package: italc
severity: wishlist
x-debbugs-cc: debian-...@lists.debian.org

On Tuesday, 30 December 2008, Valerio Pachera wrote:
> In a previous mail I wrote I wish ITALC to be preconfigured for the
> next debian edu released and you ask instruction/help for it.
> Here it is the analysis I made.
> -------------------------------------------
>
> Well, I try to explain how I would preset italc on debian edu.
> The point is that different actions have to be taken on the base of
> the different profile we are working with.
>
> Profile
> -main
> -ltsp
> -workstation
> -diskless workstation (dws)
>
> Short introduction:
> italc is made by two programs:
> 1-the client (called "ica"). It is a daemon that runs on the computers
> we want to control (also called clients)
> 2-the main application "italc" that teachers use to check and control
> students.
>
> Italc uses keys to increase security.
> The private keys have to be present on the computers where teachers
> want to run the main application.
> Actually we don't know which computer they will use so I think it's a
> good idea so I suggest to make the private key available on all
> computers/profiles.
>
> The public key has of course to be present on all computers and to be
> readable by anyone (or at least, all students).
>
> So, shortly, the actions needed after italc installation are two:
> 1-keys generation
> 2-run the ica daemon on all clients and on the ltsp server(s)
>
> Focus on the first step:
> ---------
> ### STEP 1: KEY GENERATIONS ###
> keys have to be generated once and be available to all clients. I think
> the best way to do it is to generate them on the "main"
> profile/machine because every computer on the debian edu network is
> in contact with it.
>
>
> --MAIN PROFILE
> here we need to install only italc client (ica).
> We do not need to run it but we have to generate the keys
> # ica -createkeypair
>
> This will create the directory
> /etc/italc/keys/ which contains "public" and "private" folders with the
> respective keys.
>
> It's now a good idea to assign the private keys to the "teachers"
> group and be sure they can read them (and no one else).
> # chgrp -R teachers /etc/italc/private
> # for key in $(find /etc/italc/private/ -name key); do chmod 640 "$key"; done
>
> We have to ensure that "public" keys have 644 permission.
>
> <install italc client and look at the default permissions. Same for the
> private keys>
> The public keys are already readable by anyone so we don't need to do
> anything.
>
> We have to make available the keys to the other hosts on the net so we
> export them using nfs with something like that in /etc/exports
> /usr/share/keys 10.0.2.0/23(ro,subtree_check) 192.168.0.0/24(ro,subtree_check)
>
> --THIN CLIENTS
> we don't have to do anything special about keys because the thin
> clients run on the server and the keys are already there
> We just have to
>
>
> --WORKSTATION
> Both italc client (ica) and italc master have to be installed by
> default on this profile.
> We need the same keys that are on the MAIN server. We simply have to
> create the folder /etc/italc and mount the shared folder by /etc/fstab
> with something like
> 10.0.2.1:/etc/italc /etc/italc nfs ro 0 0
>
> --DISKLESS WORKSTATION
> We can do the same thing we did for the workstation: mount the
> /etc/italc folder by fstab.
>
>
>
>
> ### STEP 2: RUN ITALC CLIENT (ICA) ###
>
> --MAIN PROFILE
> we do not need to run the daemon here. No one has to control this
> machine or use italc master on it.
>
> --LTSP PROFILE
> thin clients run on this machine so we have to run ica to control them.
> Because we have to run "n" instances of ica for "n" thin clients
> connected, we MUST use a different port for each ica session.
> To aim that it is sufficient to call a small script instead of calling
> directly /usr/bin/ica.
> This script takes care of running ica using a unique port which number
> is the sum of the last part of the thin client IP plus 11.000.
> (Note: on the master application to refer to a thin client we have to
> specify the ltsp server address WITH the unique port).
>
> --THIN CLIENT
> we do not have to do anything because we did it on the ltsp server
>
> --WORKSTATION
> we do not need any modification about ports here. We need only to
> execute ica when the user logs in.
>
> --DISKLESS WORKSTATION
> the same as workstation
>
> -----------------------
>
> ITALC MASTER CONFIGURATION
>
> italc master, like any other application, saves its own configuration
> file in the user home folder.
> That means a teacher may configure it in the finest way but the other
> teachers will have to repeat the same process.
> We can avoid that using a global configuration file. We already
> exported the folder /etc/italc that is reachable by any host of the
> debian edu network, so we can simply put the configuration file in
> this folder.
> Copy the file configured by the teacher in that directory
> cp ~/.italc/globalconfig.xml /etc/italc/
> It may be a good idea to not give write permission to all teachers but
> only to teachers of group "teacher+".
> # chown teacher+:teacher+ /usr/share/italc.conf
> # chmod 640 /etc/italc/globalconfig.xml
> Now we need to instruct italc to use that file.
> Edit /etc/xdg/iTALC Solutions/iTALC.conf adding
> [paths]
> globalconfig=/etc/italc/
>
> ------------------------
> Actually I didn't test all this stuff on debian edu lenny because the
> installation fails.
> I have a pure lenny where I can see that on the repository there is
> the 1.0.9_rc3 version of italc.
> It would be good to pack the stable release instead of the rc3.
>
> I made a schema to simplify things. It may not be accurate because I
> made it in a hurry.
> http://www.linuxludus.it/sites/default/files/download/debian-edu_italc.svg
> Let me know if we can work to have italc preconfigured in debian-edu.
> ------------------------
>
> Valerio.

I turned this into a bug report to get some maintainer reaction on this.
Last time I looked, italc included no useful documentation how to get started in the package (there is stuff online), so this bug is a request to document inside the package how to use it.

regards,
Holger
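
Two checks that follow from the quoted proposal, as an added example (not part of the original mail or of the italc package): the thin-client port rule (last octet of the client IP plus 11000) with input validation, and an audit of the key modes the mail asks for (640 for private keys, 644 for public keys). The function names and the key directory argument are assumptions.

```shell
#!/bin/sh
# Added example; function names and arguments are assumptions.

# Port for the ica instance that serves one thin client, using the rule
# from the mail: 11000 + last octet of the client's IPv4 address.
ica_port_for_ip() {
    ip=$1
    # Only digits and single dots, no leading or trailing dot.
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;   # leading zero (octal trap) or too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $((11000 + $4))
}

# Report key files whose mode differs from what the mail asks for
# (640 below private/, 644 below public/). Returns 1 if any are found,
# 2 if the expected directories are missing.
audit_key_modes() {
    keydir=$1
    [ -d "$keydir/private" ] && [ -d "$keydir/public" ] || return 2
    bad=$(find "$keydir/private" -type f ! -perm 640
          find "$keydir/public" -type f ! -perm 644)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample address from the thin-client range in the mail.
ica_port_for_ip 192.168.0.25
```

Because the port is derived from a single octet, the instances on one LTSP server occupy ports 11000 to 11255, which is the range a host firewall rule for the master application would need to cover.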