[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] need help running sshd on client for fl_teachertool



On Tue, Sep 29, 2009 at 12:42 PM, Jeff Siddall <news siddall name> wrote:
> Robert Arkiletian wrote:
>> On Tue, Sep 29, 2009 at 11:24 AM, Jeff Siddall <news siddall name> wrote:
>>> Gideon Romm wrote:
>>>> Jeff, if you are only using ssh to *launch* x11vnc, then you do know
>>>> that the vnc traffic is still *unencrypted*, right?  There are methods
>>>> to encrypt the vnc connection, as wel, so maybe you guys are doing that,
>>>> too?  If not, don't be lulled into a false sense of security.  In fact,
>>>> it's more secure to not have sshd running at all then it is to have it
>>>> running for the purpose of launching something.
>>> No, the idea is to tunnel _all_ vnc traffic through ssh.  Disallowing
>>> password authentication and allowing only keys ensures security even if
>>> the client image is available publicly (eg: via NFS)
>>>
>>> Here's a link to the configuration I use:
>>>
>>> http://wiki.ltsp.org/twiki/bin/view/Ltsp/X11vncLocalApp
>>
>> Jeff,
>>
>> the line you launch x11vnc is
>>
>> system("x11vnc -display :$1 -localhost -auth $2");
>>
>> you are not using a password file. This is bad because anyone can now
>> snoop the screens of users. x11vnc gives big warnings not to do this.
>> Even if you did use a password file, where would you put it (that is
>> not nfs exported)?
>
> Note the -localhost flag.  If only secure (ie: ssh) logins are allowed
> on the client, and only local connections are allowed to vnc, then it is
> secure.

Ah! Thanks. I missed that.

-- 
Robert Arkiletian
Eric Hamber Secondary, Vancouver, Canada


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]