>>After contemplating the matter for a while, I still think it is a
>>serious security risk. As far as I know there is no password
>>authenication involved with NFS, so you only have to a) bind to a low
>>port and b) use the same UID on the client as the user that has files
>>on the NFS share that you want (rw) access to.
>>Now, consider a malicious user, who has prepared his laptop at home,
>>plugs it in to the local network, uses the same ip as one of the LTSP
>>servers, runs a bad script, and in a moment every users files are gone! A
>>alternative way would be booting from a customized floppy, if the thin
>>clients offer that possibility.
>>I have only a limited understanding of security issues, but am I wrong
>>here?
>*** A possible solution may be to create a VPN(IPSEC) betweeen the client
>and the server. Allow the home directory to be mounted only through the
>VPN.
Client---->switch<--->LTSP Host<---->switch<
Client---->switch<--->LTSP Host<---->switch<
Client---->switch<--->LTSP Host<---->swtich<--Backend Host (NFS, etc)
The simplest solution is two NICs in the LTSP server and they use a
seperate subnet for their own back-end services and have IP
forwarding disabled and some decent firewall rules. Some one hacking a
server might be able to get access to files they shouldn't, but not
someone using a laptop or some other torjan device on the client LAN
--
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------
_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.openprojects.net
