[K12OSN] need help running sshd on client for fl_teachertool
Robert Arkiletian
robark at gmail.com
Tue Sep 29 21:02:27 UTC 2009
On Tue, Sep 29, 2009 at 12:42 PM, Jeff Siddall <news at siddall.name> wrote:
> Robert Arkiletian wrote:
>> On Tue, Sep 29, 2009 at 11:24 AM, Jeff Siddall <news at siddall.name> wrote:
>>> Gideon Romm wrote:
>>>> Jeff, if you are only using ssh to *launch* x11vnc, then you do know
>>>> that the vnc traffic is still *unencrypted*, right? There are methods
>>>> to encrypt the vnc connection, as well, so maybe you guys are doing that,
>>>> too? If not, don't be lulled into a false sense of security. In fact,
>>>> it's more secure to not have sshd running at all than it is to have it
>>>> running for the purpose of launching something.
>>> No, the idea is to tunnel _all_ vnc traffic through ssh. Disallowing
>>> password authentication and allowing only keys ensures security even if
>>> the client image is available publicly (eg: via NFS)
>>>
>>> Here's a link to the configuration I use:
>>>
>>> http://wiki.ltsp.org/twiki/bin/view/Ltsp/X11vncLocalApp
>>
>> Jeff,
>>
>> the line you launch x11vnc is
>>
>> system("x11vnc -display :$1 -localhost -auth $2");
>>
>> you are not using a password file. This is bad because anyone can now
>> snoop the screens of users. x11vnc gives big warnings not to do this.
>> Even if you did use a password file, where would you put it (that is
>> not nfs exported)?
>
> Note the -localhost flag. If only secure (ie: ssh) logins are allowed
> on the client, and only local connections are allowed to vnc, then it is
> secure.
Ah! Thanks. I missed that.
--
Robert Arkiletian
Eric Hamber Secondary, Vancouver, Canada
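
Added example, not part of the original thread or the linked wiki page: a check for the two conditions the discussion relies on, key-only sshd logins and a VNC listener bound to loopback only. It assumes the text formats printed by `sshd -T` and `ss -ltn`; the function names and sample inputs are constructed for illustration.

```shell
# Added example: audit the two conditions the thread relies on.
# Assumed inputs: `sshd -T` (effective config) and `ss -ltn` (TCP listeners).

# Succeeds only if sshd accepts keys and rejects password-style logins.
sshd_keys_only() {
    awk '
        $1 == "passwordauthentication"          { pw = $2 }
        $1 == "kbdinteractiveauthentication"    { kbd = $2 }
        $1 == "challengeresponseauthentication" { kbd = $2 }  # older keyword
        $1 == "pubkeyauthentication"            { pk = $2 }
        END { exit !(pw == "no" && kbd == "no" && pk == "yes") }
    '
}

# Prints each VNC listener (ports 5900-5999) that is not bound to loopback;
# succeeds only if there is none.
vnc_exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n] + 0
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (port >= 5900 && port <= 5999 && addr != "127.0.0.1" && addr != "[::1]") {
                print $4; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample inputs (not captured from a real host).
SSHD_OK='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'
SSHD_WEAK='passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'
SS_LOCAL='LISTEN 0 32 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SS_OPEN='LISTEN 0 32 0.0.0.0:5900 0.0.0.0:*'

audit() {  # $1 = sshd -T text, $2 = ss -ltn text
    printf '%s\n' "$1" | sshd_keys_only || { echo "FAIL: sshd allows non-key logins"; return 1; }
    printf '%s\n' "$2" | vnc_exposed_listeners >/dev/null || { echo "FAIL: VNC reachable off-host"; return 1; }
    echo "OK: VNC is loopback-only and sshd is key-only"
}

audit "$SSHD_OK" "$SS_LOCAL"
audit "$SSHD_WEAK" "$SS_LOCAL" || true
audit "$SSHD_OK" "$SS_OPEN" || true
```

On a live client the same functions can be fed directly, for example `sshd -T | sshd_keys_only` (as root) and `ss -ltn | vnc_exposed_listeners`.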