
>> the client image is available publicly (eg: via NFS)
>>
>> Here's a link to the configuration I use:
>>
>> http://wiki.ltsp.org/twiki/bin/view/Ltsp/X11vncLocalApp
> 
> Jeff,
> 
> the line you launch x11vnc is
> 
> system("x11vnc -display :$1 -localhost -auth $2");
> 
> you are not using a password file. This is bad because anyone can now
> snoop the screens of users. x11vnc gives big warnings not to do this.
> Even if you did use a password file, where would you put it (that is
> not nfs exported)?

Note the -localhost flag.  If only secure (ie: ssh) logins are allowed
on the client, and only local connections are allowed to vnc, then it is
secure.

Jeff
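
One way to audit the two conditions this reply relies on (key-only ssh logins, and x11vnc bound to loopback by -localhost), as an added example that is not part of the original thread. The function names, port 5900 and all sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs: sshd_config text and `ss -ltn` style output.
GOOD_SSHD='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no'
WEAK_SSHD='PubkeyAuthentication yes
#PasswordAuthentication no'
GOOD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      32     127.0.0.1:5900     0.0.0.0:*'
OPEN_SS='LISTEN 0      32     0.0.0.0:5900       0.0.0.0:*'

# Reads sshd_config text on stdin. Succeeds only if password and
# keyboard-interactive logins are both off in the global section.
# Assumes whitespace-separated "Keyword value" lines.
sshd_keys_only() {
    awk '
        BEGIN { pw = "yes"; kbd = "yes" }      # OpenSSH defaults when unset
        $1 ~ /^#/ { next }                     # commented-out lines do not count
        { k = tolower($1); v = tolower($2) }   # keywords are case-insensitive
        k == "match" { exit }                  # Match blocks are not audited here
        k == "passwordauthentication" && !p { pw = v; p = 1 }   # first value wins
        k ~ /^(kbdinteractive|challengeresponse)authentication$/ && !c { kbd = v; c = 1 }
        END { exit !(pw == "no" && kbd == "no") }
    '
}

# Reads `ss -ltn` output on stdin; $1 is the VNC port (5900 assumed below).
# Succeeds only if a listener exists on that port and all are loopback-bound.
vnc_loopback_only() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        { n = split($4, a, ":"); if (a[n] != port) next }
        { addr = substr($4, 1, length($4) - length(port) - 1); found = 1 }
        addr != "127.0.0.1" && addr != "[::1]" { bad = 1 }
        END { exit !(found && !bad) }
    '
}

# Demo on the constructed samples.
if printf '%s\n' "$GOOD_SSHD" | sshd_keys_only; then echo "sshd: key-only"; fi
if ! printf '%s\n' "$WEAK_SSHD" | sshd_keys_only; then echo "sshd: passwords still accepted"; fi
if printf '%s\n' "$GOOD_SS" | vnc_loopback_only 5900; then echo "vnc: loopback only"; fi
if ! printf '%s\n' "$OPEN_SS" | vnc_loopback_only 5900; then echo "vnc: reachable from the network"; fi
```

On a live client the same functions can be fed the output of `sshd -T` (run as root) and `ss -ltn`.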



