Jason,

Good points.

At this point, I would be happy with a simple dialog box
popping up, asking if it is ok for another user to attach
and view the session.

At least the thin client user would know that someone was
watching.

Additional password checking would be a plus, but you
know what they say about open source:  "Release Early, Release Often"


Jim McQuillan
[EMAIL PROTECTED]



On Mon, 10 Jun 2002, Jason A. Pattie wrote:

> Just thinking about authentication with the .x0rfbserver file that I 
> assume contains the necessary password information for accessing the 
> x0rfbserver for the thin client sessions.  Talking it over with my boss, 
> he pointed out that there seems to be a flaw with this implementation. 
> You have decided to place the .x0rfbserver file in .../ for the thin 
> client filesystem.  However, this filesystem is being exported as 
> readable to anyone who wants it.  Not only that, if the LTSP server is 
> the same as the application server, all users on the application server 
> have access to the password file for all other users' sessions without 
> even having to mount the NFS export.  Unless there's some way to secure 
> the exported directory (via user/group permissions, etc.), then we were 
> thinking the following features might be useful:
> 
> 1) When a vncviewer or xrfbviewer connection attempt comes to the thin 
> client, the x0rfbserver will pop up a dialog that asks the currently 
> logged in user to accept or reject the connection.
> 
> 2) If the user accepts the connection, x0rfbserver will pop up another 
> dialog for the user to type a password for the new connection.
> 
> 3) On the vncviewer or xrfbviewer side of the connection, the user would 
> have been waiting.  At this point, the password prompt would be 
> displayed for them to enter the newly set session password and connect 
> to the thin client.
> 
> This is of course more interactive and may not be the policy that a 
> company desires to implement.  However, at first glance it seems to be 
> more secure.
> 
> Also, it would seem very likely to be able to store a per thin client 
> x0rfbserver password in LDAP once that becomes available.  That would 
> also be more secure than having the password available in a file on the 
> NFS export especially if the LDAP server requires authentication for 
> that particular information.
> 
> 


_____________________________________________________________________
Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
      https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help,   try #ltsp channel on irc.openprojects.net
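
Added example (not part of the original thread or of LTSP itself): a coarse mode-bit audit for the exposure described in the quoted message, meant to be run on the server against the directory tree that is exported to the thin clients. The root directory given on the command line is an assumption, and ACLs, differing group ownership and NFS export options are not examined.

```python
import os
import stat

PASSWORD_FILE = ".x0rfbserver"  # file name taken from the thread


def exposure(path, root):
    """Return which classes besides the owner can read `path`.

    A class ("group" or "other") counts as a reader only if it has read
    permission on the file and search (x) permission on every directory
    from the file's directory up to and including `root`.
    """
    mode = os.stat(path).st_mode
    readers = set()
    if mode & stat.S_IRGRP:
        readers.add("group")
    if mode & stat.S_IROTH:
        readers.add("other")
    root = os.path.abspath(root)
    d = os.path.dirname(os.path.abspath(path))
    while readers:
        dmode = os.stat(d).st_mode
        if not dmode & stat.S_IXGRP:
            readers.discard("group")
        if not dmode & stat.S_IXOTH:
            readers.discard("other")
        if d == root or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return readers


def audit(root):
    """Walk `root` and return {path: readers} for every exposed password file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if PASSWORD_FILE in files:
            path = os.path.join(dirpath, PASSWORD_FILE)
            readers = exposure(path, root)
            if readers:
                findings[path] = readers
    return findings


if __name__ == "__main__":
    import sys
    for path, readers in sorted(audit(sys.argv[1]).items()):
        print(f"{path}: readable by {', '.join(sorted(readers))}")
```

An empty result only means the mode bits are tight on the server; it says nothing about who may mount the export.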
