package: italc
severity: wishlist
x-debbugs-cc: debian-...@lists.debian.org
On Dienstag, 30. Dezember 2008, Valerio Pachera wrote:
In a previous mail I worte I wish ITALC to be preconfigured for the
next debian edu released and you ask instruction/help fot it.
Here it is the analisys I made.
---
Well, I try to explain how I would preset italc on debian edu.
The point is that different actions have to be taken on the base of
the different profile we are working with.
Profile
-main
-ltsp
-workstation
-diskless workstation (dws)
Short introduciton:
italc is made by two programs:
1-the client (called ica). It is a daemon that runs on the computers
we want to control (also called clients)
2-the main application italc that teachers use to check and control
students.
Italc uses keys to increase security.
The private keys have to be presente on the computers where teachers
want to run the main application.
Actualy we don't know wich computer they will use so I think it's a
good idea so I suggest to make the private key available on all
computers/profiles.
The public key has off course to be present on all computers and to be
readable by anyone (or at least, all students).
So, shortly, the actions needed after italc installation are two:
1-keys generation
2-run the ica daemon on all clients and on the ltsp server(s)
Focus on the firt step:
-
### STEP 1: KEY GENERATIONS ###
keys has to be generated once and be available to all clients. I think
the best way to do it is to generate them on the main
profile/machine because every computer on the debian edu network are
in contact with it.
--MAIN PROFILE
here we need to install only italc client (ica).
We do not need to run it but we have to generate the keys
# ica -createkeypair
This will create the directory
/etc/italc/keys/ wich contains public and private folders with the
respective keys.
It's now a good idea to assign the private keys to the teachers
group and be sure tey can read them (and none else).
# chgrp -R teachers /etc/italc/private
# for key in $(find /etc/italc/private/ key); do chmod 640 done
We have to ensure that public keys have 644 permission.
isntalla itcal client e guarda i permessi di default. Idem per le
chiavi private
The public keys are already readable by anyone do we don't need to do
anything.
We have to make available the keys to the other hosts on the net so we
export them using nfs with something like that in /etc/exports
/usr/share/keys 10.0.2.0/23(ro,subtree_check)
192.168.0.0/24(ro,subtree_check)
--THIN CLIENTS
we don't have to do anything special about keys because the thin
clinets runs on the server and the keys are already there
We just have to
--WORKSTATION
Both italc client (ica) and italc master have to be installed by
deafult on this profile.
We need the same keys that are on the MAIN server. We simply have to
create the folder /etc/italc and mount the shared folde by /etc/fstab
with something like
10.0.2.1:/etc/italc /etc/italc nfs ro 0 0
--DISKLESS WORKSTATION
We can do the samething we did for theworkstation: mount the
/etc/italc folder by fstab.
### STEP 2: RUN ITALC CLIET (ICA) ###
--MAIN PROFILE
we do not need to run the daemon here. None have to control this
machine or use italc master on it.
--LTSP PROFILE
thin client run o this machine so we have to run ica to control them.
Because we have to run n istances of ica for n thin clinet
connected, we MUST use a different port for each ica session.
To aim that is sufficent call a small script instead of calling
directly /usr/bib/ica.
This script take care of running ica using an unique port wich number
is the sum of the last part of the thin clinet IP plus 11.000.
(Note: on the master application to refear to a thin client we have to
specify the ltsp server address WITH the unique port).
--THIN CLIENT
we do not have to do anything because we did it on the ltsp server
--WORKSTATION
we do not need any modification about ports here. We need only to
execute ica when the usr log in.
--DISKLESS WORKSTATION
the same as workstation
---
ITALC MASTER CONFIGURATION
italc master, like any other apllication, save its own configuration
file in the user home folder.
That means a teacher may configre it in the finest way but the other
teachers will have to repeat the same process.
We can avoid that using a global configuration file. We already
exportet the folder /etc/italc that is reachable by any host of the
debian edu netowrk, so we can simply put the configuration file in
this folder.
Copy the file configured by the teacher in that directory
cp ~/.italc/globalconfig.xml /etc/italc/
It may be a good idea to not give write permission to all teacher but
only to teacher of group teacher+.
# chown teacher+:teacher+ /usr/share/italc.conf
# chmod 640 /etc/italc/globalconfig.xml
Now we need
