[K12OSN] need help running sshd on client for fl_teachertool

Gideon Romm ltsp at symbio-technologies.com
Tue Sep 29 18:10:46 UTC 2009


On Tue, 2009-09-29 at 11:03 -0700, Robert Arkiletian wrote:
> On Tue, Sep 29, 2009 at 7:27 AM, Gideon Romm
> <ltsp at symbio-technologies.com> wrote:
> > On Tue, 2009-09-29 at 10:16 -0400, Jeff Siddall wrote:
> >> Gideon Romm wrote:
> >> > Robert, no need for sshd on the client for this! LTSP5 has a whole
> >> > system for starting processes after X launches, but before the greeter.
> >> >
> >> > There are in fact two different paths of interest in your chroot:
> >> >
> >> > .../usr/share/ltsp/xinitrc.d/  (This is used for ANY graphical screen
> >> > script, ldm, rdesktop, etc)
> >> >
> >> > .../usr/share/ldm/rc.d/ (This is used only for LDM)
> >> >
> >> > If you create a script prefixed with the capital letter "I" (as in
> >> > "init"), this script will be *sourced* after X initializes but before
> >> > the greeter.
> >> >
> >> > This is the ideal place to put a call to x11vnc.  Just make sure you
> >> > call x11vnc to die along with X, so it starts up every time and does not
> >> > daemonize or anything.
> >> >
> >> > You will find other scripts in those directories as examples.  If you
> >> > are running an image-based distro, such as ubuntu, remember to update
> >> > the image after making changes.
> >>
> >> Gadi,
> >>
> >> This is good information, and I agree that sshd is not _required_.
> >> However, it is still recommended for anyone who wants to encrypt traffic
> >> to the client.  It has the added benefit that x11vnc is only launched
> >> when needed, thus not consuming resources on the client continuously.
> >>
> >> Jeff
> >>
> >
> > Jeff, if you are only using ssh to *launch* x11vnc, then you do know
> > that the vnc traffic is still *unencrypted*, right?  There are methods
> > to encrypt the vnc connection, as well, so maybe you guys are doing that,
> > too?  If not, don't be lulled into a false sense of security.  In fact,
> > it's more secure to not have sshd running at all than it is to have it
> > running for the purpose of launching something.
> 
> I thought about this Gideon. I *could* launch x11vnc from the script
> locations you mention. The problem with this is that x11vnc needs to
> launch with a password option from a password file to be secure. So if
> users have access to this password file they too can snoop in on any
> user. The problem is /root/ or any dir the client has access to is nfs
> exported. So really anyone with a laptop and some Linux knowledge
> should be able to vncviewer anyone. This is unfortunately the case
> with k12ltsp and fl_teachertool currently. I sent out a security
> advisory to this list a while ago about it. Fortunately, it has not
> been an issue for me and I suspect others because of the
> age/experience of our users. At least to my knowledge ;-)
> 
> However, now that I have sshd running I can *push* a unique password
> file to each client run x11vnc and then promptly delete the password
> file. So it's much more secure. Not secure in terms of sniffing
> bandwidth (vnc is still vnc) but the password file is no longer easily
> accessible this way.
> 
> BTW I set the sshd_config settings to disallow password auth (only
> keys are allowed). You are correct though that sshd listening on the
> client will add a bit more load to the client. Unfortunately, I don't
> think there is another secure way of doing things. Nor do I have the
> time to figure it out if there was. As for x11vnc load: Yes it does
> make the client slow when it's polling the client's X. But this was
> always the case. If you monitor people their systems get slow. That's
> why I implemented vncsnapshot. With vncsnapshot the slow down is for a
> fraction of a second. Non issue.
> 

Very cool.  Sounds like a good solution all around.

Cheers,

-Gadi

> >
> > Also, keep in mind, x11vnc can also be launched from (x)inetd.  So, if
> > you are looking to achieve having it launched "on demand", that would be
> > another way to go without sshd.
> >
> > When it's all said and done, though, I think if x11vnc introduces enough
> > overhead to the running system to make it not work well, whether you
> > introduce that overhead at the start or only while someone is working, I
> > think the user's not gonna be happy with you.  :)  Also, sshd+x11vnc
> > necessarily has more overhead than x11vnc by itself, even if not running
> > all the time.  In my limited experience, I never saw much overhead to
> > x11vnc at all on the user's session - only on the vnc connection made.
> >
> > Now, if you *still* want sshd installed, once you install it, you
> > should, in the chroot, make it run on boot just like any other service.
> > In a redhat/fedora environment, I guess that is with chkconfig while
> > chrooted, or some such?  I know on ubuntu, it would be with
> > update-rc.d.
> >
> > -Gadi
> >
> >> _______________________________________________
> >> K12OSN mailing list
> >> K12OSN at redhat.com
> >> https://www.redhat.com/mailman/listinfo/k12osn
> >> For more info see <http://www.k12os.org>
-- 
--------------------------------------------------------
Gideon Romm | Proud LTSP Developer
ltsp at symbio-technologies.com

Pay It Forward!  
Intel Atom 1.6GHz, 512MB RAM + Symbiont Boot Stick = $275
10% of order goes to school or open source project of your choice!

Buy yourself a lab or office and use your donation to set up a school,
pay for a desperately needed feature added to a software package,
or sponsor part of LTSP's annual developer's conference LTSP-by-the-sea!

Check out:  http://www.symbio-technologies.com/payitforward 
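Robert's approach above rests on two settings: the client's sshd must accept keys only, and the per-session x11vnc password file must not be readable by anyone else, because the client's root filesystem sits on an NFS export that any host on the LAN can mount. The script below is an added example written for this archive page, not code from the thread, from LTSP or from fl_teachertool. It audits a constructed sshd_config and a constructed password file; it assumes POSIX sh, awk and find, sshd's first-value-wins rule for repeated keywords, and no Match blocks overriding the global settings (it does not parse those).

```shell
#!/bin/sh
# Added example, not code from the thread or from LTSP/fl_teachertool.
# Two small audits for the controls described in the thread:
#   1. sshd_config on the client must refuse password logins (keys only).
#   2. the x11vnc password file must not be readable by group/other,
#      since the client root is on an NFS export that other hosts can mount.
# Assumes POSIX sh, awk and find; sshd_config "first value wins" semantics;
# Match blocks are not parsed (assumption: global settings only).

# check_sshd_config FILE
# returns 0 when PasswordAuthentication is "no" and PubkeyAuthentication
# is "yes" (or left at its default of yes), 1 otherwise.
check_sshd_config() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    # first uncommented occurrence of a keyword is the effective one;
    # a commented "#PasswordAuthentication yes" has "#..." in $1 and is skipped
    pw=$(awk 'tolower($1) == "passwordauthentication" && !seen { print tolower($2); seen = 1 }' "$cfg")
    pk=$(awk 'tolower($1) == "pubkeyauthentication" && !seen { print tolower($2); seen = 1 }' "$cfg")
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# check_secret_perms FILE
# returns 0 when FILE exists and neither group nor other can read it.
check_secret_perms() {
    secret="$1"
    [ -f "$secret" ] || return 1
    # find prints the path only if a group-read or other-read bit is set
    [ -z "$(find "$secret" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# demo: build constructed sample inputs in a temp dir and run both checks
demo() {
    dir=$(mktemp -d)
    # weak config: password logins still allowed (constructed sample)
    printf 'PasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$dir/sshd_config.weak"
    # hardened config: commented default is ignored, keys only (constructed sample)
    printf '#PasswordAuthentication yes\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$dir/sshd_config.hardened"
    for c in weak hardened; do
        if check_sshd_config "$dir/sshd_config.$c"; then
            echo "sshd_config.$c: ok (keys only)"
        else
            echo "sshd_config.$c: FAIL (password auth permitted)"
        fi
    done
    # a per-session x11vnc password file: mode 644 fails, mode 600 passes
    : > "$dir/vncpasswd"
    chmod 644 "$dir/vncpasswd"
    check_secret_perms "$dir/vncpasswd" && echo "vncpasswd 644: ok" || echo "vncpasswd 644: FAIL (readable over the NFS export)"
    chmod 600 "$dir/vncpasswd"
    check_secret_perms "$dir/vncpasswd" && echo "vncpasswd 600: ok" || echo "vncpasswd 600: FAIL"
    rm -rf "$dir"
}

demo
```

Run it as-is to see the constructed samples judged, or call `check_sshd_config /path/to/chroot/etc/ssh/sshd_config` and `check_secret_perms` on the password file the push script leaves behind; both return a shell status, so they drop into a cron job or a pre-boot image check without changes.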



