On Tue, May 14, 2002 at 03:20:33PM +0200, Patrice DUMAS - DOCT wrote:
> On Tue, May 14, 2002 at 02:10:35PM +0200, Jason Bechtel wrote:
> > Security-minded LTSPers,
> > 
> > For my contribution, I just want to mention stunnel.  From the main page:
> > 
> > If I'm thinking properly, then we should be able to make an 
> > Stunnel+OpenSSL add-on package for LTSP which provides a wrapper on the 
> > workstation for the X server's XDMCP request and a new service on the 
> > server which functions merely as an encrypted layer over the existing 
> > display manager (port 177).  This would provide for an encrypted login.
> 
> I don't think it is possible as XDMCP is UDP based.

Anthony Dean stated in a post on the 25th of April that it is possible to
get a GUI login prompt over ssh (without using vnc), but, as I
understood his post, other features of XDMCP such as indirect
queries are not possible (since they rely on UDP).

He has not given a working example of how to do it though.

> > For the paranoid or those who require higher levels of security, one 
> > could then invoke stunnel again for the permanent X connection (ports 
> > 6000-6063), right?  It seems too easy... too good to be true...
> 
> ssh may also do X forwarding, (I think) more easily.

As others have stated, ssh seems to reduce performance on X traffic, but
if security is a great concern then you are willing to pay that price.

Does stunnel involve the same performance hit as ssh?

I still think this discussion is rather academic: If security as in
confidentiality is of great concern, afford not to use LTSP (even
consider not connecting computers to the network at all), if integrity
of data is of great concern, use LTSP and enforce good backup
policies. For those whose needs are in between, use SSH together with
VNC rather than XDMCP.

-- 

Hans Ekbrand
