
Re: [K12OSN] need help running sshd on client for fl_teachertool



On Tue, Sep 29, 2009 at 11:24 AM, Jeff Siddall <news siddall name> wrote:
> Gideon Romm wrote:
>> Jeff, if you are only using ssh to *launch* x11vnc, then you do know
>> that the vnc traffic is still *unencrypted*, right?  There are methods
>> to encrypt the vnc connection, as well, so maybe you guys are doing that,
>> too?  If not, don't be lulled into a false sense of security.  In fact,
>> it's more secure to not have sshd running at all than it is to have it
>> running for the purpose of launching something.
>
> No, the idea is to tunnel _all_ vnc traffic through ssh.  Disallowing
> password authentication and allowing only keys ensures security even if
> the client image is available publicly (eg: via NFS)
>
> Here's a link to the configuration I use:
>
> http://wiki.ltsp.org/twiki/bin/view/Ltsp/X11vncLocalApp

Jeff,

The line where you launch x11vnc is

system("x11vnc -display :$1 -localhost -auth $2");

You are not using a password file. This is bad because anyone can now
snoop the screens of users. x11vnc gives big warnings not to do this.
Even if you did use a password file, where would you put it (that is
not NFS exported)?


>
>> When it's all said and done, though, I think if x11vnc introduces enough
>> overhead to the running system to make it not work well, whether you
>> introduce that overhead at the start or only while someone is working, I
>> think the user's not gonna be happy with you.  :)  Also, sshd+x11vnc
>> necessarily has more overhead than x11vnc by itself, even if not running
>> all the time.  In my limited experience, I never saw much overhead to
>> x11vnc at all on the user's session - only on the vnc connection made.
>
> The overhead of having sshd listening is _much_ less than having x11vnc
> running.  I agree that when running sshd+x11vnc _will_ slow the client
> down, in my case this is only going to be used for remote support and
> the user will not care about the slowdown during the time that remote
> support is being provided.
>
> Jeff



-- 
Robert Arkiletian
Eric Hamber Secondary, Vancouver, Canada
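
An added example (not from the thread or the LTSP wiki page): a small shell lint that checks an x11vnc command line for the two properties argued about above, loopback-only listening and a VNC password option. The function name `audit_x11vnc` and every sample command line other than the one quoted in the message are constructed for illustration.

```shell
# Added example: lint an x11vnc command line.
# Prints one finding per line; exit status 0 = no findings, 1 = findings.
audit_x11vnc() (
    set -f    # no glob expansion while word-splitting the command string
    localhost=0 auth=0 argv_pw=0 nopw=0
    for word in $1; do
        case "$word" in
            -localhost)                          localhost=1 ;;
            # Options that make x11vnc require a VNC or Unix password.
            -rfbauth|-passwdfile|-usepw|-unixpw) auth=1 ;;
            -passwd)                             auth=1; argv_pw=1 ;;
            -nopw)                               nopw=1 ;;
            # Note: -auth names the X authority file; it is not VNC auth.
        esac
    done
    rc=0
    if [ "$localhost" -eq 0 ]; then
        echo "NOT-LOCALHOST: listens beyond 127.0.0.1, so clients can connect without the ssh tunnel"
        rc=1
    fi
    if [ "$auth" -eq 0 ]; then
        echo "NO-PASSWORD: no VNC password option; anything that can reach the port can view the display"
        rc=1
    fi
    if [ "$nopw" -eq 1 ]; then
        echo "NOPW: -nopw only silences the no-password warning"
        rc=1
    fi
    if [ "$argv_pw" -eq 1 ]; then
        echo "ARGV-PASSWORD: -passwd puts the password on the command line"
        rc=1
    fi
    exit "$rc"
)

# The command line quoted in the message above, passed as a literal string.
audit_x11vnc 'x11vnc -display :$1 -localhost -auth $2' || true
# Constructed variant with a password file (the path is a placeholder).
audit_x11vnc 'x11vnc -display :0 -localhost -rfbauth /path/to/passwd' || true
```

For the quoted command line this reports only NO-PASSWORD, since `-localhost` is present; the variant with `-rfbauth` reports nothing.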

