On Fri, Oct 12, 2012 at 09:44:50AM -0600, David Burgess wrote:
> On Fri, Oct 12, 2012 at 8:56 AM, Rüdiger Kupper <[email protected]> wrote:
> # Suppress meaningless host key messages in ssh client
> # Note that this does not reduce security when connecting to thin clients, but could compromise
> # security when connecting to other ssh servers, as it defeats host key checking
> echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config
> echo "UserKnownHostsFile=/dev/null" >> /etc/ssh/ssh_config

I have to contest that this actually doesn't reduce security- it allows someone to trivially man-in-the-middle your thin client. Depending on what you're running on the thin-client, that may be no big deal, but it is fundamentally insecure.

You can also restrict specific ssh_config or ~/.ssh/config options conditionally, depending on what machines you're connecting to:

  Host ltspclient* 192.168.67.*
    # We're not worried about man-in-the-middle attacks for these particular
    # machines
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

Other ways you could solve the problem...

You could run a cron job on the thin client that communicates with the server periodically using netcat and an inetd service or ssh (with keys with restricted output-only commands or whatever).

When using NFS, you can even run cron jobs that check for the presence or contents of particular files, and then modify those files in chroot to get your client to respond... (wouldn't work so easily for NBD)

live well,
  vagrant

_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
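
Added example, not part of the original message or of LTSP: a small auditor that reports where an ssh_config text disables host key checking and whether each directive applies globally or only to a scoped Host block like the one in the reply. The function name `audit_ssh_config` and both sample strings are constructed for illustration.

```python
import re

# Values that switch off host key verification for the two options in the thread.
WEAK = {
    "stricthostkeychecking": {"no", "off"},
    "userknownhostsfile": {"/dev/null"},
}

def audit_ssh_config(text):
    """Return (lineno, scope, keyword, value) for each weakening directive.

    scope is "global" before any Host line or under "Host *"; otherwise it is
    the Host patterns (or Match criteria) the directive is limited to.
    """
    findings, scope = [], "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"(\w+)\s*(?:=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            patterns = value.split()
            scope = "global" if "*" in patterns else " ".join(patterns)
        elif key == "match":
            scope = "global" if value.lower() == "all" else "match " + value
        elif value.lower() in WEAK.get(key, ()):
            findings.append((lineno, scope, m.group(1), value))
    return findings

# Constructed samples: the two lines the quoted script appends with no Host
# line in front of them, and the scoped block from the reply.
GLOBAL_SAMPLE = "StrictHostKeyChecking no\nUserKnownHostsFile=/dev/null\n"
SCOPED_SAMPLE = """Host ltspclient* 192.168.67.*
    # We're not worried about man-in-the-middle attacks for these machines
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
"""

if __name__ == "__main__":
    for name, sample in (("global", GLOBAL_SAMPLE), ("scoped", SCOPED_SAMPLE)):
        for lineno, scope, key, value in audit_ssh_config(sample):
            print(f"{name} sample line {lineno}: {key} {value} [applies to: {scope}]")
```

Lines appended to the end of a file that already ends in a `Host *` block are also reported as global, since that block matches every destination.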
