Simplicity and Diskless Client Security // was Re: multiple thin client servers

Scott Balneaves sbalneav at legalaid.mb.ca
Thu Nov 30 21:01:46 UTC 2006


On Wed, Nov 29, 2006 at 10:09:15AM +0000, Gavin McCullagh wrote:

> In order to use diskless clients you traditionally share out the home dirs
> (as well as system stuff) using NFS.

Well, for most THIN clients, no.  Only the system dir.  The client runs
X, and all the processes run up on the server, so the home dirs don't
need to be shared out.

What you're talking about is a fat client, where you actually run a full
system locally on the machine.

> This is basically unauthenticated and
> it's left up to the client machine to enforce permissions on users.  The
> home dirs must be shared writable.  This means that a malicious person
> could potentially plug in a laptop and mount the NFS share with full access
> to everyone's home dirs.  This is a bit of a worry.

Not necessarily, if we work towards the Kerberos authentication that's
currently becoming integrated into Edubuntu.  NFSv4 should support
Kerberos.

> If distros are planning on recommending diskless clients, I think the above
> should probably be addressed first or at least flagged as an issue to
> admins.  Perhaps it already has been?

Yup, check on Launchpad.  It's on the radar :)

Scott

-- 
Scott L. Balneaves | "Let us endeavor so to live that when we come to die
Systems Department |  even the undertaker will be sorry."
Legal Aid Manitoba |    -- Mark Twain, "Pudd'nhead Wilson's Calendar"
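
An added example, not part of the original message and not Edubuntu or LTSP code: a small audit of an `/etc/exports` file that lists every export still accepting a non-Kerberos flavor (the default `sec=sys`, where the client machine is trusted to enforce permissions) and separates read-only system directories from writable ones such as home directories. The paths, network and host names are constructed, and the parser covers only the common exports(5) syntax (no quoted paths).

```python
import re

KERBEROS = {"krb5", "krb5i", "krb5p"}
# One entry after the path: "client(opts)", bare "client", or "-default,opts".
ENTRY = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

# Constructed sample, not taken from any real server.
SAMPLE_EXPORTS = """\
# thin-client root: read-only system directory
/opt/ltsp/i386   192.168.0.0/24(ro,no_root_squash,async)
# fat-client home directories, permissions enforced by the client
/home            192.168.0.0/24(rw,sync)
/srv/home        -sec=krb5p,rw  *.example.org  admin.example.org(sec=sys:krb5p)
/export/scratch  *(rw,sec=krb5:krb5i:krb5p)
"""

def apply_opts(optlist, writable, flavors):
    """Fold one comma-separated option list into (writable, flavors)."""
    for opt in filter(None, (o.strip() for o in optlist.split(","))):
        if opt == "rw":
            writable = True
        elif opt == "ro":
            writable = False
        elif opt.startswith("sec="):
            flavors = set(opt[4:].split(":"))
    return writable, flavors

def audit_exports(text):
    """Return (path, client, mode) for each export accepting a non-Kerberos flavor."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        path, rest = fields[0], fields[1] if len(fields) > 1 else ""
        defaults = (False, {"sys"})  # exports(5) defaults: ro, sec=sys
        for m in ENTRY.finditer(rest):
            client, opts = m.group(1), m.group(2)
            if not m.group(0):
                continue  # zero-length match between entries
            if client.startswith("-") and opts is None:
                defaults = apply_opts(client[1:], *defaults)  # line-wide defaults
                continue
            writable, flavors = apply_opts(opts or "", *defaults)
            if flavors - KERBEROS:  # AUTH_SYS still accepted: client is trusted
                findings.append((path, client or "*", "rw" if writable else "ro"))
    return findings

if __name__ == "__main__":
    for path, client, mode in audit_exports(SAMPLE_EXPORTS):
        print(f"{mode} without Kerberos: {path} -> {client}")
```

An `rw` finding corresponds to the writable home-directory share raised in the quoted text; an `ro` finding is the read-only system directory a thin client mounts.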



