[K12OSN] Shutting clients down: was tight vnc connection to ltsp client refused (111 error)
Huck
dhuckaby at paasda.org
Tue May 30 20:46:08 UTC 2006
That clarifies a lot actually ;)
--Huck
Eric Harrison wrote:
> Huck wrote:
>> No way to code in a wrapper in the TeacherTool app to get a passwd even
>> if it is a static passwd that is set in a config file or something? To
>> use that option.
>>
>> --Huck
>
> The problem is not on the server side, it is on the terminal side.
> Adding a password, etc to applications running on the server-side
> doesn't fix the problem.
>
> Here is an example. Let's abuse a terminal, say one with the IP address
> 192.168.0.10
>
> Edit /opt/ltsp/i386/etc/lts.conf and append:
>
> [192.168.0.10]
> ALLOW_SHUTDOWN = Y
>
>
> and reboot the terminal.
>
> Now run this command logged in as any random user logged into any random
> terminal:
>
> echo shutdown | nc 192.168.0.10 9200
>
>
> So say you ban the use of netcat (nc). Well then, let's just use telnet:
>
> $ telnet 192.168.0.10 9200
> Trying 192.168.0.10...
> Connected to 192.168.0.10.
> Escape character is '^]'.
> shutdown
>
>
> Etc, etc. All you have to do is connect to TCP port 9200 on a terminal
> and type "shutdown" (or "reboot"). That's all there is to it. Note that
> there is no username or password required, there is no logging of who
> did the dastardly deed, no firewall protection for the terminals' port
> 9200, simply no protection what-so-ever.
>
> Hopefully that clearly illustrates why enabling ALLOW_SHUTDOWN is
> currently a REALLY BAD IDEA in most environments (especially in the
> environments targeted by K12LTSP).
>
>
> -Eric
>
>
>> Robert Arkiletian wrote:
>>> On 5/29/06, Eric Harrison <eharrison at mail.mesd.k12.or.us> wrote:
>>>>> What if you change the permission of ltspinfo to 754?
>>>> It would break a bunch of stuff yet will not fix this specific
>>>> problem...
>>>>
>>>>
>>>> No matter how you slice it or dice it, the "shutdown" feature is
>>>> currently at best secured by obscurity. Security by obscurity is no
>>>> security at all, especially when it is all in plain text.
>>>>
>>>> Just to make the point perfectly clear, there is currently no way to
>>>> secure or restrict this specific feature. I highly recommend that
>>>> this is NOT ADDED to fl_tt or in any way encourage people to use it.
>>>>
>>>> It is not an accident that this is disabled and undocumented.
>>> I understand Eric. I will NOT add this feature. It's dropped. Sorry if
>>> I got some people's hopes up. Thanks for letting me know about the
>>> issues concerning this before I spent time on it.
>>>
>
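A defender-side audit for the setting Eric describes, added here and not part of the thread: it parses an lts.conf (a constructed sample, not a real site's file) and lists every terminal section whose effective ALLOW_SHUTDOWN value is on, so an admin can find exposed port-9200 listeners before someone else does. The [Default]-then-host-section precedence it applies is an assumption about lts.conf semantics.

```python
import re
from typing import Dict, List

# Constructed sample lts.conf (not a real site's file). Assumed LTSP
# semantics: [Default] applies to every terminal unless a host section
# sets the key itself.
SAMPLE_LTS_CONF = """\
[Default]
    SERVER = 192.168.0.254
    ALLOW_SHUTDOWN = N       # safe default
[192.168.0.10]               # lab terminal someone "fixed"
    ALLOW_SHUTDOWN = Y
[192.168.0.11]
    XSERVER = auto
"""
TRUE_VALUES = {"y", "yes", "true", "1"}

def parse_lts_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse lts.conf into {section: {KEY: value}} with upper-cased keys."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key.upper()] = value.strip('"')
    return sections

def shutdown_enabled_sections(text: str) -> List[str]:
    """Sections whose effective ALLOW_SHUTDOWN is on ([Default] first if so)."""
    sections = parse_lts_conf(text)
    def on(v: str) -> bool:
        return v.strip().lower() in TRUE_VALUES
    default_on = on(sections.get("Default", {}).get("ALLOW_SHUTDOWN", "N"))
    flagged = ["Default"] if default_on else []
    for name, keys in sections.items():
        own = keys.get("ALLOW_SHUTDOWN")  # None means "inherit from Default"
        if name != "Default" and (default_on if own is None else on(own)):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in shutdown_enabled_sections(SAMPLE_LTS_CONF):
        print(f"[{name}] exposes an unauthenticated shutdown/reboot on TCP 9200")
```

A [Default] hit means every terminal is exposed, which is the case worth catching first.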