Patrice,

you are right about the "man in the middle" attack. My take on the whole discussion is that we are trying to prevent people from sniffing passwords. ssh *would* work great for it, if the software loaded into the workstation was capable of encrypting the password with a public key. We are looking at a change in the ltsp kernel (or possibly an additional module) and a change in the login program to use ssh decryption to get the password.

julius

On Tue, 14 May 2002, Patrice DUMAS - DOCT wrote:

> Hi,
>
> > Anthony Dean stated in a post on the 25th of April that it is possible to
> > get a gui login prompt over ssh (without using vnc), but, as I
> > understood his post, other features of the XDMCP such as indirect
> > queries are not possible (since they rely on udp).
> >
> > He has not given a working example of how to do it though.
>
> I don't think it would be so difficult. I already did something approaching
> (in the lts_ssh package), but the login is on the console, X is started
> afterwards. I use ssh to encrypt, but also to authenticate the user. I don't
> think much change would be needed to use only encryption.
>
> Doing a gui login wouldn't be so complicated, I think. Something like a dm
> isn't really needed, just a window which gets the login, password (and maybe
> passphrase), and then calls a script which does all the work, or connects to ssh
> by pipes to transmit the login/password.
>
> As for features of XDMCP, the chooser could be emulated, by having a fixed list
> of ssh/X servers. I can't see any possible implementation for indirect queries,
> as Dean said, but is it used a lot?
>
> > I still think this discussion is rather academic: If security as in
> > confidentiality is of great concern, afford not to use LTSP (even
> > consider not connecting computers to the network at all), if integrity
>
> I don't think so. Public key authentication is fairly secure. The only issue I
> see is man in the middle attacks. I think in ltsp environments, with dhcp/tftp
> issuing broadcasts, it isn't possible to avoid man in the middle attacks.
>
> > of data is of great concern, use LTSP and enforce good backup
> > policies. For those whose needs are in between, use SSH together with
> > VNC rather than XDMCP.
>
> ssh with X is right here too.
>

_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.openprojects.net