Patrice,
        you are right about the "man in the middle" attack. my take on the
whole discussion is that we are trying to prevent people from sniffing
passwords. ssh *would* work great for it, if the software loaded into the
workstation was capable of encrypting the password with a public key. we
are looking at a change in the ltsp kernel (or possibly additional module)
and a change in the login program to use ssh decryption to get the
password.

julius

On Tue, 14 May 2002, Patrice DUMAS - DOCT wrote:

> Hi,
>
> > Anthony Dean stated in a post on the 25th of April that it is possible to
> > get a gui login prompt over ssh (without using vnc), but, as I
> > understood his post, other features of the XDMCP such as indirect
> > queries are not possible (since they rely on udp).
>
> > He has not given a working example of how to do it though.
>
> I don't think it would be so difficult. I already did something approaching
> (in the lts_ssh package), but the login is on the console, X is started
> afterwards. I use ssh to encrypt, but also to authenticate the user. I don't
> think much change would be needed to use only encryption.
>
> Doing a gui login wouldn't be so complicated, I think. Something like a dm
> isn't really needed, just a window which gets the login, password (and maybe
> passphrase), and then calls a script which does all the work, or connects to ssh
> by pipes to transmit the login/password.
>
> As for features of XDMCP, the chooser could be emulated, by having a fixed list
> of ssh/X servers. I can't see any possible implementation for indirect queries,
> as Dean said, but is it used a lot?
>
> > I still think this discussion is rather academic: If security as in
> > confidentiality is of great concern, afford not to use LTSP (even
> > consider not connecting computers to the network at all), if integrity
>
> I don't think so. Public key authentication is fairly secure. The only issue I
> see is man in the middle attacks. I think in ltsp environments, with dhcp/tftp
> issuing broadcasts, it isn't possible to avoid man in the middle attacks.
>
> > of data is of great concern, use LTSP and enforce good backup
> > policies. For those whose needs are in between, use SSH together with
> > VNC rather than XDMCP.
>
> ssh with X is right here too.
>


_____________________________________________________________________
Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
      https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help,   try #ltsp channel on irc.openprojects.net
