List: ltsp-discuss
Subject: Re: [Ltsp-discuss] SSH login to LTSP client
From: John Hupp <ltsp () prpcompany ! com>
Date: 2012-12-06 21:42:11
Message-ID: 50C11133.5000209 () prpcompany ! com
On 12/6/2012 12:10 AM, Alkis Georgopoulos wrote:
> The ssh server keys are omitted from the image by default because it's a
> security risk.
> To keep them, remove the respective line from ltsp-update-image.excludes:
>
> $ grep ssh /etc/ltsp/ltsp-update-image.excludes
> etc/ssh/ssh_host_*_key
Thanks, Alkis, that was the key bit of info. (Thanks also to Vagrant C
for pondering the question.) I hadn't thought about the excludes file.
That got me past the initial error.

After that, when trying to log in under one or another of the user
accounts, I was getting "Permission denied" errors. But then the light
dawned for me: Since "ltsp-update-image --cleanup" removes the
(user-created) user accounts, and since I am trying to log into the
local client session, there are no user accounts there. So even with the
keys preserved, logging in as root is the only option.

But needless to say (except for newbies like me, who will be surprised),
if one successfully logs in as root, the local client keys will be
entered in the ssh known_hosts file. If one then updates the image
again, new client keys will be created, and when one tries to log in to
the client again as root, there will be a key mismatch and ssh will
issue a stiff warning about a man-in-the-middle attack. The existing
keys for that client address must first be removed with "ssh-keygen -R"
before one can log in again as root.
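
The key mismatch described in the message above can be checked before the stale known_hosts entry is removed. This is an added example, not part of the original post: a shell function compares the known_hosts entry for a client with a public key copied from the rebuilt image over a trusted channel. The addresses, host name, file names and key blobs are constructed placeholders, and plain (unhashed) known_hosts entries are assumed.

```shell
#!/bin/sh
# Added example; file names and key blobs below are constructed placeholders.

# check_host_key KNOWN_HOSTS HOST PUBKEY_FILE -> prints match | mismatch | unknown
# Compares the known_hosts entry for HOST with a public key obtained over a
# trusted channel. Assumes plain (unhashed) host names in known_hosts.
check_host_key() {
    want=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$3")
    awk -v host="$2" -v want="$want" '
        BEGIN { split(want, w, " ") }
        /^[ \t]*#/ || NF == 0 { next }   # comments and blank lines
        $1 ~ /^@/ { next }               # @cert-authority / @revoked markers
        $2 != w[1] { next }              # other key types are not comparable
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { seen = 1; if ($3 == w[2]) ok = 1 }
        }
        END { print (ok ? "match" : (seen ? "mismatch" : "unknown")) }
    ' "$1"
}

# write_sample DIR: constructed data for a client at 192.0.2.20 (documentation
# address) whose host key changed when the image was rebuilt.
write_sample() {
    cat > "$1/known_hosts" <<'EOF'
# constructed sample
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIServerKeyPlaceholder000
ltsp20,192.0.2.20 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldClientKeyPlaceholder0
EOF
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldClientKeyPlaceholder0 root@old' > "$1/old.pub"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewClientKeyPlaceholder0 root@new' > "$1/new.pub"
}

demo() {
    d=$(mktemp -d) && write_sample "$d"
    for key in old new; do
        echo "$key image key vs known_hosts: $(check_host_key "$d/known_hosts" 192.0.2.20 "$d/$key.pub")"
    done
    # Only when the mismatch is explained by a rebuild and the new key came from
    # the image itself would one run:  ssh-keygen -R 192.0.2.20
    rm -rf "$d"
}
demo
```

A "mismatch" result against a key taken from the rebuilt image confirms the warning is the expected consequence of the update; a mismatch against every key one can account for is the case the ssh warning exists for.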