Jim and all,

I just saw a list of hacking topics for the upcoming "LTSP by the sea" event.
A couple of the topics were getting a local display manager and ssh tunnelling.
I did some preliminary work on this last spring and thought I'd share my notes
to see if it sparks anything.  Basically, I set up a terminal to run
"s-terminal", which is a small graphical interface that runs locally on the
terminal, collects the username and password and sets up a tunneled X session.
It worked well.  Sorry it took me so long to get this to the list.

Here are the notes I took when I was doing it.  Hope this is helpful.

-----------------------

Here is the beginning of some notes on how to implement LTSP with encrypted X
sessions.

Steps

   1. set up an NIS/LDAP gateway http://www.radux.com/ypAnything
   2. enable local apps
   3. get a local display manager going (authenticating against LDAP through NIS for now)
   4. use .xinitrc file (or default session file) to launch a window manager via ssh
   5. develop a "screen script" to make this a normal option for LTSP

There are some primary security issues here. Here are some priorities:

   1. encrypt all data over the wire
   2. completely replace NIS with real LDAP authentication for local apps
   3. figure out a better ssh key storage system than NFS home directories.

-- DerekDresser - 21 Apr 2004

I just got a prototype working. Starting with a normal LTSP 4 installation with
local apps (NIS), I was able to start a display manager (XDM) on a terminal,
then log in as a user and bring up just an xterm. From that xterm, I started a
window manager on the server with X11 forwarding. Once the window manager is
running over ssh, anything started from within it also gets tunnelled through
ssh. It works fine.

Obviously the NFS traffic (between the terminal server and file server) is still
outside the ssh tunnel, but all the X traffic is encrypted over the wire. Very
cool! It is certainly a start towards more security with X terminals. Next
step is probably to work on a screen script, then play with the LDAP/NIS
gateway.
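The session script behind steps 3 and 4 above (and the prototype just described) is only sketched in the notes, so here is an added example of what such an .xinitrc-style script can look like. It is not part of the original post or of the S-Terminal project; the server name ltsp-server.example, the window manager icewm and the known_hosts path are placeholders. It uses ssh -X (X11 forwarding, the flag the notes switch to; -C only enables compression) and pins the server's host key with StrictHostKeyChecking=yes against a system-wide known_hosts file, so the terminal refuses to connect to a server whose key it has never seen and the key store does not have to live in an NFS home directory, which the notes list as an open problem.

```shell
#!/bin/sh
# Added example, not code from the original post: an X session script that runs
# the window manager on the LTSP server over ssh with X11 forwarding.  Every
# client the window manager launches inherits the forwarded DISPLAY, so the X
# traffic of the whole session goes through the ssh tunnel.

SERVER="${LTSP_SERVER:-ltsp-server.example}"          # placeholder hostname
WM="${LTSP_WM:-icewm}"                                  # placeholder window manager
KNOWN_HOSTS="${LTSP_KNOWN_HOSTS:-/etc/ssh/ssh_known_hosts}"  # assumed system-wide file

# Return 0 if $1 appears in the host-name field of any line of the known_hosts
# file $2 (comma-separated aliases are handled; hashed |1| entries are not).
has_host_key() {
    host="$1"; file="$2"
    [ -r "$file" ] || return 1
    while read -r names _rest; do
        case ",$names," in
            *",$host,"*) return 0 ;;
        esac
    done < "$file"
    return 1
}

# Print the ssh options that pin the server identity: refuse unknown keys and
# read them from the given file rather than ~/.ssh/known_hosts on NFS.
ssh_opts() {
    printf -- '-o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$1"
}

# Print the full command line (useful for logging or for a "screen script"
# wrapper).  Arguments: user server window-manager known_hosts_file.
build_ssh_cmd() {
    printf 'ssh -X %s %s@%s %s' "$(ssh_opts "$4")" "$1" "$2" "$3"
}

# Entry point for the X session.  If the server's key is not pinned we stop
# instead of prompting, so a terminal cannot be talked into trusting a new key
# at login time; the display manager then returns to the login screen.
run_session() {
    user="${USER:-$(id -un)}"
    if ! has_host_key "$SERVER" "$KNOWN_HOSTS"; then
        echo "no pinned host key for $SERVER in $KNOWN_HOSTS; refusing to start" >&2
        return 1
    fi
    # exec so the session ends (and X restarts) when the remote window manager exits
    exec ssh -X $(ssh_opts "$KNOWN_HOSTS") "$user@$SERVER" "$WM"
}

# Only start the session when explicitly asked, so the file can also be sourced.
if [ -n "${LTSP_SESSION_RUN:-}" ]; then
    run_session
fi
```

Set LTSP_SESSION_RUN=1 when the display manager invokes the script (or call run_session from the default Xsession). One caveat on the flag itself: in OpenSSH releases from 3.8 onward, -X requests "untrusted" forwarding (the client is restricted by the X SECURITY extension), and some window managers only behave under -Y, which grants the remote side full access to the local display; prefer -X and move to -Y only where a program actually needs it.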

OK, this is getting better. I realized earlier that I was still authenticating
with NIS and that was bad, so I went looking for something to replace the
display manager to allow me to only send ssh over the wire. I found something
called S-Terminal (https://freshmeat.net/projects/sterminal/) which is a secure
X terminal addon for Knoppix. It worked fine. I needed to install the following
things with apt-get:

tclx8.0.4
expect

I also had to make the following link:

ln -s /usr/lib/libexpect5.32.so.1 /usr/lib/libexpect5.32.so

I also had to modify /usr/local/src/sterminal/sterminal.xsession.tcl:

I changed the flag on the ssh command from -C to -X.

Configuration of sterminal in /usr/local/src/sterminal/sterminal.conf just
required changing the hostname and setting the Xsession path. I used
/etc/gdm/Sessions/Xsession

In Debian, I added the following to the end of the inittab to test this on the
second display:

w2:2:wait:/bin/sleep 2
x2:2:respawn:/usr/X11R6/bin/X :1
st:2:respawn:/usr/local/src/sterminal/sterminal.pl :1
#cw:2:respawn:/etc/cron-watcher.pl

-- DerekDresser - 21 Apr 2004

Setting up S-terminal

This file comes as a .zip file, so first you must unzip it:

mkdir /usr/local/src/sterminal
mv sterminal.....zip /usr/local/src/sterminal
cd /usr/local/src/sterminal

Next, you want to untar the configuration files. You can do this with:

tar -jpPxf configs.tbz

You should now have a directory that looks like this:

muddy:/usr/local/src/sterminal# ls -al
total 232
drwxr-sr-x    3 root     staff        4096 Apr 23 10:23 .
drwxrwsr-x    7 root     staff        4096 Apr 23 10:14 ..
-r--r--r--    1 root     staff       18009 Mar  7  2003 LICENSE.txt
-rw-rw-r--    1 root     staff        3811 Mar  7  2003 README
-rw-rw-r--    1 root     staff       42040 Mar  9  2003 configs.tbz
-rwxr-xr-x    1 500      500           263 Mar  7  2003 cron-watcher.pl
-rw-r--r--    1 500      500           640 Mar  7  2003 crontab
drwxrwxr-x    2 root     staff        4096 Mar  7  2003 examples
-rwxrwxr-x    1 500      500           196 Mar  4  2003 getgeom.sh
-rw-r--r--    1 500      500          2406 Mar  7  2003 inittab
-rw-r--r--    1 root     staff         420 Mar  5  2003 knoppix.sh
-rw-rw-r--    1 root     staff        1039 Mar  7  2003 making-a-cd.txt
-rw-rw-r--    1 500      500          4421 Mar  7  2003 sterminal-lib.pl
-rw-r--r--    1 500      500         18673 Mar  6  2003 sterminal-splash.gif
-rwxrwxr-x    1 500      500           780 Mar  9  2003 sterminal-update.pl
-rwxrwxr-x    1 500      500            43 Mar  7  2003 sterminal-update.script
-rw-rw-r--    1 500      500           407 Mar  9  2003 sterminal.conf
-rw-rw-r--    1 500      500         11669 Feb 28  2003 sterminal.gif
-rwxrwxr-x    1 500      500          2535 Mar  7  2003 sterminal.pl
-rwxr-xr-x    1 500      500          9947 Mar  9  2003 sterminal.xsession.tcl
-rw-------    1 dsd      dsd         52865 Apr 23 10:14 sterminal.zip
-rw-rw-r--    1 500      500          3238 Mar  6  2003 tux.gif


-- 
Derek Dresser
http://network.gouldacademy.org/
Gould Academy
Bethel, ME 04217
(207)824-7700

"What is research but a blind date with knowledge?"
       --Will Harvey
_____________________________________________________________________
Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
      https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help,   try #ltsp channel on irc.freenode.net