On 21.07.2013 17:36, Alkis Georgopoulos wrote:
> sshd in the chroot is disabled by default, for security reasons, i.e.
> all the clients would have the same sshd host keys, and any non-LTSP
> client could read them by just mounting the NBD image.

I see. I am aware of this problem, but I always considered it as acceptable, since there's nothing inside the client chroot that's secret (is this true?). Ssh spoofing by spying on the ssh host keys is admittedly a risk, though acceptable in our setup.

> If you want to run sshd in ltsp clients even though it's insecure, you
> can remove the ltsp-update-image.excludes line you mentioned.
>
> Or you could put something like this in lts.conf, so that the keys are
> regenerated on client boot:
> RCFILE_01="ssh-keygen -A"
> RCFILE_02="service ssh start"

Thanks for the tip! The second line is not even necessary, sshd is started as soon as it is installed in the client chroot.

One thing that made it hard for me to debug the problem was that the behavior silently changed between 12.04 and 13.04. It would be helpful if changes like these, which may affect the function of existing installations upon updates, were documented in a sort of changelog / update help.

Now given this change, and accepted that it is a security measure, let me rephrase my question:

-> Since ssh login to running clients is a security risk, what other measure can I take to allow remote shutdown of a running client?

I believe that this is not an unusual wish, and I'd really appreciate it if there was a method provided by LTSP. Timed shutdown can be configured through lts.conf. But there is no way of requesting shutdown at arbitrary times. However, this is a relevant feature at all times when the server needs to be modified/updated/restarted. Server restart leaves running clients in an unusable state, and it is unfeasible for me to go physically to all of our 150 clients to press the reset button. I need a way of shutting them down cleanly.

Any suggestions appreciated!

Thanks to Alkis for your help and clarification,
regards,
Rüdiger

--
Dr. Rüdiger Kupper <k...@kg-fds.de>
Kepler-Gymnasium Freudenstadt

_____________________________________________________________________ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net