>>After contemplating the matter for a while, I still think it is a
>>serious security risk. As far as I know there is no password
>>authentication involved with NFS, so you only have to a) bind to a low
>>port and b) use the same UID on the client as the user that has files
>>on the NFS share that you want (rw) access to.
>>Now, consider a malicious user, who has prepared his laptop at home,
>>plugs it into the local network, uses the same IP as one of the LTSP
>>servers, runs a bad script, and in a moment every user's files are gone! An
>>alternative way would be booting from a customized floppy, if the thin
>>clients offer that possibility.
>>I have only a limited understanding of security issues, but am I wrong
>>here?

>*** A possible solution may be to create a VPN (IPSEC) between the client
>and the server. Allow the home directory to be mounted only through the
>VPN.

Client---->switch<--->LTSP Host<---->switch<
Client---->switch<--->LTSP Host<---->switch<
Client---->switch<--->LTSP Host<---->switch<--Backend Host (NFS, etc)

The simplest solution is two NICs in the LTSP server, and they use a
separate subnet for their own back-end services and have IP forwarding
disabled and some decent firewall rules. Someone hacking a server might
be able to get access to files they shouldn't, but not someone using a
laptop or some other trojan device on the client LAN.

--
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------

_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.openprojects.net
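
Added example, not part of the original thread: a small Python audit of the back-end host's /etc/exports that flags any export reachable from outside the back-end subnet described in the reply, or that sets the `insecure` option, which lifts the low-port requirement mentioned in the quoted message. The subnet, paths and sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing (not from the thread): thin clients on 192.168.0.0/24,
# LTSP servers reach the NFS back end over 10.0.0.0/24 on their second NIC.
BACKEND_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample /etc/exports for the back-end NFS host.
SAMPLE_EXPORTS = """\
# home directories
/home      10.0.0.0/24(rw,sync,root_squash)
/home/old  192.168.0.0/24(rw,sync)
/srv/pub   *(ro,insecure)
/opt/ltsp  10.0.0.11(ro,sync) 192.168.0.5(rw)
"""

def audit_exports(text, backend=BACKEND_NET):
    """Return (path, client, reason) for each export entry that is reachable
    from outside the back-end subnet or accepts unprivileged source ports."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            host, _, opts = spec.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            if "insecure" in options:
                findings.append((path, host or "*", "insecure: source port >= 1024 accepted"))
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                # Wildcards, hostnames and netgroups cannot be pinned to a subnet.
                findings.append((path, host or "*", "client not given as an address"))
                continue
            if net.version != backend.version or not net.subnet_of(backend):
                findings.append((path, host, "outside back-end subnet"))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:10} {client:16} {reason}")
```

Restricting exports to the back-end subnet only helps if the LTSP servers keep IP forwarding disabled, since NFS with plain UID-based authentication trusts whatever address and UID the request arrives with.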