
List:       ltsp-discuss
Subject:    Re: [Ltsp-discuss] SSH login to LTSP client
From:       John Hupp <ltsp () prpcompany ! com>
Date:       2012-12-06 21:42:11
Message-ID: 50C11133.5000209 () prpcompany ! com

On 12/6/2012 12:10 AM, Alkis Georgopoulos wrote:
> The ssh server keys are omitted from the image by default because it's a
> security risk.
> To keep them, remove the respective line from ltsp-update-image.excludes:
>
> $ grep ssh /etc/ltsp/ltsp-update-image.excludes
> etc/ssh/ssh_host_*_key
Thanks, Alkis, that was the key bit of info. (Thanks also to Vagrant C 
for pondering the question.)  I hadn't thought about the excludes file.  
That got me past the initial error.

After that, when trying to log in under one or another of the user 
accounts, I was getting "Permission denied" errors.  But then the light 
dawned for me: Since "ltsp-update-image --cleanup" removes the 
(user-created) user accounts, and since I am trying to log into the 
local client session, there are no user accounts there. So even with the 
keys preserved, logging in as root is the only option.

But needless to say (except for newbies like me, who will be surprised), 
if one successfully logs in as root, the local client keys will be 
entered in the ssh known_hosts file.  If one then updates the image 
again, new client keys will be created, and when one tries to log in to 
the client again as root, there will be a key mismatch and ssh will 
issue a stiff warning about a man-in-the-middle attack.  The existing 
keys for that client address must first be removed with "ssh-keygen -R" 
before one can log in again as root.


_____________________________________________________________________
Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
      https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help,   try #ltsp channel on irc.freenode.net
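
The exclude line in the quoted reply decides whether the SSH private host keys are copied into the client image. As an added example (not part of the original message and not LTSP's own code), this shell check reports whether a given excludes file still lists that line and, if not, which private keys under a given chroot would be shipped. The function names and the paths passed in are assumptions, and the excludes file is assumed to hold the pattern as one exact line, as in the grep output above.

```shell
#!/bin/sh
# Added example (not LTSP code): would an image build ship SSH private host keys?
PATTERN='etc/ssh/ssh_host_*_key'   # the exclude line quoted in the thread

# 0 = pattern still listed, 1 = pattern removed, 2 = file unreadable
host_keys_excluded() {
    [ -r "$1" ] || return 2
    grep -qxF "$PATTERN" "$1"
}

# Print private host keys under <root>/etc/ssh; the glob skips *.pub files.
list_private_host_keys() {
    for f in "$1"/etc/ssh/ssh_host_*_key; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# 0 = keys stay out of the image, 1 = keys would be shipped, 2 = cannot tell
audit_image_host_keys() {
    excludes=$1 root=$2 ex_rc=0
    host_keys_excluded "$excludes" || ex_rc=$?
    if [ "$ex_rc" -eq 2 ]; then
        echo "cannot read $excludes" >&2; return 2
    fi
    if [ "$ex_rc" -eq 0 ]; then
        echo "OK: $PATTERN is excluded"; return 0
    fi
    keys=$(list_private_host_keys "$root")
    if [ -z "$keys" ]; then
        echo "OK: exclude removed, but no private host keys under $root"; return 0
    fi
    echo "WARN: these private keys would be copied into the image:"
    printf '%s\n' "$keys"
    return 1
}

# Constructed demo tree and excludes files (sample data, not a real system).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/etc/ssh"
    : > "$d/root/etc/ssh/ssh_host_rsa_key"
    : > "$d/root/etc/ssh/ssh_host_rsa_key.pub"
    printf '%s\n' "$PATTERN" > "$d/default.excludes"
    printf '%s\n' 'var/cache/example' > "$d/edited.excludes"
    audit_image_host_keys "$d/default.excludes" "$d/root"
    audit_image_host_keys "$d/edited.excludes" "$d/root" || echo "exit status: $?"
    rm -rf "$d"
}
demo
```

A non-zero status from `audit_image_host_keys` can gate an image rebuild, with the excludes file and the client chroot passed as its two arguments.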

