Hi,

> NFS can be forced over TCP and secured.

Or you could use http://www.math.ualberta.ca/imaging/snfs/ but basically you have a chicken and egg problem because your utilities used to tunnel nfs have to be present before mounting the root, but the root is nfs mounted.

> Are you saying you have a method to tunnel through SSH the xdm
> host selection and authentication dialogue? This UDP based

No, no. There is no xdm in my setup. There is an ssh login and then ssh starts the window manager.

> transaction would either have to be keyed (if tunneled)
> against a token, or otherwise externally keyed, to avoid a
> MitM interception and substitution at that cleartext phase,
> would it not?

With tftp, there is no possibility of avoiding a MitM attack, anyway.

> I'm not saying it cannot be -- but I do not see how, and am
> unaware of such a working implementation ... (I would sure
> like to see such a writeup)

You may have a look at lts_ssh (under Xtras/Patrice Dumas). There is no graphical login, but it could be doable. We had a discussion about that with David Jhonston.

> > It is not secure, but it is nfs read only. The only issue seems to me man in
> > the middle attack providing bad binaries over nfs.
>
> This is solvable, post authentication -- the issue is earlier.

If you use tftp, it seems to me (but I may be wrong) that there is no way of avoiding man in the middle.

> no -- X messages and keystroke interception are cleartext
> until it gets back to the X-server, unless a tunnel is set up
> to catch all the traffic from before authentication starts --

That's what I do.

> there is no 'event' to transition into a trustable crypto
> layer which initiates entirely 'across the wire'. The keys
> and patterns leading to the keying are exposed sufficiently
> for reversing, without external keying.

You're right.

Pat

Ltsp-discuss mailing list. To unsubscribe or change prefs, go to: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
