Re: [Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-24 Thread Jakob Unterwurzacher
On 24.07.2013 09:11, Jakob Unterwurzacher wrote: > With RSA, the sessions should be protected using a random per-session > key exchanged using Diffie-Hellman that does not depend on the > private key for its security. > > I will try to find a definitive source for that and follow up here. Found

Re: [Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-24 Thread Jakob Unterwurzacher
On 24.07.2013 07:22, Alkis Georgopoulos wrote: > If my assumption above is true, that a leaked ssh server private key > means that the ssh connections are no longer private, then this applies > to key-based authentication as well. > Ok, thanks for the clarification! After the Debian weak key issu

Re: [Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-23 Thread Alkis Georgopoulos
On 24/07/2013 01:03 AM, Jakob Unterwurzacher wrote: > This means that you won't know the client ssh host key. That's not > better than a publicly-known one - either way you can't be sure the box > you are connecting to is not spoofed. Not knowing the ssh server public key == trust issue (

Re: [Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-23 Thread Jakob Unterwurzacher
On 21.07.2013 22:51, Alkis Georgopoulos wrote: > On 21/07/2013 11:02 PM, Rüdiger Kupper wrote: >> Now given this change, and accepted that it is a security measure, >> let me rephrase my question: >> >> -> Since ssh login to running clients is a security risk, what >> other measure can I tak

Re: [Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-21 Thread Alkis Georgopoulos
On 21/07/2013 11:02 PM, Rüdiger Kupper wrote: > Now given this change, and accepted that it is a security measure, > let me rephrase my question: > > -> Since ssh login to running clients is a security risk, what > other measure can I take to allow remote shutdown of a running > client? I

Re: [Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-21 Thread Rüdiger Kupper
> -> Since ssh login to running clients is a security risk, what other > measure can I take to allow remote shutdown of a running client? Hmmm, allow me to suggest an answer to my own question. It may not be the most elegant of ways, but... -> Do not push, but poll: In the client chroot, install

Re: [Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-21 Thread Rüdiger Kupper
On 21.07.2013 17:36, Alkis Georgopoulos wrote: > sshd in the chroot is disabled by default, for security reasons, i.e. > all the clients would have the same sshd host keys, and any non-LTSP > client could read them by just mounting the NBD image. I see. I am aware of this problem, but I always con

Re: [Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-21 Thread Alkis Georgopoulos
On 21/07/2013 05:47 PM, Rüdiger Kupper wrote: > The reason is that clients have no ssh host keys! They are > actively removed during generation of client chroots, due to the > following line in /etc/ltsp/ltsp-update-image.excludes: ... My > question: How am I supposed to ssh into a running c

[Ltsp-discuss] No ssh into clients due to missing client host keys

2013-07-21 Thread Rüdiger Kupper
Hello list, we have sshd installed in our client chroots, so that root can have remote access to running clients. (We mainly use this for remote shutdown of clients.) After upgrade from 12.04 LTS to 13.04, root cannot connect to running clients, although sshd is running. The reason is that clien