> Just thinking about authentication with the .x0rfbserver file that I 
> assume contains the necessary password information for accessing the 
> x0rfbserver for the thin client sessions.  Talking it over with my boss, 
> he pointed out that there seems to be a flaw with this implementation. 
> You have decided to place the .x0rfbserver file in .../ for the thin 
> client filesystem.  However, this filesystem is being exported as 
> readable to anyone who wants it.  Not only that, if the LTSP server is 
> the same as the application server, all users on the application server 
> have access to the password file for all other users' sessions without 
> even having to mount the NFS export.  

*** When I launch x0rfbserver -stealth on the thin client, I do so as
root. So if the .x0rfbserver config file is readable only by root then
that will minimize the impact by preventing others from reading the file.

> Unless there's some way to secure 
> the exported directory (via user/group permissions, etc.), then we were 
> thinking the following features might be useful:
> 
> 1) When a vncviewer or xrfbviewer connection attempt comes to the thin 
> client, the x0rfbserver will popup a dialog that asks the currently 
> logged in user to accept or reject the connection.
> 
> 2) If the user accepts the connection, x0rfbserver will popup another 
> dialog for the user to type a password for the new connection.
> 
> 3) On the vncviewer or xrfbviewer side of the connection, the user would 
> have been waiting.  At this point, the password prompt would be 
> displayed for them to enter the newly set session password and connect 
> to the thin client.
> 
> This is of course more interactive and may not be the policy that a 
> company desires to implement.  However, at first glance it seems to be 
> more secure.
> 
> Also, it would seem very likely to be able to store a per thin client 
> x0rfbserver password in LDAP once that becomes available.  That would 
> also be more secure than having the password available in a file on the 
> NFS export especially if the LDAP server requires authentication for 
> that particular information.
> 


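As an added illustration that is not part of the thread, the script below audits the two points the exchange turns on: whether the .x0rfbserver password file is readable only by root, and how the thin-client root that holds it is exported. File paths and the sample exports entries are constructed for the example, and the export syntax assumed is the Linux /etc/exports one.

```shell
#!/bin/sh
# Added example, not code from the thread: audits the two facts the exchange
# hinges on, who can read the .x0rfbserver password file and how the
# thin-client root holding it is exported (Linux /etc/exports syntax assumed).

# 10-character mode field of a file, e.g. "-rw-------", and its owner.
mode_string() { ls -ld "$1" | cut -c1-10; }
owner_of()    { ls -ld "$1" | awk '{ print $3 }'; }

# 0 if only the owner has read permission (no group/other r bit).
owner_only_readable() {
    case "$(mode_string "$1")" in
        ????-??-??) return 0 ;;   # char 5 = group r, char 8 = other r
        *)          return 1 ;;
    esac
}

# Print the /etc/exports entry whose first field is DIR, if any.
export_entry() { awk -v d="$1" '$1 == d { print; exit }' "$2"; }

# 0 if DIR is exported to every client: no client list, "*", or "(opts)".
export_open_to_all() {
    export_entry "$1" "$2" |
        awk 'NF < 2 || $2 == "*" || $2 ~ /^\*\(/ || $2 ~ /^\(/ { open = 1 }
             END { exit !open }'
}

# 0 if client root is mapped to nobody on this export (the Linux default
# unless no_root_squash is given). A root-owned 0600 file is then unreadable
# by root on the thin client too, so the reply's fix depends on this option.
export_squashes_root() {
    entry=$(export_entry "$1" "$2")
    [ -n "$entry" ] || return 2
    case "$entry" in *no_root_squash*) return 1 ;; *) return 0 ;; esac
}

# Print one line per finding for FILE inside exported DIR.
audit_x0rfbserver() {   # audit_x0rfbserver FILE DIR EXPORTS_FILE
    owner_only_readable "$1" || echo "WARN: $1 is group/world readable ($(mode_string "$1"))"
    [ "$(owner_of "$1")" = root ] || echo "WARN: $1 is owned by $(owner_of "$1"), not root"
    export_open_to_all "$2" "$3" && echo "WARN: $2 is exported to any client"
    export_squashes_root "$2" "$3" && echo "NOTE: $2 squashes root; a 0600 root file is unreadable from the client"
    return 0
}
```

Run it on the server as `audit_x0rfbserver /opt/ltsp/i386/root/.x0rfbserver /opt/ltsp/i386 /etc/exports` (paths are examples); no output means the file is root-only and the export is neither world-open nor root-squashed.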
_____________________________________________________________________
Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
      https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help,   try #ltsp channel on irc.openprojects.net