Re: [gentoo-user] {OT} Allow work from home?
On Sun, 6 Mar 2016 12:05:17 -0800, Daniel Frey wrote:

> >> Ah, I wasn't aware. I am using it with KDE and haven't seen any issues.
> >
> > It works with KDE4 but not KDE5, so if you're on stable you'll be OK, for now.
> >
> > http://wiki.x2go.org/doku.php/doc:de-compat
>
> Good to know, thanks for that link. If it really comes down to it I can move to xfce on that server for what I use it for. I'm going to wait out on KDE5 anyhow, I did make an early jump to KDE4 (knowing there were issues) and don't particularly want to go through that again.

I held off on KDE4 and still found it unusable for a few more releases. KDE5 is nowhere near such a dramatic change, there were a few issues at first but it's good now.

I installed LXDE for x2go but XFCE will do just as well.

--
Neil Bothwick

When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.
Re: [gentoo-user] {OT} Allow work from home?
On 03/06/2016 09:36 AM, Neil Bothwick wrote:
> On Sun, 6 Mar 2016 08:43:09 -0800, Daniel Frey wrote:
>
>>> I'm using it with the latest testing xorg-server and it works fine. There are some DEs it has problems with, which are well documented, but not the X server.
>
>> Ah, I wasn't aware. I am using it with KDE and haven't seen any issues.
>
> It works with KDE4 but not KDE5, so if you're on stable you'll be OK, for now.
>
> http://wiki.x2go.org/doku.php/doc:de-compat
>

Good to know, thanks for that link. If it really comes down to it I can move to xfce on that server for what I use it for. I'm going to wait out on KDE5 anyhow, I did make an early jump to KDE4 (knowing there were issues) and don't particularly want to go through that again.

Dan
Re: [gentoo-user] {OT} Allow work from home?
On Sun, 6 Mar 2016 08:43:09 -0800, Daniel Frey wrote:

> > I'm using it with the latest testing xorg-server and it works fine. There are some DEs it has problems with, which are well documented, but not the X server.
>
> Ah, I wasn't aware. I am using it with KDE and haven't seen any issues.

It works with KDE4 but not KDE5, so if you're on stable you'll be OK, for now.

http://wiki.x2go.org/doku.php/doc:de-compat

--
Neil Bothwick

Most software is about as user-friendly as a cornered rat!
Re: [gentoo-user] {OT} Allow work from home?
On 03/05/2016 01:22 AM, Neil Bothwick wrote:
> On Sat, 05 Mar 2016 00:55:17 +0100, lee wrote:
>
>>> I'm using the most recent stable and it works for me:
>>>
>>> $ equery list xorg-server
>>>  * Searching for xorg-server ...
>>> [IP-] [ ] x11-base/xorg-server-1.17.4:0/1.17.4
>>
>> Maybe the problem has been recently fixed entirely.
>
> I'm using it with the latest testing xorg-server and it works fine. There are some DEs it has problems with, which are well documented, but not the X server.
>

Ah, I wasn't aware. I am using it with KDE and haven't seen any issues.

Dan
Re: [gentoo-user] {OT} Allow work from home?
On Sat, 05 Mar 2016 00:55:17 +0100, lee wrote:

> >>> Still using x2go, still works wonderfully.
> >>
> >> IIRC, I wanted to try it, and it turned out to be incompatible with current X servers --- perhaps they fixed that in the meantime ...
> >>
> >
> > What version are you using?
>
> I'm not using it because I would have had to downgrade the X server to be able to install it. There was a bug report about something which led to marking the package as incompatible with current X servers.
>
> > I'm using the most recent stable and it works for me:
> >
> > $ equery list xorg-server
> >  * Searching for xorg-server ...
> > [IP-] [ ] x11-base/xorg-server-1.17.4:0/1.17.4
>
> Maybe the problem has been recently fixed entirely.

I'm using it with the latest testing xorg-server and it works fine. There are some DEs it has problems with, which are well documented, but not the X server.

--
Neil Bothwick

Q: How does a Zen Master order a hot dog?
A: "Make me one with everything."
Re: [gentoo-user] {OT} Allow work from home?
Daniel Frey writes:

> On 02/21/2016 04:36 PM, lee wrote:
>> Daniel Frey writes:
>>
>>> On 02/20/2016 02:27 AM, lee wrote:
>>>> Daniel Frey writes:
>>>>> I looked up x2go and rebuilt openssh on my home server as it suggested to try it out.
>>>
>>> I should mention I undid the hpn USE-flag change (x2go suggested building without it) and it works fine, the newer versions have patches that don't require hpn to be disabled.
>>>
>>> Still using x2go, still works wonderfully.
>>
>> IIRC, I wanted to try it, and it turned out to be incompatible with current X servers --- perhaps they fixed that in the meantime ...
>>
>
> What version are you using?

I'm not using it because I would have had to downgrade the X server to be able to install it. There was a bug report about something which led to marking the package as incompatible with current X servers.

> I'm using the most recent stable and it works for me:
>
> $ equery list xorg-server
>  * Searching for xorg-server ...
> [IP-] [ ] x11-base/xorg-server-1.17.4:0/1.17.4

Maybe the problem has been recently fixed entirely.
Re: [gentoo-user] {OT} Allow work from home?
On 02/21/2016 04:36 PM, lee wrote:
> Daniel Frey writes:
>
>> On 02/20/2016 02:27 AM, lee wrote:
>>> Daniel Frey writes:
>>>> I looked up x2go and rebuilt openssh on my home server as it suggested to try it out.
>>
>> I should mention I undid the hpn USE-flag change (x2go suggested building without it) and it works fine, the newer versions have patches that don't require hpn to be disabled.
>>
>> Still using x2go, still works wonderfully.
>
> IIRC, I wanted to try it, and it turned out to be incompatible with current X servers --- perhaps they fixed that in the meantime ...
>

What version are you using?

I'm using the most recent stable and it works for me:

$ equery list xorg-server
 * Searching for xorg-server ...
[IP-] [ ] x11-base/xorg-server-1.17.4:0/1.17.4

Dan
Re: [gentoo-user] {OT} Allow work from home?
Daniel Frey writes:

> On 02/20/2016 02:27 AM, lee wrote:
>> Daniel Frey writes:
>>> I looked up x2go and rebuilt openssh on my home server as it suggested to try it out.
>
> I should mention I undid the hpn USE-flag change (x2go suggested building without it) and it works fine, the newer versions have patches that don't require hpn to be disabled.
>
> Still using x2go, still works wonderfully.

IIRC, I wanted to try it, and it turned out to be incompatible with current X servers --- perhaps they fixed that in the meantime ...
Re: [gentoo-user] {OT} Allow work from home?
On 02/20/2016 02:27 AM, lee wrote:
> Daniel Frey writes:
>> I looked up x2go and rebuilt openssh on my home server as it suggested to try it out.

I should mention I undid the hpn USE-flag change (x2go suggested building without it) and it works fine, the newer versions have patches that don't require hpn to be disabled.

Still using x2go, still works wonderfully.

Dan
Re: [gentoo-user] {OT} Allow work from home?
On Sat, Feb 20, 2016 at 5:55 AM, lee wrote:
> Rich Freeman writes:
>
>> develop. (Before somebody points out LUKS, be aware that Bitlocker lets you do full-disk encryption that is secure without having to actually type a decryption key at any point. Remove the hard drive or boot from a CD, and the disks are unreadable - you can only read them if you boot off them on the original PC.)
>
> And how do you read the disks when this original machine is broken?
>

Well, in general you still want to have backups. I believe many of these sorts of solutions do let you escrow a key elsewhere.

> It doesn't seem very secure, either. When your laptop that uses Bitlocker gets into the wrong hands, whoever has it can read the disks.

Kinda-sorta. They can boot the machine, but now they're stuck at a login prompt. In order to extract data from the computer they need to defeat password-throttling, the kernel, and so on. They have to go through the front-door. The main protection is against offline password cracking/etc.

I'd think the biggest vulnerability of something like Bitlocker would be against direct memory attacks. I assume that the session keys are stored in RAM - I can't imagine that all drive reads/writes are streamed through the TPM. So, extracting the keys from RAM after bootup would be the biggest risk.

If the user data is encrypted using user-entered passwords you're still going to have all the security of a LUKS-like solution but with the advantage of rate limiting of attacks.

In ChromeOS they took a different approach. They use UEFI secure boot to protect the OS, and then encrypt user data using a key derived from the user's password and the TPM, using the TPM to rate-limit attacks. In this design only the user's private data is protected from reading, but to crack it they still have to boot the system normally and go through the front door. There is no way to offline-crack the user's weak hand-entered password. They either need to send that password through the TPM (I'm not sure if they can do that offline or not - probably they can, but it is still rate-limited by the TPM itself), or they need to directly brute-force the AES key which is of course impractical.

The problem with LUKS is that it doesn't do anything to rate-limit attacks since there is no hardware component to it. Of course it is designed to make attacks more expensive using multiple rounds/etc to make up for the weakness of memorized passwords.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes:

> develop. (Before somebody points out LUKS, be aware that Bitlocker lets you do full-disk encryption that is secure without having to actually type a decryption key at any point. Remove the hard drive or boot from a CD, and the disks are unreadable - you can only read them if you boot off them on the original PC.)

And how do you read the disks when this original machine is broken?

It doesn't seem very secure, either. When your laptop that uses Bitlocker gets into the wrong hands, whoever has it can read the disks.
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes:

> On Mon, Jan 18, 2016 at 7:57 PM, lee wrote:
>> Rich Freeman writes:
>>> On Sun, Jan 17, 2016 at 7:26 PM, lee wrote:
>>>> Rich Freeman writes:
>>>>> However, while an RDP-like solution protects you from some types of attacks, it still leaves you open to many client-side problems like keylogging. I don't know any major corporation that lets people RDP into their applications in general.
>>>>
>>>> What do they use instead?
>>>
>>> As I mentioned in my previous email - they just hand all their employees laptops. Control the hardware, control the software, control the security...
>>
>> I mean instead of rdp. It's a simple solution which works really well on a LAN with Windoze. What's the equivalent that works with Linux?
>
> Well, I've never been in a company that runs Linux on the desktop, or which even provides VDIs for Windows.

I'm doing that at work, and nothing speaks against doing it on the thin-clients other than that the users would need to get used to it and the poor graphics performance --- you can't really call that "performance" --- of thin clients. Other than that, we'd be much better off.

What we would need are cheap thin clients that can drive at least two 4k displays each, and there are none that could even drive one. I don't understand why they make thin-clients that aren't usable because their graphics "performance" is from the '90ies.

> The most common solution is to provide windows laptops to users with various software packages for management/security/etc.

Laptops have slightly better graphics and add a maintenance overhead thin-clients don't have, and they cost more. Other than that, they could replace the thin-clients, and nothing speaks against putting Gentoo onto them.

Desktop machines require too much electricity. That's another thing I don't understand: Why can't they finally manufacture hardware which is really power efficient /and/ provides decent performance?

> The closest thing to RDP for Linux that I'm aware of is various NX-based implementations, like x2go, which I've mentioned a few times. It can be somewhat finicky. And of course there is VNC, which is much less efficient. I don't think either really gets to the level of RDP in general.
>
> I do sometimes wonder how the #1 server OS in the world somehow lacks decent facilities for graphical remote login, and for sharing files across the network. (For the latter NFS is a real pain to set up in a remotely secure fashion - part of the problem is that it is hard to use some kind of a UUID to drive file permissions, and kerberos/etc is a pain to set up. There is certainly nothing approaching the ease of just setting a password on a share or connecting to a windows domain (even a samba-driven one)).

Indeed, it's really strange that there's such a big lack.
Re: [gentoo-user] {OT} Allow work from home?
Daniel Frey writes:

> On 01/17/2016 10:10 AM, Rich Freeman wrote:
>> On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld wrote:
>>>
>>> I would prefer a method that is independent of OS used. And provides server side limitations with regards to filesharing and clipboard access.
>>>
>>
>> x2go is just X11, so it should be OS-independent as long as you have a client/server for it. It just logs in as the appropriate user on the remote host, so access beyond that is whatever you'd get if you just logged in on a console.
>>
>> Now, I can't vouch for how many OSes anybody has bothered to implement it on.
>>
>
> Thanks for that tip on x2go - I'd struggled with freenx and eventually gave up and freenx isn't even in the tree anymore.
>
> I looked up x2go and rebuilt openssh on my home server as it suggested to try it out. Other than restarting sshd, I didn't have to do any configuration and it just *worked*. I've, like, never ever had that happen before. Even when I set up my tigervnc with xinetd it was days of experimenting before I got it to work. tigervnc also was hanging up X upgrades, so now I can successfully ditch tigervnc.
>
> x2go is so much faster it's unbelievable. I have a gigabit LAN here at home and VNC was lagging pretty badly (to the point where I decided against even trying to use it remotely.)
>
> Some things to note: there's no android client, but there is one for Windows/linux/MacOS. I haven't tried it on my Windows laptop yet, but one of these days I'll dig it out and try it.

Thank you for letting us know, I'll keep x2go in mind.

> Makes me wonder if it would be possible to spin up a VM on demand with x2go on and preconfigured if OP requires users not to be on the same host.

It probably is; I guess you'd need something to start the VM when a connection is attempted.
Re: [gentoo-user] {OT} Allow work from home?
On Sunday 24 Jan 2016 13:44:12 Rich Freeman wrote:
> On Sun, Jan 24, 2016 at 1:36 PM, Mick wrote:
> > On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote:
> >> On Sun, Jan 24, 2016 at 10:56 AM, Grant wrote:
> >> > So the user is safe if I send all internet requests from her remote laptop through the Zerotier connection (instead of only sending requests to my server through Zerotier)?
> >>
> >> It depends on what you mean by "safe." If you mean that there is no possibility of malware stealing or messing with your data this is the case if:
> >>
> >> As long as:
> >> 1. You ensure that no malware enters through zerotier.
> >> 2. No malware is present before you set up zerotier.
> >> 3. No network connections are ever used other than zerotier.
> >>
> >> If you mean safe to mean that nothing bad happens to the user's system that wouldn't have happened if they use their own internet connect, there is no real harm in using yours, assuming you don't leak your own malware onto their system.
> >
> > As Rich alludes to if through Zerotier the user can only connect to your webserver and no connections of the user are forwarded (through your Zerotier-LAN, or your webserver) to the Internet, the XSS kind of threats will be contained.
> >
> > However, as I understand it the Zerotier provides a split tunnel arrangement. The user will be able to use their browser to connect through Zerotier to your LAN, while through another window on the same browser they will be able to connect to the Internet using their own network.
>
> That, and after they disconnect from zerotier the malware that has been logging everything can go ahead and phone home to report in without going through whatever protections you'd have on your own network for outbound connections.

To cover most eventualities big corporates I know use:

a) Company issued laptops, which are completely locked down in terms of applications and settings and connect to the corporate LAN via VPN with client SSL certificate authentication.

b) For BYODs, Virtualised Citrix XenDesktop, totally controlled by the corporate sysadmins, with DPI and webfiltering at the corporate firewall for outgoing connections. Connections to Facebook, Twitter, prawn, etc. are blocked.

Both of the above are provided as work tools and the users understand that restrictions are part of their employment contract and at company time they are not meant to spend their mornings organising junior's birthday party on Facebook.

I don't know to what extent your users can be trusted and relied upon to follow good working practices. Full VPN tunnel to the corporate LAN, plus up to date antivirus products if they are using MSWindows and up to date Linux PCs should protect from most attack vectors. Alternatively, locked down Chrome books as Rich has already suggested and regular back ups should hopefully protect your corporate data from irretrievable damage.

--
Regards,
Mick
Re: [gentoo-user] {OT} Allow work from home?
On Sun, Jan 24, 2016 at 1:36 PM, Mick wrote:
> On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote:
>> On Sun, Jan 24, 2016 at 10:56 AM, Grant wrote:
>> > So the user is safe if I send all internet requests from her remote laptop through the Zerotier connection (instead of only sending requests to my server through Zerotier)?
>>
>> It depends on what you mean by "safe." If you mean that there is no possibility of malware stealing or messing with your data this is the case if:
>>
>> As long as:
>> 1. You ensure that no malware enters through zerotier.
>> 2. No malware is present before you set up zerotier.
>> 3. No network connections are ever used other than zerotier.
>>
>> If you mean safe to mean that nothing bad happens to the user's system that wouldn't have happened if they use their own internet connect, there is no real harm in using yours, assuming you don't leak your own malware onto their system.
>
> As Rich alludes to if through Zerotier the user can only connect to your webserver and no connections of the user are forwarded (through your Zerotier-LAN, or your webserver) to the Internet, the XSS kind of threats will be contained.
>
> However, as I understand it the Zerotier provides a split tunnel arrangement. The user will be able to use their browser to connect through Zerotier to your LAN, while through another window on the same browser they will be able to connect to the Internet using their own network.

That, and after they disconnect from zerotier the malware that has been logging everything can go ahead and phone home to report in without going through whatever protections you'd have on your own network for outbound connections.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote:
> On Sun, Jan 24, 2016 at 10:56 AM, Grant wrote:
> > So the user is safe if I send all internet requests from her remote laptop through the Zerotier connection (instead of only sending requests to my server through Zerotier)?
>
> It depends on what you mean by "safe." If you mean that there is no possibility of malware stealing or messing with your data this is the case if:
>
> As long as:
> 1. You ensure that no malware enters through zerotier.
> 2. No malware is present before you set up zerotier.
> 3. No network connections are ever used other than zerotier.
>
> If you mean safe to mean that nothing bad happens to the user's system that wouldn't have happened if they use their own internet connect, there is no real harm in using yours, assuming you don't leak your own malware onto their system.

As Rich alludes to if through Zerotier the user can only connect to your webserver and no connections of the user are forwarded (through your Zerotier-LAN, or your webserver) to the Internet, the XSS kind of threats will be contained.

However, as I understand it the Zerotier provides a split tunnel arrangement. The user will be able to use their browser to connect through Zerotier to your LAN, while through another window on the same browser they will be able to connect to the Internet using their own network.

--
Regards,
Mick
Re: [gentoo-user] {OT} Allow work from home?
On Sun, Jan 24, 2016 at 10:56 AM, Grant wrote:
>
> So the user is safe if I send all internet requests from her remote laptop through the Zerotier connection (instead of only sending requests to my server through Zerotier)?
>

It depends on what you mean by "safe." If you mean that there is no possibility of malware stealing or messing with your data this is the case if:

As long as:
1. You ensure that no malware enters through zerotier.
2. No malware is present before you set up zerotier.
3. No network connections are ever used other than zerotier.

If you mean safe to mean that nothing bad happens to the user's system that wouldn't have happened if they use their own internet connect, there is no real harm in using yours, assuming you don't leak your own malware onto their system.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
>> >> > However, this won't do away with XSS, or other similar attack vectors if the users are not careful with their browsing habits.
>> >>
>> >> Can you give me an example?
>> >
>> > If your coder has another website page open in his/her browser which contains for example XSS or CSRF code, then the webpage of your company's web app could be potentially compromised by your user inadvertently executing state changing commands on it. By providing a XSS payload the attacker could execute commands to change username/passwd, change email address, etc. This is one reason that Internet Banking providers always advise their users to log out and then exit their browser when they have finished their online banking.
>
>> The other obvious attack would be simply stealing your session cookies or SSL client certificate+key out of the browser's RAM, or off of disk.
>
> Yes, session hi/sidejacking is possible, as well as obtaining sensitive information that the browser has happened to cache. High value information like credit card details should have a no-cache, no-store, Expires:0, but I bet there are some websites out there which do not guard against this threat. I would have thought SSL certificates/keys would be protected in RAM, but if you have a Man-In-The-Browser attack I guess they wouldn't be.
>
> If you are using a VPN connection as a split-tunnel then although your connection to the LAN would be secure, browser credentials could still be stolen by browser sessions connecting to suspect websites outside the tunnel. It has to be a full VPN tunnel with forwarding Internet access blocked at the VPN gateway, for clients to mitigate this threat.

So the user is safe if I send all internet requests from her remote laptop through the Zerotier connection (instead of only sending requests to my server through Zerotier)?

- Grant
Re: [gentoo-user] {OT} Allow work from home?
On Sat, Jan 23, 2016 at 12:17 PM, Mick wrote:
> I would have thought SSL certificates/keys would be protected in RAM, but if you have a Man-In-The-Browser attack I guess they wouldn't be.
>

As far as I'm aware linux doesn't do anything to protect process RAM from other processes with the same UID, at least not without SELinux and such. But, I could be wrong on that. I'd expect that malware running under your uid or of course as root could read your browser's RAM.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Saturday 23 Jan 2016 09:55:35 Rich Freeman wrote:
> On Sat, Jan 23, 2016 at 8:25 AM, Mick wrote:
> > On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
> >> > If a user certificate is lost or feared compromised, you revoke it with your CA and upload the CRL to the server.
> >> >
> >> > However, this won't do away with XSS, or other similar attack vectors if the users are not careful with their browsing habits.
> >>
> >> Can you give me an example?
> >
> > If your coder has another website page open in his/her browser which contains for example XSS or CSRF code, then the webpage of your company's web app could be potentially compromised by your user inadvertently executing state changing commands on it. By providing a XSS payload the attacker could execute commands to change username/passwd, change email address, etc. This is one reason that Internet Banking providers always advise their users to log out and then exit their browser when they have finished their online banking.
>
> The other obvious attack would be simply stealing your session cookies or SSL client certificate+key out of the browser's RAM, or off of disk.

Yes, session hi/sidejacking is possible, as well as obtaining sensitive information that the browser has happened to cache. High value information like credit card details should have a no-cache, no-store, Expires:0, but I bet there are some websites out there which do not guard against this threat. I would have thought SSL certificates/keys would be protected in RAM, but if you have a Man-In-The-Browser attack I guess they wouldn't be.

If you are using a VPN connection as a split-tunnel then although your connection to the LAN would be secure, browser credentials could still be stolen by browser sessions connecting to suspect websites outside the tunnel. It has to be a full VPN tunnel with forwarding Internet access blocked at the VPN gateway, for clients to mitigate this threat.

--
Regards,
Mick
Re: [gentoo-user] {OT} Allow work from home?
On Thursday, January 21, 2016 11:17:05 PM lee wrote:
> "J. Roeleveld" writes:
> > On Tuesday, January 19, 2016 11:22:02 PM lee wrote:
> >> "J. Roeleveld" writes:
> >> > [...]
> >> > If disk-space is considered too expensive, you could even have every VM use the same base image. And have them store only the differences of the disk.
> >> > eg:
> >> > 1) Create a VM
> >> > 2) Snapshot the disk (with the VM shutdown)
> >> > 3) create a new VM based on the snapshot
> >> >
> >> > Repeat 2 and 3 for as many clones you want.
> >> >
> >> > Most installs don't change that much when dealing with standardized desktops.
> >>
> >> How does that work? IIUC, when you created a snapshot, any changes you make to the snapshotted (or how that is called) file system are being referenced by the snapshot which you can either destroy or abandon. When you destroy it, the changes you made are being applied to the file system you snapshotted (because someone decided to use a very misleading terminology), and when you abandon it, the changes are thrown away and you end up with the file system as it was before the snapshot was created.
> >>
> >> In any case, you do not get multiple versions (which only reference the changes made) of the file system you snapshotted but only one current version.
> >>
> >> Do you need to use a special file system or something which provides this kind of multiple copies when you make snapshots?
> >
> > I use LVM for this.
> >
> > Steps are simple:
> > 1) Create a LV (lv_1)
> > 2) Create and install a VM using this LV (lv_1)
> > 3) Stop the VM
> > 4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..)
> > 5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b -> slv_1b, ...)
> >
> > Start the VMs
> >
> > This way you can overcommit on the actual diskspace as only changes are taking up diskspace. If you force everyone on the same base-image, the differences should not be too large.
>
> I don't use lvm anymore. It requires you to have unused space in the same VG to make a snapshot (which, of course, I didn't have), and when you need to move a volume from one machine to another, you're screwed because you can't get the volume out of the volume group other than moving it to a different media after attaching this media to the VG and detaching it after the move. Moving the volume to the new machine is likewise a pita. I lost a whole VM when I did that, and I have no idea what might have happened to it. I did copy it, and yet it somehow disappeared.

Keeping unassigned space available for growth and snapshots is common practice for me. I always have unassigned space which can be assigned quickly.

And when wanting the option to move VMs, put the "disks" on SANs. If you want to do it on the cheap, you need to do a lot more manually.

> > If you also force users to store files on a shared filesystem, it shouldn't be too much of a difficulty to occasionally move everyone to a new base-image when the updates are causing the snapshots to grow too much.
>
> How do you force users to do that? I tried that with some windoze 7 VMs, and according to the rules, users are not allowed to save anything on their desktops, and nonetheless they can do that. The installed applications also create data in the disk space of the VM. Their MUAs do that, for example, and you may find users who have accumulated over 300GB for email storage. Make the disk read-only, and the VM probably won't even start.

Not difficult, as long as you do NOT make everyone local admin and limit permissions. Do not give them write-permissions everywhere and put a limited quota on their profiles.

And for email, do not allow the MUAs to store all the email locally, enforce a central mailserver.

I'm sorry, but you are expecting people on this list to provide you with all the answers which a simple google search should be able to answer. And which is also covered in basic sys-admin documentation and courses.

--
Joost
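The snapshot-clone procedure Joost lists (steps 1 to 5), as an added shell example that is not from the thread: it issues the lvcreate calls, adds the free-space check that lee's objection implies, and the snapshot-growth check Joost mentions for deciding when a new base image is due. The volume group vg0, the base LV lv_1, the 20G copy-on-write size and the 80% warning threshold are assumptions; with DRY_RUN=1 (the default) it only prints the LVM commands.

```shell
#!/bin/sh
# Added example (not from the list thread): clone VM disks as LVM snapshots of one base
# LV, following Joost's steps. VG name, base LV and snapshot size are assumed values.
# DRY_RUN=1 (default) only prints the LVM commands; set DRY_RUN=0 to run them as root.
set -eu

VG=${VG:-vg0}               # volume group holding the base LV
BASE=${BASE:-lv_1}          # steps 1/2: the LV the template VM was installed on
COW_SIZE=${COW_SIZE:-20G}   # copy-on-write space per clone; only changed blocks use it
DRY_RUN=${DRY_RUN:-1}
SNAP_WARN=${SNAP_WARN:-80}  # warn when a snapshot's COW area is this percent full

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# slv_1a for base lv_1 and suffix a, matching the naming in the post.
snap_name() {
    printf 's%s%s\n' "$BASE" "$1"
}

# Step 4: one snapshot-backed clone disk. The base must be quiescent (step 3, VM stopped)
# or every clone inherits a half-written filesystem. Leave the base untouched afterwards:
# each write to the origin is copied into every snapshot's COW area and eats their space.
make_clone() {
    run lvcreate --snapshot --size "$COW_SIZE" --name "$(snap_name "$1")" "/dev/$VG/$BASE"
}

# Step 4 repeated per suffix; step 5 is pointing each VM at /dev/$VG/slv_1<suffix>.
make_clones() {
    for s in "$@"; do
        make_clone "$s"
    done
}

# Turn vg_free as printed by `vgs --units g` (e.g. "120.00g" or "<120.00g") into whole GiB.
free_gib() {
    printf '%s\n' "$1" | sed 's/^<//; s/[gG]$//; s/\..*//'
}

# lee's objection: a snapshot needs unallocated space in the same VG. Succeeds when the VG
# has room for N clones of COW_SIZE (COW_SIZE must be given in G for this simple check).
has_room() {
    n=$1; free=$2
    per=$(printf '%s\n' "$COW_SIZE" | sed 's/[gG]$//')
    [ "$(free_gib "$free")" -ge $(( n * per )) ]
}

# Read "name percent" lines (the shape of `lvs --noheadings -o lv_name,snap_percent`) on
# stdin; return 1 when any snapshot is above SNAP_WARN, i.e. time for a new base image.
# A snapshot whose COW area fills up becomes invalid, and that VM's disk is lost.
check_snap_usage() {
    rc=0
    while read -r name pct; do
        [ -n "${pct:-}" ] || continue
        if [ "${pct%.*}" -ge "$SNAP_WARN" ]; then
            echo "snapshot $name is ${pct}% full" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run (`sh clone.sh demo`): check capacity, make three clones, report usage.
if [ "${1:-}" = "demo" ]; then
    if has_room 3 "$(vgs --noheadings -o vg_free --units g "$VG" | tr -d ' ')"; then
        make_clones a b c
    fi
    lvs --noheadings -o lv_name,snap_percent "$VG" | check_snap_usage
fi
```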
Re: [gentoo-user] {OT} Allow work from home?
On Sat, Jan 23, 2016 at 8:25 AM, Mick wrote:
> On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
>
>> > If a user certificate is lost or feared compromised, you revoke it with your CA and upload the CRL to the server.
>> >
>> > However, this won't do away with XSS, or other similar attack vectors if the users are not careful with their browsing habits.
>>
>> Can you give me an example?
>
> If your coder has another website page open in his/her browser which contains for example XSS or CSRF code, then the webpage of your company's web app could be potentially compromised by your user inadvertently executing state changing commands on it. By providing a XSS payload the attacker could execute commands to change username/passwd, change email address, etc. This is one reason that Internet Banking providers always advise their users to log out and then exit their browser when they have finished their online banking.
>

The other obvious attack would be simply stealing your session cookies or SSL client certificate+key out of the browser's RAM, or off of disk.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday 19 Jan 2016 15:59:25 Grant wrote: > >> > I'm sorry, I meant can I lock down access to my web stuff so that a > >> > particular user can only come from a particular device (or from any > >> > device containing a key). > > > > You can use apache client authentication with SSL certificates only. Of > > course you will need to create a self-signed CA, which you will use to > > create the web server public/private key pair and also sign each client's > > certificate and upload it along with your CA certificate to the user's > > browser. This explains the principle: > > > > http://wiki.cacert.org/HELP/9 > > > > > > Ditto with the VPN connection - should you still want to use VPN. > > Let me see if I'm following. I could create a certificate and point > the browser to it in config and configure my web server to require the > certificate for HTTP basic authentication? Well, yes, but it won't be HTTP. It will be HTTPS. The server will request a client certificate, verify that it has been signed by the CA you defined in SSLCACertificateFile and allow it to access the web directory. You can allow different certificates per directory on your server, if you so wish and define in SSLRequire directive which SSL_CLIENT_S_DN_OU values are acceptable; e.g. SSLRequire %{SSL_CLIENT_S_DN_O} eq "Grant's Software, Ltd." \ and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Testers", "Dev"} You will need to have the Client Certificate and private key imported in the user's browser, or in MSWindows also import them using certmgr.msc to make them available to any Windows-centric applications. > Can I require a > username/password along with the certificate? Can I require the > certificate only for certain users? Yes, but for specifics have a look under SSLOptions: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions Read FakeBasicAuth and StrictRequire. 
So, for example: SSLOptions +FakeBasicAuth +StrictRequire will allow client SSL certificate authentication as an alternative to Basic passwd authentication. > > If a user certificate is lost or feared compromised, you revoke it with > > your CA and upload the CRL to the server. > > > > However, this won't do away with XSS, or other similar attack vectors if > > the users are not careful with their browsing habits. > > Can you give me an example? If your coder has another website page open in his/her browser which contains for example XSS or CSRF code, then the webpage of your company's web app could be potentially compromised by your user inadvertently executing state changing commands on it. By providing an XSS payload the attacker could execute commands to change username/passwd, change email address, etc. This is one reason that Internet Banking providers always advise their users to log out and then exit their browser when they have finished their online banking. -- Regards, Mick signature.asc Description: This is a digitally signed message part.
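For readers who want to see the directives Mick mentions assembled into one vhost, here is an added example (not from the thread or from the httpd project; paths, the hostname and the organisation name are placeholders). It keeps the weak setting next to the one that actually enforces the certificate, and answers both of Grant's questions: certificate instead of a password on /app (FakeBasicAuth), certificate plus a real password on /app/admin.

```apache
# Added example, not from the thread. Paths, hostname and O= value are placeholders.
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/app/server.crt
    SSLCertificateKeyFile   /etc/ssl/app/server.key

    # The private CA that signed the client certificates. Only this CA is
    # trusted for client auth, so a certificate from any public CA is rejected.
    SSLCACertificateFile    /etc/ssl/app/ca.crt
    # CRL published by that CA; "chain" also checks any intermediate issuer.
    SSLCARevocationFile     /etc/ssl/app/ca.crl
    SSLCARevocationCheck    chain

    # WEAK: "optional" lets a client that presents no certificate at all
    # continue to the application. Only acceptable where that path has its
    # own authentication.
    #SSLVerifyClient optional

    # CORRECT: without a valid, unrevoked certificate from our CA the TLS
    # handshake fails, so unauthenticated requests never reach the app.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location /app>
        # StrictRequire: an SSLRequire failure is final and cannot be
        # satisfied by another auth method. FakeBasicAuth: the certificate's
        # subject DN is used as the Basic auth user name, no password asked.
        SSLOptions +StrictRequire +FakeBasicAuth
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Grant's Software, Ltd." \
               and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Testers", "Dev"}

        AuthType Basic
        AuthName "client certificate"
        AuthBasicProvider file
        # One line per permitted DN; the password field is the fixed string
        # "password" in crypt() form, as the mod_ssl docs specify, e.g.
        # /O=Grant's Software, Ltd./OU=Dev/CN=alice:xxj31ZMTZzkVA
        AuthUserFile /etc/apache2/fake-basic-auth.users
        Require valid-user
    </Location>

    <Location /app/admin>
        # Certificate AND password: FakeBasicAuth is switched off here, so the
        # TLS layer still verifies the certificate while mod_auth_basic checks
        # a real password from an htpasswd file.
        SSLOptions -FakeBasicAuth +StrictRequire
        AuthType Basic
        AuthName "admin"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/admin.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Two operational caveats: httpd reads the CRL at (re)start, so after revoking a certificate you must regenerate the CRL and do a graceful restart before the revocation takes effect; and an expired CRL (nextUpdate in the past) makes every client verification fail, so the CRL has to be reissued on a schedule even when nothing was revoked.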
Re: [gentoo-user] {OT} Allow work from home?
lee wrote: > Rich Freeman writes: > > > On Tue, Jan 19, 2016 at 5:22 PM, lee wrote: > >> "J. Roeleveld" writes: > >> > >> How does that work? IIUC, when you created a snapshot, any changes you > >> make to the snapshotted (or how that is called) file system are being > >> referenced by the snapshot which you can either destroy or abandon. > >> When you destroy it, the changes you made are being applied to the > >> file system you snapshotted (because someone decided to use a very > >> misleading terminology), and when you abandon it, the changes are thrown > >> away and you end up with the file system as it was before the snapshot > >> was created. > >> > >> In any case, you do not get multiple versions (which only reference the > >> changes made) of the file system you snapshotted but only one current > >> version. > >> > >> Do you need to use a special file system or something which provides > >> this kind of multiple copies when you make snapshots? > >> > > > > And that is exactly what zfs and btrfs provide. Snapshots are full > > citizens. If I create a snapshot of a directory in btrfs it is > > essentially indistinguishable from running cp -a on the directory, > > except the snapshot takes only seconds to create almost entirely > > regardless of size, and takes almost no space until changes are made. > > Later I can delete the snapshot, or delete the original, or keep both > > indefinitely making changes to either. > > Hm, I must be misunderstanding snapshots entirely. > > What happens when you remove a snapshot after you modified the > "original" /and/ the snapshot? You destroy at least one of them, so you > can never get rid of the snapshot in a non-destructive way? > > My understanding is that when you make a snapshot, you get a copy that > doesn't change which you can somehow use to make backups. 
When the > backup is finished, you can remove the snapshot, and the changes that > were made in the meantime are not lost --- unless you decide to throw > them away when removing the snapshot, in which case you get a rollback. > > To make things more complicated, I've seen zfs refusing to remove a > snapshot and saying that something is recursive (IIRC), and it didn't > make any sense anymore. So I left everything as it was because I didn't > want to lose data, and a while later, I removed this very same snapshot > without getting issues as before. Weird behaviour makes snapshots > rather scary, so I avoid them now. > > There seems to be some sort of relationship between a snapshot and the > "original" which limits what you can do with a snapshot, like the > snapshot is somehow attached to the "original". At least that makes > some sense to me because no real copy is created when you make a > snapshot. But how do you detach a snapshot from the "original" so that > you could safely modify both? In zfs you can clone the snapshot and it will be independent, but I am new at zfs, so check it out. -- Your life is like a penny. You're going to lose it. The question is: How do you spend it? John Covici cov...@ccs.covici.com
Re: [gentoo-user] {OT} Allow work from home?
On Thu, Jan 21, 2016 at 5:00 PM, lee wrote: > Hm, I must be misunderstanding snapshots entirely. > Well, in the case of zfs/btrfs you are. Different implementations have different snapshotting features. > What happens when you remove a snapshot after you modified the > "original" /and/ the snapshot? You destroy at least one of them, so you > can never get rid of the snapshot in a non-destructive way? If you remove a snapshot it goes away. If you remove the original it goes away. There isn't anything strange going on. With btrfs I can do this: btrfs su create a touch a/file btrfs su snap a b touch b/file2 echo "hello" >> a/file a now contains file with the text hello in it. b now contains file which is empty and file2 which is empty. If I delete a then it disappears. If I delete b then it disappears. They exist completely independently of each other. In btrfs the command "btrfs su snap a b" is somewhat equivalent to "cp -a a b" unless you look at what is going on closely. The main difference is that the first command takes almost zero time to execute, and consumes little additional space. This is true even if a is a directory containing a million text files or 10TB of video. Snapshots in btrfs just look like directories. They're subvolumes, and only subvolumes can be snapshotted. I imagine that zfs is slightly different, but with the same overall concept. > My understanding is that when you make a snapshot, you get a copy that > doesn't change which you can somehow use to make backups. You can certainly use snapshots to make backups. The snapshot is already a backup, though stored on the same media. > When the > backup is finished, you can remove the snapshot, and the changes that > were made in the meantime are not lost --- unless you decide to throw > them away when removing the snapshot, in which case you get a rollback. With btrfs at least there is no way to rollback a snapshot. 
You can of course just "mv a a.old ; mv b a ; btrfs su del a.old" and now your snapshot has replaced the original copy (aside from any files which happen to be open). > > To make things more complicated, I've seen zfs refusing to remove a > snapshot and saying that something is recursive (IIRC), and it didn't > make any sense anymore. So I left everything as it was because I didn't > want to lose data, and a while later, I removed this very same snapshot > without getting issues as before. Weird behaviour makes snapshots > rather scary, so I avoid them now. I couldn't tell you what that means. Perhaps you discovered a bug. Btrfs should always allow you to remove a subvolume (including one created as a snapshot). I believe they can be removed if they're in use, and the effect is similar to removing a file that is in use. > There seems to be some sort of relationship between a snapshot and the > "original" which limits what you can do with a snapshot, like the > snapshot is somehow attached to the "original". At least that makes > some sense to me because no real copy is created when you make a > snapshot. But how do you detach a snapshot from the "original" so that > you could safely modify both? > In btrfs there is no relationship between a snapshot and the original subvolume, other than them happening to share the same tree nodes initially. It isn't unlike what happens in git when you create a new branch. You end up with a new reference pointing to the same commit and everything below that is shared between the two branches initially. If you touch one file then most of trees/blobs between the branches are still shared, but the modified blob and all of its parent trees are now separated. Btrfs does mark snapshots as snapshots for some reason, but other than a yes/no flag snapshots are the same as any subvolume. 
They're not linked in any way to the original and there is no straightforward way to tell where a snapshot came from (well, other than either comparing it against all the other subvolumes, ideally looking for shared tree nodes). -- Rich
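The semantics Rich describes (a snapshot is a new root reference, writes copy only the path they touch, deleting either side frees only what nothing else still reaches, and shared nodes are the sole trace of where a snapshot came from) are easy to see in a small copy-on-write model. The following is an added illustration written for this page, not btrfs or zfs code; the in-memory node store, the reference counting and the sample file contents are all constructed for the example. `demo()` replays Rich's `btrfs su create a; touch a/file; btrfs su snap a b; touch b/file2; echo hello >> a/file` sequence, with an extra unchanged file standing in for the "10TB of video".

```python
import itertools


class CowStore:
    """Toy copy-on-write tree store (constructed model, not a real filesystem).

    nodes:   node id -> ('dir', {name: child id}) or ('file', bytes); immutable once created
    refs:    node id -> number of parents/roots pointing at it
    subvols: subvolume name -> root node id
    """

    def __init__(self):
        self.nodes = {}
        self.refs = {}
        self.subvols = {}
        self._ids = itertools.count(1)

    def _new(self, kind, payload):
        nid = next(self._ids)
        self.nodes[nid] = (kind, payload)
        self.refs[nid] = 0
        if kind == 'dir':                      # a new directory takes a reference on each child
            for child in payload.values():
                self.refs[child] += 1
        return nid

    def _unref(self, nid):
        self.refs[nid] -= 1
        if self.refs[nid] == 0:                # nobody reaches it any more: free it and its children
            kind, payload = self.nodes.pop(nid)
            del self.refs[nid]
            if kind == 'dir':
                for child in payload.values():
                    self._unref(child)

    def create(self, name):                    # btrfs su create NAME
        root = self._new('dir', {})
        self.refs[root] += 1
        self.subvols[name] = root

    def snapshot(self, src, dst):              # btrfs su snap SRC DST: one more root reference, no copying
        root = self.subvols[src]
        self.refs[root] += 1
        self.subvols[dst] = root

    def delete(self, name):                    # btrfs su del NAME: drop the root reference only
        self._unref(self.subvols.pop(name))

    def write(self, subvol, path, data):
        old_root = self.subvols[subvol]
        new_root = self._write(old_root, path.strip('/').split('/'), data)
        self.refs[new_root] += 1
        self.subvols[subvol] = new_root
        self._unref(old_root)                  # other subvolumes sharing old_root keep it alive

    def _write(self, nid, parts, data):
        """Path copying: rebuild this directory with one entry replaced; siblings stay shared."""
        _, children = self.nodes[nid]
        if len(parts) == 1:
            return self._new('dir', {**children, parts[0]: self._new('file', data)})
        head, rest = parts[0], parts[1:]
        child = children.get(head)
        if child is None:                      # implicit mkdir via a throwaway empty directory
            child = self._new('dir', {})
            new_child = self._write(child, rest, data)
            self.nodes.pop(child); self.refs.pop(child)
        else:
            new_child = self._write(child, rest, data)
        return self._new('dir', {**children, head: new_child})

    def read(self, subvol, path):
        nid = self.subvols[subvol]
        for part in path.strip('/').split('/'):
            nid = self.nodes[nid][1][part]
        return self.nodes[nid][1]

    def _reach(self, nid):
        seen, stack = {nid}, [nid]
        while stack:
            kind, payload = self.nodes[stack.pop()]
            if kind == 'dir':
                for c in payload.values():
                    if c not in seen:
                        seen.add(c); stack.append(c)
        return seen

    def shared_nodes(self, a, b):
        """Nodes reachable from both roots: the only evidence that b was snapshotted from a."""
        return self._reach(self.subvols[a]) & self._reach(self.subvols[b])


def demo():
    fs = CowStore()
    fs.create('a')
    fs.write('a', 'file', b'')                         # touch a/file
    fs.write('a', 'video', b'v' * 16)                  # constructed stand-in for the unchanged bulk data
    before = len(fs.nodes)
    fs.snapshot('a', 'b')                              # btrfs su snap a b
    assert len(fs.nodes) == before                     # the snapshot allocated nothing
    fs.write('b', 'file2', b'')                        # touch b/file2
    fs.write('a', 'file', b'hello\n')                  # echo hello >> a/file
    result = {'a/file': fs.read('a', 'file'), 'b/file': fs.read('b', 'file'),
              'b/file2': fs.read('b', 'file2'), 'shared': len(fs.shared_nodes('a', 'b'))}
    fs.delete('a')                                     # b is untouched by deleting the "original"
    result['b/file after delete'] = fs.read('b', 'file')
    result['nodes left'] = len(fs.nodes)
    return result
```

After the two writes only the `video` node is still shared; deleting `a` frees just the nodes `b` does not reach, and nothing in the store records that `b` started life as a snapshot of `a`, which is exactly why there is no rollback operation, only the `mv a a.old; mv b a; btrfs su del a.old` dance from the post.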
Re: [gentoo-user] {OT} Allow work from home?
On Thu, Jan 21, 2016 at 4:35 PM, lee wrote: > And I thought vnc sends a copy of what is displayed on the screen, so if > you were running a program that renders something on the screen and > uses/requires a graphics card for that, you should be able to see what > it renders. If you can't see that, vnc is of very limited use. How > does RDP deal with this? VNC sends a copy of what is in the framebuffer, which may or may not be displayed on a physical screen. You can have a framebuffer on a machine that has no display outputs at all. You can have 10,000 different framebuffers running on the PC you're working on right now assuming you have the RAM for it. I haven't set this up recently, but I believe that's basically what x2go does out of the box (except it uses NX instead of VNC). RDP is capable of functioning without a physical console attached. Consumer versions of windows may block doing much of this for licensing reasons, but certainly at work we've had 20+ users connected to a single citrix server at once. -- Rich
Re: [gentoo-user] {OT} Allow work from home?
"J. Roeleveld" writes: > On Wednesday, January 20, 2016 01:46:29 AM lee wrote: >> "J. Roeleveld" writes: >> > On Tuesday, January 19, 2016 01:46:45 AM lee wrote: >> >> "J. Roeleveld" writes: >> >> > On Monday, January 18, 2016 02:02:27 AM lee wrote: >> >> >> "J. Roeleveld" writes: > >> >> > >> >> > Yes >> >> > >> >> >> That would be a huge waste of resources, >> >> > >> >> > Diskspace and CPU can easily be overcommitted. >> >> >> >> Overcommitting disk space sounds like a very bad idea. Overcommitting >> >> memory is not possible with xen. >> > >> > Overcommitting diskspace isn't such a bad idea, considering most installs >> > never utilize all the available diskspace. >> >> When they do not use it anyway, there is no reason to give it to them in >> the first place. And when they do use it, how do the VMs handle the >> problem that they have plenty of disk space available, from their point of >> view, while the host which they don't know about doesn't allow them to >> use it? > > 1 word: Monitoring. > When you overcommit any resource, you need to put monitoring in place. > Then you also need to ensure you have the ability to increase that resource > when required. So you more or less frequently shrink your VMs back when the monitoring informs you that you need to do that? Isn't it more reasonable not to overcommit but to increase the resource when required? >> Besides, overcommitting disk space means to intentionally create a setup >> which involves that the host can run out of disk space easily. That is >> not something I would want to create for a host which is required to >> function reliably. > > The host should not crash when a VM does or when the storage assigned to VMs > fills up. > If it does, go back to the drawing board and fix your design. I didn't say that the host would crash. 
I wouldn't consider a VM which is bound to run out of disk space as reliable, especially when it is bound to run out of disk space because other VMs which are also bound to run out of disk space use the disk space which the VM would need that's running out. >> And how much do you need to worry about the security of the VMs when you >> build in a way for the users to bring the whole machine, or at least >> random VMs, down by using the disk space which has been assigned to >> them? The users are somewhat likely to do that even unintentionally, >> the more so the more you overcommit. > > See comment about monitoring. > If all your users tend to fill up all available diskspace, you obviously can > not overcommit on diskspace. Have you ever seen a disk that doesn't fill up, the larger the disk, the more it fills? >> > Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At >> > least, I seem to remember reading that somewhere) >> >> That would be a nice feature. > > For VDIs, I might consider using it. > But considering most OSs tend to fill up all available memory with caches, I > expect performance issues. It depends on how you use it. >> >> >> plus having to take care of a lot of VMs, >> >> > >> >> > Automated. >> >> >> >> Like how? >> > >> > How do you manage a large amount of physical machines? >> > Just change physical to VMs and do it the same. >> > With VMs you have more options for automation. >> >> Individually, in lack of a better way. Per user when it comes to >> setting up their MUAs and the like, in lack of any better way. It >> doesn't make a difference if it's a VM or not, provided that you have >> remote access to the machine. > > This is where management tools come into play. (Same methods apply to > physical > and virtual) > > When talking MS Windows, domains with their policies are very useful. Couple > that with WSUS for the patching and software distribution tools for the > additional software installs, and you have a very nice setup. 
I don't like what they call "domains". They tend to get in the way, and when you want to take a machine out of one, all the users need to be set up anew. Is WSUS of any use without domains? If it is, I should take a look at it. > For Linux, I would recommend tools like Ansible or Puppet to control the > software on the machines. Does it really have an advantage over logging in remotely? > For any OS, I would prevent my users from installing random software. And > what > is installed, would be mostly pre-configured out-of-the-box. And how do you preconfigure everything for each user? It would sure be nice if I could, say, install seamonkey and have every existing and new user set up the way they are supposed to be set up without having to do that for every user individually, on a number of VMs. >> When you have one VM for many users, you install the MUA only once, and when >> you need to do updates, you do them only once. When you have many VMs, >> like one for each user, you have to install and update many times, once >> on each VM. > > Management tools. like? >> > Depends on the requirements. It's cheaper then
Re: [gentoo-user] {OT} Allow work from home?
Alec Ten Harmsel writes: > On Tue, Jan 19, 2016 at 10:56:21PM +0100, lee wrote: >> Alec Ten Harmsel writes: >> > >> > Depends on how the load is. Right now I have a 500GB HDD at work. I use >> > VirtualBox and vagrant for testing various software. Every VM in >> > VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time. >> > Add in all the other stuff on my system, which includes a 200GB dataset, >> > and the disk is overcommitted. Of course, none of the VirtualBox disks >> > use anywhere near 50GB. >> >> True, that's for testing when you do know that the disk space will not >> be used and have no trouble when it is. When you have the VMs in >> production and users (employees) using them, you don't know when they >> will run out of disk space and trouble ensues. > > Almost. Here is an equal example: I am an admin on an HPC cluster. We > have a shared Lustre filesystem that people store work files in while > they are running jobs. It has around 1PB of capacity. As strange as this > may sound, this filesystem is overcommitted (we have 20,000 cores, > that's only 52GB per core, not even close to enough for more than half a > year of data accumulation). Unused data is deleted after 90 days, which > is why it can be overcommitted. Why do you need to overcommit in the first place when you don't need that much disk space anyway? And it only works because you "shrink" the disk space used by deleting data. > Extending this to a more realistic example without automatic data > deletion is trivial. Imagine you are a web hosting provider. You allow > each client unlimited disk space, so you're automatically overcommitted. > In the aggregate, even though one client may increase their usage > extremely quickly, total usage rises slowly, giving you more than enough > time to increase the storage capacity of whatever backing filesystem is > hosting their files. 
I'm a customer of such a provider that used to do that, and they stopped giving their customers unlimited disk space years ago. I guess they found out that they can't possibly keep up with the demand, at least not without charging more. >> > All Joost is saying is that most resources can be overcommitted, since >> > all the users will not be using all their resources at the same time. >> >> How do you overcommit disk space and then shrink the VMs automatically >> when disk usage gets lower again? >> > > Sorry, my previous example was bad, since the normal strategy is to > expand when necessary as far as I know. See above. Well, that's exactly the problem. Once a VM has grown, it won't shrink automatically, which soon breaks the overcommitment.
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes: > On Tue, Jan 19, 2016 at 5:22 PM, lee wrote: >> "J. Roeleveld" writes: >> >> How does that work? IIUC, when you created a snapshot, any changes you >> make to the snapshotted (or how that is called) file system are being >> referenced by the snapshot which you can either destroy or abandon. >> When you destroy it, the changes you made are being applied to the >> file system you snapshotted (because someone decided to use a very >> misleading terminology), and when you abandon it, the changes are thrown >> away and you end up with the file system as it was before the snapshot >> was created. >> >> In any case, you do not get multiple versions (which only reference the >> changes made) of the file system you snapshotted but only one current >> version. >> >> Do you need to use a special file system or something which provides >> this kind of multiple copies when you make snapshots? >> > > And that is exactly what zfs and btrfs provide. Snapshots are full > citizens. If I create a snapshot of a directory in btrfs it is > essentially indistinguishable from running cp -a on the directory, > except the snapshot takes only seconds to create almost entirely > regardless of size, and takes almost no space until changes are made. > Later I can delete the snapshot, or delete the original, or keep both > indefinitely making changes to either. Hm, I must be misunderstanding snapshots entirely. What happens when you remove a snapshot after you modified the "original" /and/ the snapshot? You destroy at least one of them, so you can never get rid of the snapshot in a non-destructive way? My understanding is that when you make a snapshot, you get a copy that doesn't change which you can somehow use to make backups. When the backup is finished, you can remove the snapshot, and the changes that were made in the meantime are not lost --- unless you decide to throw them away when removing the snapshot, in which case you get a rollback. 
To make things more complicated, I've seen zfs refusing to remove a snapshot and saying that something is recursive (IIRC), and it didn't make any sense anymore. So I left everything as it was because I didn't want to lose data, and a while later, I removed this very same snapshot without getting issues as before. Weird behaviour makes snapshots rather scary, so I avoid them now. There seems to be some sort of relationship between a snapshot and the "original" which limits what you can do with a snapshot, like the snapshot is somehow attached to the "original". At least that makes some sense to me because no real copy is created when you make a snapshot. But how do you detach a snapshot from the "original" so that you could safely modify both?
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes: > On Tue, Jan 19, 2016 at 5:08 PM, lee wrote: >> >> BTW, is it as easy to give a graphics card to a container as it is to >> give it a network card? > > I've never tried it, but I'd think that the container could talk to a > graphics card. Maybe ... it's really easy with network cards. >> What if you have a container for each user who >> somehow logs in remotely to an X session? Do (can) you run X sessions >> that do not have a console and do not need a (dedicated) graphics card >> (just for users logging in remotely)? > > You don't need to even have a graphics card to serve X11 via vnc or > nx. You could probably serve them even if your only server console > was a serial console. Just run x11vnc or whatever it is called - it > is an X server whose only framebuffer is a VNC session. I think NX > uses the same server, but I'd have to check. Of course, you wouldn't > have 3D acceleration with this server, not that you'd be using it > over NX/VNC. That might be a problem when you want to use kde or gnome? And I thought vnc sends a copy of what is displayed on the screen, so if you were running a program that renders something on the screen and uses/requires a graphics card for that, you should be able to see what it renders. If you can't see that, vnc is of very limited use. How does RDP deal with this?
Re: [gentoo-user] {OT} Allow work from home?
"J. Roeleveld" writes: > On Tuesday, January 19, 2016 11:22:02 PM lee wrote: >> "J. Roeleveld" writes: >> > [...] >> > If disk-space is considered too expensive, you could even have every VM >> > use >> > the same base image. And have them store only the differences of the disk. >> > eg: >> > 1) Create a VM >> > 2) Snapshot the disk (with the VM shutdown) >> > 3) create a new VM based on the snapshot >> > >> > Repeat 2 and 3 for as many clones as you want. >> > >> > Most installs don't change that much when dealing with standardized >> > desktops. >> How does that work? IIUC, when you created a snapshot, any changes you >> make to the snapshotted (or how that is called) file system are being >> referenced by the snapshot which you can either destroy or abandon. >> When you destroy it, the changes you made are being applied to the >> file system you snapshotted (because someone decided to use a very >> misleading terminology), and when you abandon it, the changes are thrown >> away and you end up with the file system as it was before the snapshot >> was created. >> >> In any case, you do not get multiple versions (which only reference the >> changes made) of the file system you snapshotted but only one current >> version. >> >> Do you need to use a special file system or something which provides >> this kind of multiple copies when you make snapshots? > > I use LVM for this. > > Steps are simple: > 1) Create a LV (lv_1) > 2) Create and install a VM using this LV (lv_1) > 3) Stop the VM > 4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..) > 5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b, > slv_1b,.) > > Start the VMs > > This way you can overcommit on the actual diskspace as only changes are > taking > up diskspace. > If you force everyone on the same base-image, the differences should not be > too > large. I don't use lvm anymore. 
It requires you to have unused space in the same VG to make a snapshot (which, of course, I didn't have), and when you need to move a volume from one machine to another, you're screwed because you can't get the volume out of the volume group other than moving it to a different media after attaching this media to the VG and detaching it after the move. Moving the volume to the new machine is likewise a pita. I lost a whole VM when I did that, and I have no idea what might have happened to it. I did copy it, and yet it somehow disappeared. > If you also force users to store files on a shared filesystem, it shouldn't > be > too much of a difficulty to occasionally move everyone to a new base-image > when > the updates are causing the snapshots to grow too much. How do you force users to do that? I tried that with some windoze 7 VMs, and according to the rules, users are not allowed to save anything on their desktops, and nonetheless they can do that. The installed applications also create data in the disk space of the VM. Their MUAs do that, for example, and you may find users who have accumulated over 300GB for email storage. Make the disk read-only, and the VM probably won't even start.
Re: [gentoo-user] {OT} Allow work from home?
On 01/17/2016 10:10 AM, Rich Freeman wrote: > On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld wrote: >> >> I would prefer a method that is independent of OS used. And provides server >> side limitations with regards to filesharing and clipboard access. >> > > x2go is just X11, so it should be OS-independent as long as you have a > client/server for it. It just logs in as the appropriate user on the > remote host, so access beyond that is whatever you'd get if you just > logged in on a console. > > Now, I can't vouch for how many OSes anybody has bothered to implement it on. > Thanks for that tip on x2go - I'd struggled with freenx and eventually gave up and freenx isn't even in the tree anymore. I looked up x2go and rebuilt openssh on my home server as it suggested to try it out. Other than restarting sshd, I didn't have to do any configuration and it just *worked*. I've, like, never ever had that happen before. Even when I set up my tigervnc with xinetd it was days of experimenting before I got it to work. tigervnc also was hanging up X upgrades, so now I can successfully ditch tigervnc. x2go is so much faster it's unbelievable. I have a gigabit LAN here at home and VNC was lagging pretty badly (to the point where I decided against even trying to use it remotely.) Some things to note: there's no android client, but there is one for Windows/linux/MacOS. I haven't tried it on my Windows laptop yet, but one of these days I'll dig it out and try it. Makes me wonder if it would be possible to spin up a VM on demand with x2go on and preconfigured if OP requires users not to be on the same host. Dan
Re: [gentoo-user] {OT} Allow work from home?
On Wed, 20 Jan 2016 16:21:42 -0800, Grant wrote: > I would > need to be able to rsync to the laptop and I'd rather not be involved > in the remote employee's router config. Is there an easier solution > for that than OpenVPN? There is ZeroTier as a replacement for OpenVPN, and Syncthing for syncing. Both are P2P solutions and you can run your own discovery servers if you don't want any traffic going through a 3rd party (although they don't send data through the servers). I've no idea whether that would meet your security criteria but it certainly fulfils the "easier than OpenVPN" one. It will take only a few minutes to install and setup using the public servers, although, as I said, your network is never public, so you can check whether they do what you want. Then you can look at hosting your own server for security. https://www.zerotier.com/ https://syncthing.net/ -- Neil Bothwick Software: (n.) That which hardware manufacturers can blame for physical failures. pgpGms6Ipu1S5.pgp Description: OpenPGP digital signature
Re: [gentoo-user] {OT} Allow work from home?
On Wed, Jan 20, 2016 at 7:21 PM, Grant wrote: > Despite Rich's best efforts (thank you Rich! :-) ) I'm still > considering a Gentoo laptop for this along with a Chromebook. No worries. Gentoo laptops are great. There's a reason that Google decided to use them as the starting point for creating the Chromebook. :) -- Rich
Re: [gentoo-user] {OT} Allow work from home?
>>> > I'm sorry, I meant can I lock down access to my web stuff so that a >>> > particular user can only come from a particular device (or from any >>> > device containing a key). >>> >> You can use apache client authentication with SSL certificates only. Of >> course you will need to create a self-signed CA, which you will use to create >> the web server public/private key pair and also sign each client's >> certificate >> and upload it along with your CA certificate to the user's browser. This >> explains the principle: >> >> http://wiki.cacert.org/HELP/9 >> >> >> Ditto with the VPN connection - should you still want to use VPN. > > > Let me see if I'm following. I could create a certificate and point > the browser to it in config and configure my web server to require the > certificate for HTTP basic authentication? Can I require a > username/password along with the certificate? Can I require the > certificate only for certain users? > > >> If a user certificate is lost or feared compromised, you revoke it with your >> CA and upload the CRL to the server. >> >> However, this won't do away with XSS, or other similar attack vectors if the >> users are not careful with their browsing habits. > > > Can you give me an example? Despite Rich's best efforts (thank you Rich! :-) ) I'm still considering a Gentoo laptop for this along with a Chromebook. I would need to be able to rsync to the laptop and I'd rather not be involved in the remote employee's router config. Is there an easier solution for that than OpenVPN? If not, perhaps OpenVPN is the way to go since I could use it both to provide rsync access and for authentication. Still I'd love to avoid it if possible. Can I have OpenVPN prompt the desktop user on the client for login credentials? - Grant
Re: [gentoo-user] {OT} Allow work from home?
On Wednesday, January 20, 2016 01:46:29 AM lee wrote: > "J. Roeleveld" writes: > > On Tuesday, January 19, 2016 01:46:45 AM lee wrote: > >> "J. Roeleveld" writes: > >> > On Monday, January 18, 2016 02:02:27 AM lee wrote: > >> >> "J. Roeleveld" writes: > >> > > >> > Yes > >> > > >> >> That would be a huge waste of resources, > >> > > >> > Diskspace and CPU can easily be overcommitted. > >> > >> Overcommitting disk space sounds like a very bad idea. Overcommitting > >> memory is not possible with xen. > > > > Overcommitting diskspace isn't such a bad idea, considering most installs > > never utilize all the available diskspace. > > When they do not use it anyway, there is no reason to give it to them in > the first place. And when they do use it, how do the VMs handle the > problem that they have plenty of disk space available, from their point of > view, while the host which they don't know about doesn't allow them to > use it? 1 word: Monitoring. When you overcommit any resource, you need to put monitoring in place. Then you also need to ensure you have the ability to increase that resource when required. > Besides, overcommitting disk space means to intentionally create a setup > which involves that the host can run out of disk space easily. That is > not something I would want to create for a host which is required to > function reliably. The host should not crash when a VM does or when the storage assigned to VMs fills up. If it does, go back to the drawing board and fix your design. > And how much do you need to worry about the security of the VMs when you > build in a way for the users to bring the whole machine, or at least > random VMs, down by using the disk space which has been assigned to > them? The users are somewhat likely to do that even unintentionally, > the more so the more you overcommit. See comment about monitoring. If all your users tend to fill up all available diskspace, you obviously can not overcommit on diskspace. 
> > Overcommitting memory is, i think, on the roadmap for Xen. (Disclaimer: At > > least, I seem to remember reading that somewhere) > > That would be a nice feature. For VDIs, I might consider using it. But considering most OSs tend to fill up all available memory with caches, I expect performance issues. > >> >> plus having to take care of a lot of VMs, > >> > > >> > Automated. > >> > >> Like how? > > > > How do you manage a large amount of physical machines? > > Just change physical to VMs and do it the same. > > With VMs you have more options for automation. > > Individually, in lack of a better way. Per user when it comes to > setting up their MUAs and the like, in lack of any better way. It > doesn't make a difference if it's a VM or not, provided that you have > remote access to the machine. This is where management tools come into play. (Same methods apply to physical and virtual) When talking MS Windows, domains with their policies are very useful. Couple that with WSUS for the patching and software distribution tools for the additional software installs, and you have a very nice setup. For Linux, I would recommend tools like Ansible or Puppet to control the software on the machines. For any OS, I would prevent my users from installing random software. And what is installed, would be mostly pre-configured out-of-the-box. > When you one VM for many users, you install the MUA only once, and when > you need to do updates, you do them only once. When you have many VMs, > like one for each user, you have to install and update many times, once > on each VM. Management tools. > > Depends on the requirements. It's cheaper then a few hundred seperate > > windows licenses. > > It's still more expensive than one, or than a handful, isn't it? The same cost applies to running physical boxes instead of VMs. > > Last time I had to fully reinstall a windows machine it took me a day to > > do > > all the updates. 
Microsoft even has server software that will keep them > > locally and push them to the clients. > > That would be useful to have. Where could I download that? > > Last time I installed a VM, it took a week until the updates where > finally installed, and you have to check on it every now and then to > find out if it's even doing anything at all. The time before, it wasn't > a VM but a very slow machine, and that also took a week. You can have > the fastest machine on the world and Windoze always manages to bring it > down to a slowness we wouldn't have accepted even 20 years ago. Google for "WSUS". It's been around for a very long time now (since 2005). > >> The hardware has already been replaced, and the problem persists. Other > >> machines of identical hardware that don't run xen don't show any issues. > > > > I still say the hardware is buggy. With replacing, I meant replace it with > > different hardware, not a different version of the same buggy stuff. > > The hardware is known to be 100% reliable by own experi
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday, January 19, 2016 11:22:02 PM lee wrote:
> "J. Roeleveld" writes:
> > [...]
> > If disk-space is considered too expensive, you could even have every VM
> > use
> > the same base image. And have them store only the differences of the disk.
> > eg:
> > 1) Create a VM
> > 2) Snapshot the disk (with the VM shutdown)
> > 3) create a new VM based on the snapshot
> >
> > Repeat 2 and 3 for as many clones you want.
> >
> > Most installs don't change that much when dealing with standardized
> > desktops.
>
> How does that work? IIUC, when you created a snapshot, any changes you
> make to the snapshotted (or how that is called) file system are being
> referenced by the snapshot which you can either destroy or abandon.
> When you destroy it, the changes you made are being applied to the
> file system you snapshotted (because someone decided to use a very
> misleading terminology), and when you abandon it, the changes are thrown
> away and you end up with the file system as it was before the snapshot
> was created.
>
> In any case, you do not get multiple versions (which only reference the
> changes made) of the file system you snapshotted but only one current
> version.
>
> Do you need to use a special file system or something which provides
> this kind of multiple copies when you make snapshots?

I use LVM for this.
Steps are simple:
1) Create a LV (lv_1)
2) Create and install a VM using this LV (lv_1)
3) Stop the VM
4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..)
5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b -> slv_1b, ..)
6) Start the VMs

This way you can overcommit on the actual diskspace as only changes are taking up diskspace.
If you force everyone on the same base-image, the differences should not be too large.
If you also force users to store files on a shared filesystem, it shouldn't be too much of a difficulty to occasionally move everyone to a new base-image when the updates are causing the snapshots to grow too much.

--
Joost
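Added example (Python, not from the thread): the monitoring Joost says any overcommit needs, applied to the lv_1/slv_1a layout from the steps above. It parses lvs output, flags snapshot clones whose copy-on-write area is filling up (a classic LVM snapshot that reaches 100% is invalidated and the VM on top of it loses its disk, which is the outage lee warns about), and computes how far the base-plus-snapshots layout is overcommitted. Assumptions: lvs was run as `lvs --noheadings --units b --separator '|' -o lv_name,vg_name,lv_size,origin,data_percent`; the sizes and fill levels below are constructed.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of
#   lvs --noheadings --units b --separator '|' \
#       -o lv_name,vg_name,lv_size,origin,data_percent
# One 20 GiB base LV (lv_1) and three snapshot clones, as in Joost's steps.
# data_percent is empty for the base LV and the COW fill level for snapshots.
SAMPLE_LVS_OUTPUT = """\
  lv_1|vg0|21474836480B||
  slv_1a|vg0|4294967296B|lv_1|37.50
  slv_1b|vg0|4294967296B|lv_1|91.20
  slv_1c|vg0|2147483648B|lv_1|100.00
"""


@dataclass
class LogicalVolume:
    name: str
    vg: str
    size_bytes: int       # for a snapshot this is the COW area, not the virtual size
    origin: str           # empty for a base LV, the origin's name for a snapshot
    data_percent: float   # 0.0 for a base LV

    @property
    def is_snapshot(self) -> bool:
        return bool(self.origin)


@dataclass
class Finding:
    name: str
    status: str           # "OK", "WARN" or "INVALID"
    data_percent: float
    free_bytes: int       # approximate COW space left before the snapshot is dropped


def parse_lvs(output: str) -> List[LogicalVolume]:
    """Parse '|'-separated lvs lines into LogicalVolume records."""
    vols = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, vg, size, origin, pct = line.split("|")
        vols.append(LogicalVolume(
            name=name,
            vg=vg,
            size_bytes=int(size.rstrip("B")),
            origin=origin,
            data_percent=float(pct) if pct else 0.0,
        ))
    return vols


def check_snapshots(vols: List[LogicalVolume], warn_at: float = 80.0) -> List[Finding]:
    """Classify every snapshot by COW fill level.

    A thick LVM snapshot whose COW area hits 100% is invalidated by the
    kernel; any VM using it as its disk then fails. WARN leaves time to
    lvextend the snapshot or migrate the user to a new base image.
    """
    findings = []
    for v in vols:
        if not v.is_snapshot:
            continue
        if v.data_percent >= 100.0:
            status = "INVALID"
        elif v.data_percent >= warn_at:
            status = "WARN"
        else:
            status = "OK"
        pct_free = 100.0 - min(v.data_percent, 100.0)
        free = int(v.size_bytes * pct_free / 100.0)
        findings.append(Finding(v.name, status, v.data_percent, free))
    return findings


def overcommit_ratio(vols: List[LogicalVolume], base_name: str) -> float:
    """Disk the clones believe they have, divided by what is really allocated.

    Each clone presents a disk the size of the origin to its VM, while the
    host only allocated the origin once plus one COW area per clone.
    """
    base = next(v for v in vols if v.name == base_name and not v.is_snapshot)
    snaps = [v for v in vols if v.origin == base_name]
    promised = len(snaps) * base.size_bytes
    allocated = base.size_bytes + sum(v.size_bytes for v in snaps)
    return promised / allocated


if __name__ == "__main__":
    volumes = parse_lvs(SAMPLE_LVS_OUTPUT)
    for f in check_snapshots(volumes):
        print(f"{f.name:8} {f.status:8} {f.data_percent:6.2f}%  {f.free_bytes} bytes left")
    print(f"overcommit ratio for lv_1: {overcommit_ratio(volumes, 'lv_1'):.2f}x")
```

In production this would read `subprocess.run(["lvs", ...])` output instead of the constructed sample and feed the WARN/INVALID findings into whatever alerting is already in place.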
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 7:18 PM, Grant wrote:
>
> Is an SSL key stored on a smartcard better than a TOTP password? They
> seem roughly equivalent to me. I don't think either would restrict
> access by device.
>

They'd be roughly equivalent, especially if the TOTP is backed by a smartcard.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 5:08 PM, lee wrote:
>
> BTW, is it as easy to give a graphics card to a container as it is to
> give it a network card?

I've never tried it, but I'd think that the container could talk to a graphics card.

> What if you have a container for each user who
> somehow logs in remotely to an X session? Do (can) you run X sessions
> that do not have a console and do not need a (dedicated) graphics card
> (just for users logging in remotely)?

You don't need to even have a graphics card to serve X11 via vnc or nx. You could probably serve them even if your only server console was a serial console. Just run x11vnc or whatever it is called - it is an X server whose only framebuffer is a VNC session. I think NX uses the same server, but I'd have to check.

Of course, you wouldn't have 3D acceleration with this server, not that you'd be using it over NX/VNC.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 5:22 PM, lee wrote:
> "J. Roeleveld" writes:
>
> How does that work? IIUC, when you created a snapshot, any changes you
> make to the snapshotted (or how that is called) file system are being
> referenced by the snapshot which you can either destroy or abandon.
> When you destroy it, the changes you made are being applied to the
> file system you snapshotted (because someone decided to use a very
> misleading terminology), and when you abandon it, the changes are thrown
> away and you end up with the file system as it was before the snapshot
> was created.
>
> In any case, you do not get multiple versions (which only reference the
> changes made) of the file system you snapshotted but only one current
> version.
>
> Do you need to use a special file system or something which provides
> this kind of multiple copies when you make snapshots?
>

And that is exactly what zfs and btrfs provide. Snapshots are full citizens. If I create a snapshot of a directory in btrfs it is essentially indistinguishable from running cp -a on the directory, except the snapshot takes only seconds to create almost entirely regardless of size, and takes almost no space until changes are made. Later I can delete the snapshot, or delete the original, or keep both indefinitely making changes to either.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 10:56:21PM +0100, lee wrote:
> Alec Ten Harmsel writes:
> >
> > Depends on how the load is. Right now I have a 500GB HDD at work. I use
> > VirtualBox and vagrant for testing various software. Every VM in
> > VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> > Add in all the other stuff on my system, which includes a 200GB dataset,
> > and the disk is overcommitted. Of course, none of the VirtualBox disks
> > use anywhere near 50GB.
>
> True, that's for testing when you do know that the disk space will not
> be used and have no trouble when it is. When you have the VMs in
> production and users (employees) using them, you don't know when they
> will run out of disk space and trouble ensues.

Almost. Here is an equal example: I am an admin on an HPC cluster. We have a shared Lustre filesystem that people store work files in while they are running jobs. It has around 1PB of capacity. As strange as this may sound, this filesystem is overcommitted (we have 20,000 cores, that's only 52GB per core, not even close to enough for more than half a year of data accumulation). Unused data is deleted after 90 days, which is why it can be overcommitted.

Extending this to a more realistic example without automatic data deletion is trivial. Imagine you are a web hosting provider. You allow each client unlimited disk space, so you're automatically overcommitted. In the aggregate, even though one client may increase their usage extremely quickly, total usage rises slowly, giving you more than enough time to increase the storage capacity of whatever backing filesystem is hosting their files.

> > All Joost is saying is that most resources can be overcommitted, since
> > all the users will not be using all their resources at the same time.
>
> How do you overcommit disk space and then shrink the VMs automatically
> when disk usage gets lower again?
>
> Sorry, my previous example was bad, since the normal strategy is to
> expand when necessary as far as I know.

See above.

Alec
Re: [gentoo-user] {OT} Allow work from home?
"J. Roeleveld" writes: > [...] > If disk-space is considered too expensive, you could even have every VM use > the same base image. And have them store only the differences of the disk. > eg: > 1) Create a VM > 2) Snapshot the disk (with the VM shutdown) > 3) create a new VM based on the snapshot > > Repeat 2 and 3 for as many clones you want. > > Most installs don't change that much when dealing with standardized desktops. How does that work? IIUC, when you created a snapshot, any changes you make to the snapshotted (or how that is called) file system are being referenced by the snapshot which you can either destroy or abandon. When you destroy it, the changes you made are being applied to the file system you snapshotted (because someone decided to use a very misleading terminology), and when you abandon it, the changes are thrown away and you end up with the file system as it was before the snapshot was created. In any case, you do not get multiple versions (which only reference the changes made) of the file system you snapshotted but only one current version. Do you need to use a special file system or something which provides this kind of multiple copies when you make snapshots?
Re: [gentoo-user] {OT} Allow work from home?
"J. Roeleveld" writes: > On Tuesday, January 19, 2016 01:46:45 AM lee wrote: >> "J. Roeleveld" writes: >> > On Monday, January 18, 2016 02:02:27 AM lee wrote: >> >> "J. Roeleveld" writes: >> >> > On 17 January 2016 18:35:20 CET, Mick >> >> > wrote: >> >> > >> >> > [...] >> >> > >> >> >>I use the icaclient provided by Citrix to access my virtual desktop at >> >> >>work, >> >> >>but have never tried to set up something similar at home. What >> >> >>opensource >> >> >>software would I need for this? Is there a wiki somewhere to follow? >> >> >> >> >> > I'd love to do this myself as well. >> >> > >> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you >> >> > need >> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into >> >> > the >> >> > VM display. (Spice or VNC) >> >> > >> >> > Then you need some way of authenticating users and providing access to >> >> > the >> >> > client software. [...] >> >> >> >> You would have a full VM for each user? >> > >> > Yes >> > >> >> That would be a huge waste of resources, >> > >> > Diskspace and CPU can easily be overcommitted. >> >> Overcommitting disk space sounds like a very bad idea. Overcommitting >> memory is not possible with xen. > > Overcommitting diskspace isn't such a bad idea, considering most installs > never utilize all the available diskspace. When they do not use it anyway, there is no reason to give it to them in the first place. And when they do use it, how do the VMs handle the problem that they have plenty disk space available, from their point of view, while the host which they don't know about doesn't allow them to use it? Besides, overcommitting disk space means to intentionally create a setup which involves that the host can run out of disk space easily. That is not something I would want to create for a host which is required to function reliably. 
And how much do you need to worry about the security of the VMs when you build in a way for the users to bring the whole machine, or at least random VMs, down by using the disk space which has been assigned to them? The users are somewhat likely to do that even unintentionally, the more the more you overcommit. > Overcommitting memory is, i think, on the roadmap for Xen. (Disclaimer: At > least, I seem to remember reading that somewhere) That would be a nice feature. >> >> plus having to take care of a lot of VMs, >> > >> > Automated. >> >> Like how? > > How do you manage a large amount of physical machines? > Just change physical to VMs and do it the same. > With VMs you have more options for automation. Individually, in lack of a better way. Per user when it comes to setting up their MUAs and the like, in lack of any better way. It doesn't make a difference if it's a VM or not, provided that you have remote access to the machine. When you one VM for many users, you install the MUA only once, and when you need to do updates, you do them only once. When you have many VMs, like one for each user, you have to install and update many times, once on each VM. >> >> plus having to buy a lot of Windoze licenses >> > >> > Volume licensing takes care of that. >> >> expensive > > Depends on the requirements. It's cheaper then a few hundred seperate windows > licenses. It's still more expensive than one, or than a handful, isn't it? >> >> and taking about a week to install the updates >> >> after installing a VM. >> > >> > Never heard of VM templates? >> >> It still takes a week to put the updates onto the template. > > Last time I had to fully reinstall a windows machine it took me a day to do > all the updates. Microsoft even has server software that will keep them > locally and push them to the clients. That would be useful to have. Where could I download that? 
Last time I installed a VM, it took a week until the updates where finally installed, and you have to check on it every now and then to find out if it's even doing anything at all. The time before, it wasn't a VM but a very slow machine, and that also took a week. You can have the fastest machine on the world and Windoze always manages to bring it down to a slowness we wouldn't have accepted even 20 years ago. >> >> Add to that that the xen host goes down at >> >> random time intervals (because the sending queue of the network card >> >> times out for reasons that cannot be determined) which can be as long as >> >> a day, a week or even up to three weeks, and you are likely to become a >> >> rather unhappy administrator. >> > >> > Sorry, but I consider that a bug in your hardware. If it's really that >> > unstable, replace it. >> > I've been running Xen enabled servers for nearly 15 years. Never had >> > issues >> > like that. If it were truly that unstable, it wouldn't be gaining >> > popularity. >> The hardware has already been replaced, and the problem persists. Other >> machines of identical hardware that don't run xen don't show any issues. > > I still say
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes:

> On Mon, Jan 18, 2016 at 9:45 PM, Alec Ten Harmsel
> wrote:
>>
>> All Joost is saying is that most resources can be overcommitted, since
>> all the users will not be using all their resources at the same time.
>>
>
> Don't want to sound like a broken record, but this is precisely why
> containers are so attractive. You can set hard limits wherever you
> want, but otherwise absolutely everything can be
> over-committed/shared/etc to the degree you desire. They're just
> processes and namespaces and cgroups and so on. You just have to be
> willing to live with whatever kernel is running on the host. Of
> course, it isn't a solution for Windows, and there aren't any mature
> VDI-oriented solutions I'm aware of. However, running as non-root in
> a container should be very secure so there is no reason it couldn't be
> done. I just spun up a new container yesterday to test out burp
> (alas, ago beat me to the stablereq) and the server container is using
> all of 54M total / 3M RSS (some of that because I like to run sshd and
> so on inside). I can afford to run a LOT of those.

Yes, I prefer containers over xen and kvm. They are easy to set up, have basically no overhead, no noticeable performance impact or loss, and handing over devices, like a network card, to a container is easy and painless. Unfortunately, as you say, you can't use them when you need Windoze VMs.

BTW, is it as easy to give a graphics card to a container as it is to give it a network card? What if you have a container for each user who somehow logs in remotely to an X session? Do (can) you run X sessions that do not have a console and do not need a (dedicated) graphics card (just for users logging in remotely)?

Having a container for each user would be much less painful than having a VM for each user. That brings back the question what to use when you want to log in remotely to an X session ...
Re: [gentoo-user] {OT} Allow work from home?
Alec Ten Harmsel writes:

> On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
>> "J. Roeleveld" writes:
>>
>> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> >> "J. Roeleveld" writes:
>> >> > On 17 January 2016 18:35:20 CET, Mick wrote:
>> >> >
>> >> > [...]
>> >> >
>> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
>> >> >>work,
>> >> >>but have never tried to set up something similar at home. What
>> >> >>opensource
>> >> >>software would I need for this? Is there a wiki somewhere to follow?
>> >> >>
>> >> > I'd love to do this myself as well.
>> >> >
>> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
>> >> > need
>> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
>> >> > the
>> >> > VM display. (Spice or VNC)
>> >> >
>> >> > Then you need some way of authenticating users and providing access to
>> >> > the
>> >> > client software. [...]
>> >>
>> >> You would have a full VM for each user?
>> >
>> > Yes
>> >
>> >> That would be a huge waste of resources,
>> >
>> > Diskspace and CPU can easily be overcommitted.
>>
>> Overcommitting disk space sounds like a very bad idea. Overcommitting
>> memory is not possible with xen.
>>
>
> Depends on how the load is. Right now I have a 500GB HDD at work. I use
> VirtualBox and vagrant for testing various software. Every VM in
> VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> Add in all the other stuff on my system, which includes a 200GB dataset,
> and the disk is overcommitted. Of course, none of the VirtualBox disks
> use anywhere near 50GB.

True, that's for testing when you do know that the disk space will not be used and have no trouble when it is. When you have the VMs in production and users (employees) using them, you don't know when they will run out of disk space and trouble ensues.

> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.

How do you overcommit disk space and then shrink the VMs automatically when disk usage gets lower again?
Re: [gentoo-user] {OT} Allow work from home?
>> You can use apache client authentication with SSL certificates only. Of
>> course you will need to create a self-signed CA, which you will use to create
>> the web server public/private key pair and also sign each client's
>> certificate
>> and upload it along with your CA certificate to the user's browser. This
>> explains the principle:
>>
> Now, a solution for a more traditional desktop is to use an SSL key stored
> on a smartcard, which I'm sure Diego has blogged about on
> planet.gentoo.org as he is into those. That has all the advantage of
> the TPM as far as key security goes. However, you're still vulnerable
> to xss and keyloggers and such.

Is an SSL key stored on a smartcard better than a TOTP password? They seem roughly equivalent to me. I don't think either would restrict access by device.

- Grant
Re: [gentoo-user] {OT} Allow work from home?
>> > I'm sorry, I meant can I lock down access to my web stuff so that a
>> > particular user can only come from a particular device (or from any
>> > device containing a key).
>>
> You can use apache client authentication with SSL certificates only. Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser. This
> explains the principle:
>
> http://wiki.cacert.org/HELP/9
>
>
> Ditto with the VPN connection - should you still want to use VPN.

Let me see if I'm following. I could create a certificate and point the browser to it in config and configure my web server to require the certificate for HTTP basic authentication? Can I require a username/password along with the certificate? Can I require the certificate only for certain users?

> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.
>
> However, this won't do away with XSS, or other similar attack vectors if the
> users are not careful with their browsing habits.

Can you give me an example?

> This won't resolve problems with lost laptops and the like either, so previous
> suggestions for disk encryption, or chromebooks apply, if this is a
> considerable risk with your users.

No sensitive data on the client systems. They're actually auto-wiped daily.

- Grant
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 6:26 PM, Mick wrote:
>
> You can use apache client authentication with SSL certificates only. Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser. This
> explains the principle:
>
> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.

The problem is, how would you know? In a traditional browser (including Mozilla and Chrome on anything but a Chromebook) the key associated with the certificate is stored in a file on disk. Sure, it might be encrypted with a hand-typed password, but those passwords are not hard to brute force, and susceptible to keyloggers anyway. Those keys also are unencrypted in RAM while in use. If something stole a copy of your key, you'd likely never know. But, I agree they can be revoked if you discover the issue.

Now, a solution for a more traditional desktop is to use an SSL key stored on a smartcard, which I'm sure Diego has blogged about on planet.gentoo.org as he is into those. That has all the advantage of the TPM as far as key security goes. However, you're still vulnerable to xss and keyloggers and such.

Sorry to nitpick. I'd love to see more linux-based options for an ultra-secure platform. It is impressive that Google managed to commercialize one - you can accomplish quite a lot with FOSS tools if you put the time into it.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday 19 Jan 2016 17:46:27 Rich Freeman wrote:
> On Tue, Jan 19, 2016 at 2:32 PM, Grant wrote:
> > I'm sorry, I meant can I lock down access to my web stuff so that a
> > particular user can only come from a particular device (or from any
> > device containing a key).
>
> It looks like this hasn't been widely implemented, but it looks like
> they do have the ability to generate TPM-backed client certificates
> which could then be used for authentication (and you can set a policy
> to auto-authenticate using the certificate). It looks like you need
> to use an extension to generate the key and csr, and load the
> certificate. Google wrote an extension that does this for active
> directory, but for any other certificate authority it looks like you
> basically have to write your own (and probably publish it as FOSS).
>
> So, the idea would be that you'd provision the device and then log
> into it. The device would auto-install the certificate installer and
> then you'd run that extension to load a certificate and mark it for
> use for all users on the device. Then any user on that device could
> authenticate using the certificate. The key would be stored in the
> TPM and would never leave the device, and wiping the device would
> destroy the key.
>
> You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
> client certificates don't use GPG itself. All of this is FOSS as far
> as I can tell. All browsers can load and use client certificates, but
> the advantage of a chromebook is that the key can be generated by the
> TPM and never leave it.

You can use apache client authentication with SSL certificates only. Of course you will need to create a self-signed CA, which you will use to create the web server public/private key pair and also sign each client's certificate and upload it along with your CA certificate to the user's browser. This explains the principle:

http://wiki.cacert.org/HELP/9

Ditto with the VPN connection - should you still want to use VPN.

If a user certificate is lost or feared compromised, you revoke it with your CA and upload the CRL to the server.

However, this won't do away with XSS, or other similar attack vectors if the users are not careful with their browsing habits.

This won't resolve problems with lost laptops and the like either, so previous suggestions for disk encryption, or chromebooks apply, if this is a considerable risk with your users.

--
Regards,
Mick
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 2:32 PM, Grant wrote:
>
> I'm sorry, I meant can I lock down access to my web stuff so that a
> particular user can only come from a particular device (or from any
> device containing a key).
>

It looks like this hasn't been widely implemented, but it looks like they do have the ability to generate TPM-backed client certificates which could then be used for authentication (and you can set a policy to auto-authenticate using the certificate). It looks like you need to use an extension to generate the key and csr, and load the certificate. Google wrote an extension that does this for active directory, but for any other certificate authority it looks like you basically have to write your own (and probably publish it as FOSS).

So, the idea would be that you'd provision the device and then log into it. The device would auto-install the certificate installer and then you'd run that extension to load a certificate and mark it for use for all users on the device. Then any user on that device could authenticate using the certificate. The key would be stored in the TPM and would never leave the device, and wiping the device would destroy the key.

You mentioned GPG keys, and this stuff is all RSA-backed, but SSL client certificates don't use GPG itself. All of this is FOSS as far as I can tell. All browsers can load and use client certificates, but the advantage of a chromebook is that the key can be generated by the TPM and never leave it.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
>> If that's the case then it sounds like 2FA doesn't really provide any
>> extra assurance. It's another layer but if the machine is hacked then
>> it sounds like it becomes a very thin layer.
>>
>> I'd most like to allow the remote employee to use their own computer,
>> but is there any way to have reasonable assurance that a remote
>> attacker can't log into my web stuff if the employee's computer is
>> compromised?
>>
>> With a Chromebook, how can I be assured that the employee is only able
>> to log into my web stuff with the Chromebook?
>>
>
> It looks like this is possible to do with a Google Apps account:
> https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
> https://support.google.com/chrome/a/answer/2657289
> https://support.google.com/chrome/a/answer/1375678
>
> You can control who can log in, and what sites they can visit (just
> blacklist * and then whitelist specific sites). Schools commonly use
> this so that they don't have to deal with kids visiting sites of ill
> repute. You can also control application/extension installation.

I'm sorry, I meant can I lock down access to my web stuff so that a particular user can only come from a particular device (or from any device containing a key).

> It looks like you can also use remote attestation if your application
> supports it which prevents access from a tampered device even if it
> has the right credentials/etc. (That's the whole "trusted/treacherous
> computing" thing.) You could in theory have security such that your
> application works with single-sign-on but doesn't work unless
> connected to using a trusted device (but I'd have to do more research
> on that).

It seems like that would be necessary in my case or the remote employee might prefer working from their own device instead of using the Chromebook. Can I somehow require something like a PGP key in order to authenticate successfully in a browser?

- Grant
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 9:02 AM, Grant wrote:
>
> If that's the case then it sounds like 2FA doesn't really provide any
> extra assurance. It's another layer but if the machine is hacked then
> it sounds like it becomes a very thin layer.
>
> I'd most like to allow the remote employee to use their own computer,
> but is there any way to have reasonable assurance that a remote
> attacker can't log into my web stuff if the employee's computer is
> compromised?
>
> With a Chromebook, how can I be assured that the employee is only able
> to log into my web stuff with the Chromebook?
>

It looks like this is possible to do with a Google Apps account:
https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
https://support.google.com/chrome/a/answer/2657289
https://support.google.com/chrome/a/answer/1375678

You can control who can log in, and what sites they can visit (just blacklist * and then whitelist specific sites). Schools commonly use this so that they don't have to deal with kids visiting sites of ill repute. You can also control application/extension installation.

It looks like you can also use remote attestation if your application supports it which prevents access from a tampered device even if it has the right credentials/etc. (That's the whole "trusted/treacherous computing" thing.) You could in theory have security such that your application works with single-sign-on but doesn't work unless connected to using a trusted device (but I'd have to do more research on that).

The one thing you will have to be careful about is printing. They can only print to PDF, or to cloud print. I'm not sure if that is an issue for your use case.

I've never used it personally, but it is apparently quite popular with schools. I'd suggest looking into it. The service isn't free - you need google apps to make it work. However, it sounds like it is relatively cheap.

I'd certainly be interested in hearing from anybody who knows more about it, but if I had a small business that was purely web-based I'd strongly consider a solution like this.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday 19 Jan 2016 08:42:07 J. Roeleveld wrote: > On Tuesday, January 19, 2016 01:57:38 AM lee wrote: > > Rich Freeman writes: > > > On Sun, Jan 17, 2016 at 7:26 PM, lee wrote: > > >> Rich Freeman writes: > > >>> However, while an RDP-like solution protects you from some types of > > >>> attacks, it still leaves you open to many client-side problems like > > >>> keylogging. I don't know any major corporation that lets people RDP > > >>> into their applications in general. > > >> > > >> What do they use instead? > > > > > > As I mentioned in my previous email - they just hand all their > > > employees laptops. Control the hardware, control the software, > > > control the security... > > > > I mean instead of rdp. It's a simple solution which works really well > > on a LAN with Windoze. What's the equivalent that works with Linux? > > > > I wouldn't try it over an internet connection, though, it requires too > > much bandwidth. > > RDP works over an internet connection, even when running it through a VPN > using a dodgy wifi link over a busy road and a slowish ADSL link. > > VNC also, but only when reducing the quality of the display a lot. > > Not tried other methods yet. > > -- > Joost As far as I understand it RDP is different to VNC, in the sense that instead of sending every pixel down the line it only sends compressed semantic information *about* a desktop component (e.g. the start button, a control signal, etc.) and the client interprets this locally as a button or a control command. It is also using caching to minimise retransmission. In some sense it is similar with x2go's NoMachine's NX technology (caching and compressing) but as far as I know NX is not as 'intelligent' as RDP. It just sends X protocol data with synchronous round trips and although cached and compressed it is not as efficient as the latest versions of RDP. 
In many companies MSWindows desktops have been virtualised (XenDesktop) running on MSWindows (VM) Servers and accessed using thin-clients, or with BYOD remotely, using icaclient as a browser plugin, or a desktop client application (Citrix Receiver). The OS is a standardised MSWindows image and an individual user's profile (with all their personal settings, approved apps, policy settings, etc.) is loaded whenever a desktop instance boots up and the customer logs in. I'm guessing that the Citrix Receiver is using RDP for MSWindows, but I don't really know. It feels quite efficient when I use it, even over slow bandwidth connections. In any case, the opensource equivalent to this is what I was suggesting Grant may find useful and it can work over VPN if required, although the session between client and server is encrypted over SSL anyway. -- Regards, Mick
Re: [gentoo-user] {OT} Allow work from home?
> In any case, if you aren't going to own the client hardware, you > basically are going to have to assume it is vulnerable since nobody > maintains their PCs well. That means keyboard sniffing, cookie > stealing, and so on. If you're web-based a hostile browser could just > open another session in the background after the user authenticates > (2-factor or otherwise) and do whatever it wants to. Granted, I don't > know if anything is out in the wild which actually does this, and it > would probably need to be somewhat targeted to work (unless somebody > has a rootkit that just lets them interactively fire up another > browser on a VNC display or something using the same browser session). If that's the case then it sounds like 2FA doesn't really provide any extra assurance. It's another layer but if the machine is hacked then it sounds like it becomes a very thin layer. I'd most like to allow the remote employee to use their own computer, but is there any way to have reasonable assurance that a remote attacker can't log into my web stuff if the employee's computer is compromised? With a Chromebook, how can I be assured that the employee is only able to log into my web stuff with the Chromebook? - Grant
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 12:22 AM, wrote: > > I'm an absolute windows noob. I only use it for graphics work. I even > didn't know that such a kind of file sharing is possible with it. :-) > No worries - I think that is a great place to be. However, it is useful to understand what ideas are out there, since some of them are actually good ones. The foundation of these kinds of features in windows is that their user IDs are essentially GUIDs (a combination of an authentication server and a unique ID I believe): https://en.wikipedia.org/wiki/Security_Identifier This is in contrast to a linux UID, which is just a small number. You might be UID 0 on your box, and I'm UID on mine. The UID of the administrator account of every windows box out there is unique. That avoids all kinds of issues, like the whole nfs root-is-nobody design. You can "chown" a windows file to a UID which isn't native to the machine - the machine would authenticate anybody trying to read it against the machine that assigned the UID. It isn't perfect, but it seems like a better foundation for this sort of thing. > > That's right. I think that the effort and the outlay to implement all > these features into Linux is relatively high. It seems that no vendor > is willing to assume such a financial risk. > > Maybe it is time for another crowd funding campaign? ;-) > Well, changing how user IDs work would be a big task (as far as I'm aware). However, the bit about Bitlocker isn't actually. You just need to use trusted grub, some vanilla kernel config options, and probably some logic in the initramfs and userspace. There is already a linux solution for TPM at every layer of the boot chain, which allows a userspace program in an initramfs to store an encryption key in the TPM and retrieve it only if the boot chain isn't tampered with. You just need to put together the pieces. I could probably hack something together in a few days. 
The trick is getting it to survive things like kernel updates and for it to be robust. You need to ensure that anything that legitimately changes your boot chain updates all the settings in the TPM so that on the next boot the keys are still delivered. Otherwise your drive becomes unreadable, and difficult to recover (well, unless you escrow the encryption keys somewhere, which you certainly can do). -- Rich
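Rich's sketch of a TPM-sealed boot chain, as an added simulation that is not code from the thread: a SHA-256 hash chain stands in for the PCR extend operation and an HMAC-keyed wrap for the TPM's seal/unseal, so it runs without real hardware. It shows the failure mode he warns about (a legitimate kernel update that is not re-sealed leaves the key unreachable), the re-seal step that fixes it, and the escrow copy; all boot-stage images, the disk key and the TPM seed are constructed.

```python
"""Simulated TPM-sealed disk key bound to a measured boot chain (added example, constructed data)."""
import hashlib
import hmac
import os
from typing import List, Optional

PCR_SIZE = 32  # a SHA-256 PCR bank


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(component)).

    The chain is order-dependent and cannot be rewound, so the final value
    commits to every stage measured before it (firmware, bootloader, kernel, ...).
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Measure the boot-stage images in boot order into one PCR value, starting from zeros."""
    pcr = bytes(PCR_SIZE)
    for image in components:
        pcr = pcr_extend(pcr, image)
    return pcr


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC; stands in for the TPM's internal wrapping cipher."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class SimulatedTPM:
    """Stand-in for seal/unseal: a device-bound seed that never leaves the object.

    seal() binds a secret to a PCR value; unseal() only yields it when the PCR value
    presented at boot equals the one the secret was sealed to.
    """

    def __init__(self, seed: Optional[bytes] = None):
        self._seed = seed if seed is not None else os.urandom(32)  # constructed chip secret

    def _wrap_key(self, pcr: bytes) -> bytes:
        return hmac.new(self._seed, b"seal-to-pcr" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> dict:
        key = self._wrap_key(pcr)
        nonce = os.urandom(16)
        ct = _keystream_xor(key, nonce, secret)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return {"nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, current_pcr: bytes) -> Optional[bytes]:
        key = self._wrap_key(current_pcr)
        expect = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, blob["tag"]):
            return None  # measurements differ from the sealing policy: key is not released
        return _keystream_xor(key, blob["nonce"], blob["ct"])


# Constructed stand-ins for the boot-stage images (real ones would be the binaries themselves).
FIRMWARE = b"firmware-v1"
BOOTLOADER = b"trusted-grub-v1"
KERNEL_V1 = b"vmlinuz-old"
KERNEL_V2 = b"vmlinuz-new"
INITRAMFS = b"initramfs-with-unseal-logic"
DISK_KEY = bytes(range(32))  # constructed volume key


def initramfs_boot(tpm: SimulatedTPM, blob: dict, chain: List[bytes]) -> Optional[bytes]:
    """What the initramfs does: present the measurements it booted under and ask for the key."""
    return tpm.unseal(blob, measure_boot_chain(chain))


def reseal_after_update(tpm: SimulatedTPM, disk_key: bytes, new_chain: List[bytes]) -> dict:
    """The step a robust setup must run with every boot-chain change: the running system
    still holds the key, so it re-seals it to the measurements the *next* boot will produce."""
    return tpm.seal(disk_key, measure_boot_chain(new_chain))


def run_scenario(tpm: Optional[SimulatedTPM] = None) -> dict:
    tpm = tpm or SimulatedTPM()
    good = [FIRMWARE, BOOTLOADER, KERNEL_V1, INITRAMFS]
    blob = tpm.seal(DISK_KEY, measure_boot_chain(good))
    escrow = DISK_KEY  # recovery copy kept off the machine, as Rich suggests
    results = {}
    results["normal_boot"] = initramfs_boot(tpm, blob, good) == DISK_KEY
    tampered = [FIRMWARE, b"modified-bootloader", KERNEL_V1, INITRAMFS]
    results["tampered_boot"] = initramfs_boot(tpm, blob, tampered)          # None
    updated = [FIRMWARE, BOOTLOADER, KERNEL_V2, INITRAMFS]
    results["update_without_reseal"] = initramfs_boot(tpm, blob, updated)   # None: drive unreadable
    new_blob = reseal_after_update(tpm, escrow, updated)
    results["update_with_reseal"] = initramfs_boot(tpm, new_blob, updated) == DISK_KEY
    results["other_machine"] = initramfs_boot(SimulatedTPM(), new_blob, updated)  # None
    return results


if __name__ == "__main__":
    print(run_scenario())
```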
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday, January 19, 2016 02:15:17 AM lee wrote: > writes: > > lee wrote: > >> Rich Freeman writes: > >> > On Sun, Jan 17, 2016 at 6:38 AM, lee wrote: > >> >> Suppose you use a VPN connection. How does the client > >> >> (employee) secure their own network and the machine they're using > >> >> to work remotely then? > >> > > >> > Poorly, most likely. Your data is probably not nearly as important > >> > to them as their data is, and most people don't take great care of > >> > their own data. > >> > >> That's not what I meant to ask. Assume you are an employee supposed > >> to work from home through a VPN connection: How do you protect your > >> LAN? > > > > Depends on the VPN connection. If you use an OpenVPN client on your PC > > then it is sufficient to use a well configured firewall (ufw, iptables > > or whatever) on this PC. > > The PC would be connected to the LAN, even if only to have an internet > connection for the VPN. I can only guess: Wouldn't that require putting > this PC behind a firewall that separates it from the LAN to protect the > LAN? > > > If you use a VPN gateway then you could > > configure this gateway (or a firewall behind) in a way that it blocks > > incoming connections from the VPN tunnel. > > Hm. I'd prefer to avoid having to run another machine as such a > firewall because electricity is way too expensive here. And I don't > know if the gateway could be configured in such a way. > > > IMHO there is no more risk to use a VPN connection than with any other > > Internet connection. > > But it's a double connection, one to the internet, and another one to > another network, so you'd have to somehow manage to set up some sort of > double protection. Setting up a VPN alone is more than difficult enough > already. Some of the companies I work with have the laptops set up that when they are not connected to the office-LAN, they will only talk via a VPN link to the company. 
No network connectivity (apart from what's necessary for the VPN) will work till the VPN is set up. Any ideas on how to do this using Linux without having to become root to set it up myself? I like network manager for the ease of setting up WIFI links. -- Joost
Re: [gentoo-user] {OT} Allow work from home?
On Monday, January 18, 2016 08:35:20 PM Rich Freeman wrote: > On Mon, Jan 18, 2016 at 7:57 PM, lee wrote: > > Rich Freeman writes: > >> On Sun, Jan 17, 2016 at 7:26 PM, lee wrote: > >>> Rich Freeman writes: > However, while an RDP-like solution protects you from some types of > attacks, it still leaves you open to many client-side problems like > keylogging. I don't know any major corporation that lets people RDP > into their applications in general. > >>> > >>> What do they use instead? > >> > >> As I mentioned in my previous email - they just hand all their > >> employees laptops. Control the hardware, control the software, > >> control the security... > > > > I mean instead of rdp. It's a simple solution which works really well > > on a LAN with Windoze. What's the equivalent that works with Linux? > > Well, I've never been in a company that runs Linux on the desktop, or > which even provides VDIs for Windows. The most common solution is to > provide windows laptops to users with various software packages for > management/security/etc. VDIs are gaining ground in bigger companies as part of the BYOD push. Especially using Citrix XenDesktop with the icaclient, this works really well. > The closest thing to RDP for Linux that I'm aware of is various > NX-based implementations, like x2go, which I've mentioned a few times. > It can be somewhat finicky. And of course there is VNC, which is much > less efficient. I don't think either really gets to the level of RDP > in general. > > I do sometimes wonder how the #1 server OS in the world somehow lacks > decent facilities for graphical remote login, and for sharing files > across the network. (For the latter NFS is a real pain to set up in a > remotely secure fashion - part of the problem is that it is hard to > use some kind of a UUID to drive file permissions, and kerberos/etc is > a pain to set up. 
There is certainly nothing approaching the ease of > just setting a password on a share or connecting to a windows domain > (even a samba-driven one)). I'd love to get something similar to RDP working on linux. But I'm not sufficiently skilled to implement it all myself. -- Joost
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday, January 19, 2016 01:57:38 AM lee wrote: > Rich Freeman writes: > > On Sun, Jan 17, 2016 at 7:26 PM, lee wrote: > >> Rich Freeman writes: > >>> However, while an RDP-like solution protects you from some types of > >>> attacks, it still leaves you open to many client-side problems like > >>> keylogging. I don't know any major corporation that lets people RDP > >>> into their applications in general. > >> > >> What do they use instead? > > > > As I mentioned in my previous email - they just hand all their > > employees laptops. Control the hardware, control the software, > > control the security... > > I mean instead of rdp. It's a simple solution which works really well > on a LAN with Windoze. What's the equivalent that works with Linux? > > I wouldn't try it over an internet connection, though, it requires too > much bandwidth. RDP works over an internet connection, even when running it through a VPN using a dodgy wifi link over a busy road and a slowish ADSL link. VNC also, but only when reducing the quality of the display a lot. Not tried other methods yet. -- Joost
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday, January 19, 2016 01:46:45 AM lee wrote: > "J. Roeleveld" writes: > > On Monday, January 18, 2016 02:02:27 AM lee wrote: > >> "J. Roeleveld" writes: > >> > On 17 January 2016 18:35:20 CET, Mick > >> > wrote: > >> > > >> > [...] > >> > > >> >>I use the icaclient provided by Citrix to access my virtual desktop at > >> >>work, > >> >>but have never tried to set up something similar at home. What > >> >>opensource > >> >>software would I need for this? Is there a wiki somewhere to follow? > >> >> > >> > I'd love to do this myself as well. > >> > > >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you > >> > need > >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into > >> > the > >> > VM display. (Spice or VNC) > >> > > >> > Then you need some way of authenticating users and providing access to > >> > the > >> > client software. [...] > >> > >> You would have a full VM for each user? > > > > Yes > > > >> That would be a huge waste of resources, > > > > Diskspace and CPU can easily be overcommitted. > > Overcommitting disk space sounds like a very bad idea. Overcommitting > memory is not possible with xen. Overcommitting diskspace isn't such a bad idea, considering most installs never utilize all the available diskspace. Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At least, I seem to remember reading that somewhere) > >> plus having to take care of a lot of VMs, > > > > Automated. > > Like how? How do you manage a large amount of physical machines? Just change physical to VMs and do it the same. With VMs you have more options for automation. > >> plus having to buy a lot of Windoze licenses > > > > Volume licensing takes care of that. > > expensive Depends on the requirements. It's cheaper than a few hundred separate windows licenses. > >> and taking about a week to install the updates > >> after installing a VM. > > > > Never heard of VM templates? 
> > It still takes a week to put the updates onto the template. Last time I had to fully reinstall a windows machine it took me a day to do all the updates. Microsoft even has server software that will keep them locally and push them to the clients. > >> Add to that that the xen host goes down at > >> random time intervals (because the sending queue of the network card > >> times out for reasons that cannot be determined) which can be as long as > >> a day, a week or even up to three weeks, and you are likely to become a > >> rather unhappy administrator. > > > > Sorry, but I consider that a bug in your hardware. If it's really that > > unstable, replace it. > > I've been running Xen enabled servers for nearly 15 years. Never had > > issues > > like that. If it were truly that unstable, it wouldn't be gaining > > popularity. > The hardware has already been replaced, and the problem persists. Other > machines of identical hardware that don't run xen don't show any issues. I still say the hardware is buggy. With replacing, I meant replace it with different hardware, not a different version of the same buggy stuff. > >> Try kvm instead, and you'll find that > >> it's impossible to migrate the VMs from xen to kvm when you want to > >> use virtio drivers because you can't install them on an existing Windoze > >> VM. > > > > Not a problem with the virtualisation technology. It is an issue with > > driver management inside MS Windows. > > There are ways to migrate VMs successfully, I just don't see the point in > > wasting time for that. > > It's time consuming when you have to reinstall the VMs to migrate them > to kvm. And when you don't have the installers of all the software > that's on some of the VMs and can't get them, you either have to run > them without virtio drivers or you can't migrate them. There are Howtos on the internet describing how to migrate VMs from 1 technology to another. Shouldn't be too hard. 
And keeping the installers at hand is, in my opinion, a requirement of sane system management. I have installers for all the versions of software I deal with. > > The biggest reason why I don't use KVM is the lack of full snapshot > > functionality. Snapshotting disks is nice, but you end up with an unclean > > shutdown situation and anything that's not yet committed to disk is gone. > > I'm not sure what you mean. When you take a snapshot while the VM is not > shut down, what difference does it make whether you use xen or kvm? A "snapshot" for KVM is ONLY the disks. With Xen, VMWare and Virtualbox, I can also make a snapshot/copy of what's in memory. It's that which makes the difference. > >> Then there's the question how well vnc or spice connections work over a > >> VPN that goes over the internet. > > > > VNC works quite well, as long as you use a minimal desktop. (like > > blackbox). Don't expect KDE or Gnome to be usable. > > I haven't tried Spice yet, but I've read that it performs better. > > It's not like you had a
Re: [gentoo-user] {OT} Allow work from home?
On Monday, January 18, 2016 09:45:28 PM Alec Ten Harmsel wrote: > On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote: > > "J. Roeleveld" writes: > > > On Monday, January 18, 2016 02:02:27 AM lee wrote: > > >> "J. Roeleveld" writes: > > >> > On 17 January 2016 18:35:20 CET, Mick > > >> > wrote: > > >> > > > >> > [...] > > >> > > > >> >>I use the icaclient provided by Citrix to access my virtual desktop > > >> >>at > > >> >>work, > > >> >>but have never tried to set up something similar at home. What > > >> >>opensource > > >> >>software would I need for this? Is there a wiki somewhere to follow? > > >> >> > > >> > I'd love to do this myself as well. > > >> > > > >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you > > >> > need > > >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into > > >> > the > > >> > VM display. (Spice or VNC) > > >> > > > >> > Then you need some way of authenticating users and providing access > > >> > to the > > >> > client software. [...] > > >> > > >> You would have a full VM for each user? > > > > > > Yes > > > > > >> That would be a huge waste of resources, > > > > > > Diskspace and CPU can easily be overcommitted. > > > > Overcommitting disk space sounds like a very bad idea. Overcommitting > > memory is not possible with xen. > > Depends on how the load is. Right now I have a 500GB HDD at work. I use > VirtualBox and vagrant for testing various software. Every VM in > VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time. > Add in all the other stuff on my system, which includes a 200GB dataset, > and the disk is overcommitted. Of course, none of the VirtualBox disks > use anywhere near 50GB. > > All Joost is saying is that most resources can be overcommitted, since > all the users will not be using all their resources at the same time. If disk-space is considered too expensive, you could even have every VM use the same base image. 
And have them store only the differences of the disk. e.g.: 1) Create a VM 2) Snapshot the disk (with the VM shutdown) 3) create a new VM based on the snapshot Repeat 2 and 3 for as many clones as you want. Most installs don't change that much when dealing with standardized desktops. -- Joost
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman wrote: > On Mon, Jan 18, 2016 at 10:33 PM, wrote: > > > > Sharing files can be done via SCP/SFTP. If a VPN connection is used, > > then even NFS or FTP are possibilities. > > I have 100 computers. I want a user on those 100 computers to be able > to share a file on their computer with just me. On windows they just > right-click and pick sharing, search for my name on the domain, and > grant me permissions. You're not going to get an experience anything > like that with scp or nfs or ftp. Heck, nfs is almost completely > insecure in the way most people use it. I'm an absolute windows noob. I only use it for graphics work. I even didn't know that such a kind of file sharing is possible with it. :-) > I don't just want to copy a file from point A to point B. I want to > have a robust set of permissions and security and so on behind that. > If a user changes their password, that password gets them access to > everything they used to have access to, and none of those random > clients ever see the password. > > Sure, you can do it on linux with lots of NFSv4 and kerberos and all > that. But it is painful to set up and almost nobody actually seems to > do it as a result. You can also do something like Bitlocker on linux, > but there isn't a single distro that supports it out of the box > because it uses a lot of features nobody has bothered to seriously > develop. (Before somebody points out LUKS, be aware that Bitlocker > lets you do full-disk encryption that is secure without having to > actually type a decryption key at any point. Remove the hard drive or > boot from a CD, and the disks are unreadable - you can only read them > if you boot off them on the original PC.) I never thought about such operating ranges. But maybe these are some of the reasons why windows held 43% of the server OS market share in Q4/2013, according to an article that I read some months ago. > It is just a bit frustrating to behold. But, I'm getting what I'm > paying for, so... 
:) That's right. I think that the effort and the outlay to implement all these features into Linux is relatively high. It seems that no vendor is willing to assume such a financial risk. Maybe it is time for another crowd funding campaign? ;-) -- Regards wabe
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 10:33 PM, wrote: > > Sharing files can be done via SCP/SFTP. If a VPN connection is used, > then even NFS or FTP are possibilities. I have 100 computers. I want a user on those 100 computers to be able to share a file on their computer with just me. On windows they just right-click and pick sharing, search for my name on the domain, and grant me permissions. You're not going to get an experience anything like that with scp or nfs or ftp. Heck, nfs is almost completely insecure in the way most people use it. I don't just want to copy a file from point A to point B. I want to have a robust set of permissions and security and so on behind that. If a user changes their password, that password gets them access to everything they used to have access to, and none of those random clients ever see the password. Sure, you can do it on linux with lots of NFSv4 and kerberos and all that. But it is painful to set up and almost nobody actually seems to do it as a result. You can also do something like Bitlocker on linux, but there isn't a single distro that supports it out of the box because it uses a lot of features nobody has bothered to seriously develop. (Before somebody points out LUKS, be aware that Bitlocker lets you do full-disk encryption that is secure without having to actually type a decryption key at any point. Remove the hard drive or boot from a CD, and the disks are unreadable - you can only read them if you boot off them on the original PC.) It is just a bit frustrating to behold. But, I'm getting what I'm paying for, so... :) -- Rich
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman wrote: > I do sometimes wonder how the #1 server OS in the world somehow lacks > decent facilities for graphical remote login, and for sharing files > across the network. (For the latter NFS is a real pain to set up in a > remotely secure fashion - part of the problem is that it is hard to > use some kind of a UUID to drive file permissions, and kerberos/etc is > a pain to set up. There is certainly nothing approaching the ease of > just setting a password on a share or connecting to a windows domain > (even a samba-driven one)). I think Linux is only #1 in the area of web services. For this you don't really need a graphical remote login. I think the main reason for the windows terminal server is that windows couldn't be configured via console login (SSH) in the same way as Linux could. But of course it would be very nice to have a RDP like feature for Linux with the same efficiency as RDP under Windows. This would really expand the facilities of Linux as a desktop based server. Sharing files can be done via SCP/SFTP. If a VPN connection is used, then even NFS or FTP are possibilities. For all of these connections you can also use graphical clients. Just my two cents. I'm sure that you are already aware of this. -- Regards wabe
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 9:45 PM, Alec Ten Harmsel wrote: > > All Joost is saying is that most resources can be overcommitted, since > all the users will not be using all their resources at the same time. > Don't want to sound like a broken record, but this is precisely why containers are so attractive. You can set hard limits wherever you want, but otherwise absolutely everything can be over-committed/shared/etc to the degree you desire. They're just processes and namespaces and cgroups and so on. You just have to be willing to live with whatever kernel is running on the host. Of course, it isn't a solution for Windows, and there aren't any mature VDI-oriented solutions I'm aware of. However, running as non-root in a container should be very secure so there is no reason it couldn't be done. I just spun up a new container yesterday to test out burp (alas, ago beat me to the stablereq) and the server container is using all of 54M total / 3M RSS (some of that because I like to run sshd and so on inside). I can afford to run a LOT of those. -- Rich
Re: [gentoo-user] {OT} Allow work from home?
lee wrote: > writes: > > > lee wrote: > > > >> Rich Freeman writes: > >> > >> > On Sun, Jan 17, 2016 at 6:38 AM, lee wrote: > >> >> Suppose you use a VPN connection. How does the client > >> >> (employee) secure their own network and the machine they're > >> >> using to work remotely then? > >> > > >> > Poorly, most likely. Your data is probably not nearly as > >> > important to them as their data is, and most people don't take > >> > great care of their own data. > >> > >> That's not what I meant to ask. Assume you are an employee > >> supposed to work from home through a VPN connection: How do you > >> protect your LAN? > > > > Depends on the VPN connection. If you use an OpenVPN client on your > > PC then it is sufficient to use a well configured firewall (ufw, > > iptables or whatever) on this PC. > > The PC would be connected to the LAN, even if only to have an internet > connection for the VPN. I can only guess: Wouldn't that require > putting this PC behind a firewall that separates it from the LAN to > protect the LAN? Of course a separate firewall is better than a firewall on the PC, because it may protect the LAN even when the PC is compromised. But if the PC is compromised and has access to the LAN through the separate firewall (what is mostly the case) then the protection is more or less porous (depending on the firewall rules). If you don't have a separate firewall but only a firewall on the (not compromised) PC, then the LAN should be safe as long as you don't have enabled IP forwarding on the PC and as long as the VPN is configured in a way that there is only a route to your PC and not to the rest of your LAN. Even if you have enabled IP forwarding on the PC and even if the VPN has a route to the whole LAN, the LAN should nevertheless be safe when the firewall on the PC is configured to block all incoming connections. Of course the blocking of all incoming connections implies, that the PC is acting as a client only. 
> > If you use a VPN gateway then you could > > configure this gateway (or a firewall behind) in a way that it > > blocks incoming connections from the VPN tunnel. > > Hm. I'd prefer to avoid having to run another machine as such a > firewall because electricity is way too expensive here. And I don't > know if the gateway could be configured in such a way. All VPN gateways that I know also have a built-in firewall. If your gateway hasn't, then you should ask yourself, what is more expensive - a separate firewall or a hacked LAN? But in this case I would prefer to use the PC as OpenVPN client. > > IMHO there is no more risk to use a VPN connection than with any > > other Internet connection. > > But it's a double connection, one to the internet, and another one to > another network, so you'd have to somehow manage to set up some sort > of double protection. See above. > Setting up a VPN alone is more than difficult enough already. This depends on the VPN that you (have to) use. If you set up the VPN on both sides then you probably can choose what kind of VPN you wanna use. OpenVPN isn't really difficult to set up. If you don't wanna use PSK but X509 authorization, then the most complicated thing is the creation of the certs. But with the help of Google (or DuckDuckGo), this is quickly done. There is lots of information about setting up an OpenVPN connection. -- Regards wabe
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote: > "J. Roeleveld" writes: > > > On Monday, January 18, 2016 02:02:27 AM lee wrote: > >> "J. Roeleveld" writes: > >> > On 17 January 2016 18:35:20 CET, Mick wrote: > >> > > >> > [...] > >> > > >> >>I use the icaclient provided by Citrix to access my virtual desktop at > >> >>work, > >> >>but have never tried to set up something similar at home. What > >> >>opensource > >> >>software would I need for this? Is there a wiki somewhere to follow? > >> >> > >> > I'd love to do this myself as well. > >> > > >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need > >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the > >> > VM display. (Spice or VNC) > >> > > >> > Then you need some way of authenticating users and providing access to > >> > the > >> > client software. [...] > >> > >> You would have a full VM for each user? > > > > Yes > > > >> That would be a huge waste of resources, > > > > Diskspace and CPU can easily be overcommitted. > > Overcommitting disk space sounds like a very bad idea. Overcommitting > memory is not possible with xen. > Depends on how the load is. Right now I have a 500GB HDD at work. I use VirtualBox and vagrant for testing various software. Every VM in VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time. Add in all the other stuff on my system, which includes a 200GB dataset, and the disk is overcommitted. Of course, none of the VirtualBox disks use anywhere near 50GB. All Joost is saying is that most resources can be overcommitted, since all the users will not be using all their resources at the same time. Alec
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 7:57 PM, lee wrote: > Rich Freeman writes: >> On Sun, Jan 17, 2016 at 7:26 PM, lee wrote: >>> Rich Freeman writes: >>> However, while an RDP-like solution protects you from some types of attacks, it still leaves you open to many client-side problems like keylogging. I don't know any major corporation that lets people RDP into their applications in general. >>> >>> What do they use instead? >>> >> >> As I mentioned in my previous email - they just hand all their >> employees laptops. Control the hardware, control the software, >> control the security... > > I mean instead of rdp. It's a simple solution which works really well > on a LAN with Windoze. What's the equivalent that works with Linux? Well, I've never been in a company that runs Linux on the desktop, or which even provides VDIs for Windows. The most common solution is to provide windows laptops to users with various software packages for management/security/etc. The closest thing to RDP for Linux that I'm aware of is various NX-based implementations, like x2go, which I've mentioned a few times. It can be somewhat finicky. And of course there is VNC, which is much less efficient. I don't think either really gets to the level of RDP in general. I do sometimes wonder how the #1 server OS in the world somehow lacks decent facilities for graphical remote login, and for sharing files across the network. (For the latter NFS is a real pain to set up in a remotely secure fashion - part of the problem is that it is hard to use some kind of a UUID to drive file permissions, and kerberos/etc is a pain to set up. There is certainly nothing approaching the ease of just setting a password on a share or connecting to a windows domain (even a samba-driven one)). -- Rich
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes:
> On Sun, Jan 17, 2016 at 7:26 PM, lee wrote:
>> Rich Freeman writes:
>>> However, while an RDP-like solution protects you from some types of attacks, it still leaves you open to many client-side problems like keylogging. I don't know any major corporation that lets people RDP into their applications in general.
>>
>> What do they use instead?
>
> As I mentioned in my previous email - they just hand all their employees laptops. Control the hardware, control the software, control the security...

I mean instead of rdp. It's a simple solution which works really well on a LAN with Windoze. What's the equivalent that works with Linux? I wouldn't try it over an internet connection, though, it requires too much bandwidth.
Re: [gentoo-user] {OT} Allow work from home?
writes:
> lee wrote:
>> Rich Freeman writes:
>>> On Sun, Jan 17, 2016 at 6:38 AM, lee wrote:
>>>> Suppose you use a VPN connection. How does the client (employee) secure their own network and the machine they're using to work remotely then?
>>>
>>> Poorly, most likely. Your data is probably not nearly as important to them as their data is, and most people don't take great care of their own data.
>>
>> That's not what I meant to ask. Assume you are an employee supposed to work from home through a VPN connection: How do you protect your LAN?
>
> Depends on the VPN connection. If you use an OpenVPN client on your PC then it is sufficient to use a well configured firewall (ufw, iptables or whatever) on this PC.

The PC would be connected to the LAN, even if only to have an internet connection for the VPN. I can only guess: Wouldn't that require putting this PC behind a firewall that separates it from the LAN to protect the LAN?

> If you use a VPN gateway then you could configure this gateway (or a firewall behind) in a way that it blocks incoming connections from the VPN tunnel.

Hm. I'd prefer to avoid having to run another machine as such a firewall because electricity is way too expensive here. And I don't know if the gateway could be configured in such a way.

> IMHO there is no more risk to use a VPN connection than with any other Internet connection.

But it's a double connection, one to the internet, and another one to another network, so you'd have to somehow manage to set up some sort of double protection. Setting up a VPN alone is more than difficult enough already.
Re: [gentoo-user] {OT} Allow work from home?
"J. Roeleveld" writes: > On Monday, January 18, 2016 02:02:27 AM lee wrote: >> "J. Roeleveld" writes: >> > On 17 January 2016 18:35:20 CET, Mick wrote: >> > >> > [...] >> > >> >>I use the icaclient provided by Citrix to access my virtual desktop at >> >>work, >> >>but have never tried to set up something similar at home. What >> >>opensource >> >>software would I need for this? Is there a wiki somewhere to follow? >> >> >> > I'd love to do this myself as well. >> > >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the >> > VM display. (Spice or VNC) >> > >> > Then you need some way of authenticating users and providing access to the >> > client software. [...] >> >> You would have a full VM for each user? > > Yes > >> That would be a huge waste of resources, > > Diskspace and CPU can easily be overcommitted. Overcommitting disk space sounds like a very bad idea. Overcommitting memory is not possible with xen. >> plus having to take care of a lot of VMs, > > Automated. Like how? >> plus having to buy a lot of Windoze licenses > > Volume licensing takes care of that. expensive >> and taking about a week to install the updates >> after installing a VM. > > Never heard of VM templates? It still takes a week to put the updates onto the template. >> Add to that that the xen host goes down at >> random time intervals (because the sending queue of the network card >> times out for reasons that cannot be determined) which can be as long as >> a day, a week or even up to three weeks, and you are likely to become a >> rather unhappy administrator. > > Sorry, but I consider that a bug in your hardware. If it's really that > unstable, replace it. > I've been running Xen enabled servers for nearly 15 years. Never had issues > like that. If it were truly that unstable, it wouldn't be gaining popularity. The hardware has already been replaced, and the problem persists. 
Other machines of identical hardware that don't run xen don't show any issues. >> Try kvm instead, and you'll find that >> it's impossible to migrate the VMs from xen to to kvm when you want to >> use virtio drivers because you can't install them on an existing Windoze >> VM. > > Not a problem with the virtualisation technology. It is an issue with driver > management inside MS Windows. > There are ways to migrate VMs succesfully, I just don't see the point in > wasting time for that. It's time consuming when you have to reinstall the VMs to migrate them to kvm. And when you don't have the installers of all the software that's on some of the VMs and can't get them, you either have to run them without virtio drivers or you can't migrate them. > The biggest reason why I don't use KVM is the lack of full snapshot > functionality. Snapshotting disks is nice, but you end up with an unclean- > shutdown situation and anything that's not yet committed to disk is gone. I'm not sure what you mean. When you take a snapshot while the VM is not shut down, what difference does it make whether you use xen or kvm? >> Then there's the question how well vnc or spice connections work over a >> VPN that goes over the internet. > > VNC works quite well, as long as you use a minimal desktop. (like blackbox). > Don't expect KDE or Gnome to be usable. > I haven't tried Spice yet, but I've read that it performs better. It's not like you had a choice when you have Windoze VMs. >> It's not like the employees could get >> reliable internet connections with sufficient bandwidth, not to mention >> that the company would have to get one in the first place, which isn't >> much easier to get, if any. > > That depends on where you are. In this country, you have to be really lucky to find a place where you can get a decent internet connection. > The company could host the servers in a decent datacentre, which should take > care of the bandwidth issues. And give all their data out of hands? 
And how much does that cost? > For the employees, if they want to work from home, it's up to them to ensure > they have a reliable connection. It is as much problem of the company when they want the employees to work at home. And the employees don't have a choice, they can only get a connection they can get. >> It might work in theory. How would it be feasible in practise? > > Plenty of companies do it this way. If you don't want to pay for software > like > XenDesktop, you need to do all the work setting it up yourself. VNC is somewhat slow over a 1Gbit LAN. Did they find some way to overcome this problem? This sounds like it is for people with unlimited resources. BTW, access a VM through VNC, and you don't even have any way to make the mouse pointer in the VNC window actually follow the mouse pointer you're using, which makes it rather annoying to do anything in the VM you're looking at. If you found a solution for that, I'd be curious as to how y
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 12:06 PM, Grant wrote:
> I am 100% web-based. I don't want to administrate machines outside of my LAN so I can imagine a Chromebook would end up vulnerable eventually.

The whole point of chromebooks is that they auto-update in a timely fashion, and have a guaranteed end-of-life policy years into the future. Sure, not quite as far as Microsoft guarantees, but nobody runs a Windows laptop for even the length of a typical Chromebook EOL.

The chromebook also has secure boot and a signed OS, so if it is corrupted it will go into recovery mode. You just stick a USB drive with a rescue image on it (which you can create from any PC with a chrome browser or an installer) and it fixes itself.

I don't think you can even turn off auto-updates - they're designed to be idiot-proof. I'm not sure if as an enterprise administrator you can set up a policy to force a reboot to update within n days or such if it hasn't been shut down already after an update.

In any case, if you aren't going to own the client hardware, you basically are going to have to assume it is vulnerable since nobody maintains their PCs well. That means keyboard sniffing, cookie stealing, and so on. If you're web-based a hostile browser could just open another session in the background after the user authenticates (2-factor or otherwise) and do whatever it wants to. Granted, I don't know if anything is out in the wild which actually does this, and it would probably need to be somewhat targeted to work (unless somebody has a rootkit that just lets them interactively fire up another browser on a VNC display or something using the same browser session).

Sure, a Chromebook will cost you $150, but that seems like a token expense for an employee and it buys you a LOT of security. You can do the same thing on another OS, but you're going to end up adding on a lot of stuff on top of the OS to make it work, and I'm certain the administrative overhead would be much higher. A chromebook is basically what you get if you take a linux desktop and lock everything down with TPM support and secure boot - they're even based on Gentoo. Sure, you can DIY, but you're not going to do better without the hardware support.

> Someone mentioned 2-factor authentication which sounds interesting. Are there good options for that besides SMS and Google Authenticator (or a similar mobile app)? Is there a good 2FA server in Portage? Is 2FA ever defeated in real life without the user's phone?

Do you mean you don't want something that involves typing in a TOTP or similar? Google Authenticator just uses RFC 6238 so you can use any other compliant client to generate the codes - I'm sure those exist for Linux, but if you're going to do that you might as well just use an RSA-based authentication since if you can steal the client key you can steal the RFC6238 key. The whole point of 2-factor is that the second factor tends to be something that isn't on the same PC as the client.

There is a PAM-based authenticator in portage for Google Authenticator, which again should work with anything RFC 6238 compliant. I use it for ssh password logins and it works great (well, aside from having to reach for my phone anytime I log in via an untrusted computer).

A much older option is s/key. I'm sure that is still around as well, but I don't think it really has any advantages over RFC6238.

--
Rich
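As an added illustration of what "RFC 6238 compliant" means in the exchange above (example code, not from the thread or from the Google Authenticator project): the HOTP/TOTP computation checked against the RFCs' own published test vectors, plus the server-side verify step a PAM module has to get right, with a small clock-skew window, refusal of already-used steps so a sniffed code cannot be replayed, and a constant-time compare. The base32 secret encoding, 30-second step, 6 digits and one-step window are assumptions matching common authenticator defaults.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the 20-byte ASCII seed "12345678901234567890" from
# RFC 4226 / RFC 6238 Appendix B, written the way an otpauth:// URI carries it
# (unpadded base32). Not a real credential.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_authenticator_secret(encoded: str) -> bytes:
    """Decode an unpadded, case-insensitive base32 secret (authenticator-app style)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding the decoder expects
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_used_step=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check of a submitted code.

    Accepts the current time step plus `window` steps either side (client clock
    skew), refuses any step at or before `last_used_step` (a code captured by a
    keylogger is single-use), and compares in constant time. Every candidate
    step is evaluated so timing does not reveal which one matched.
    Returns the accepted step (store it as the new last_used_step) or None.
    """
    current = unix_time // step
    accepted = None
    for drift in range(-window, window + 1):
        counter = current + drift
        expected = hotp(secret, counter, digits)
        matches = hmac.compare_digest(expected.encode(), candidate.encode())
        fresh = last_used_step is None or counter > last_used_step
        if matches and fresh:
            accepted = counter
    return accepted


if __name__ == "__main__":
    key = decode_authenticator_secret(EXAMPLE_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code)
    print("accepted at step:", verify_totp(key, code, now))
    print("replayed:", verify_totp(key, code, now, last_used_step=now // 30))
```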
Re: [gentoo-user] {OT} Allow work from home?
>> Suppose you use a VPN connection. How does the client (employee) secure their own network and the machine they're using to work remotely then?
>
> Poorly, most likely. Your data is probably not nearly as important to them as their data is, and most people don't take great care of their own data.

This is the same mentality I have.

> As I mentioned in my other post, there might be some exceptions if you're dealing with highly-skilled IT security employees or something like that, but most people don't take nearly the level of care with their clients as you're probably going to want them to.

Generally my employees are not technically inclined.

> It sounds like Grant is concerned enough about his application to restrict logins to a specific IP (presumably it uses SSL and sign-ons as well). If you care THAT much about where valid users can connect from, I don't see why you'd just let them VPN into your LAN running who-knows-what-rootkit on their workstations.
>
> If you're truly 100% web-based I'd just go the chromebook route. If not, I'd issue laptops that you control with full-disk encryption, and you can then set them up however you need to.

I am 100% web-based. I don't want to administrate machines outside of my LAN so I can imagine a Chromebook would end up vulnerable eventually.

Someone mentioned 2-factor authentication which sounds interesting. Are there good options for that besides SMS and Google Authenticator (or a similar mobile app)? Is there a good 2FA server in Portage? Is 2FA ever defeated in real life without the user's phone?

- Grant
Re: [gentoo-user] {OT} Allow work from home?
On Monday, January 18, 2016 06:07:33 AM Rich Freeman wrote:
> On Mon, Jan 18, 2016 at 1:44 AM, J. Roeleveld wrote:
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> You would have a full VM for each user?
> >
> > Yes
> >
> >> That would be a huge waste of resources,
> >
> > Diskspace and CPU can easily be overcommitted.
> >
> >...
> >
> > The biggest reason why I don't use KVM is the lack of full snapshot functionality. Snapshotting disks is nice, but you end up with an unclean-shutdown situation and anything that's not yet committed to disk is gone.
>
> Seems like on linux a straightforward design would be spinning up containers on demand, with snapshots underneath. Granted, somebody still needs to build it, but spinning up a container per user isn't much more resource-intensive than just running x2go with multiple users in a single namespace which is how it works today. It certainly would be less wasteful than a full VM. They also launch and shutdown super-fast.
>
> Of course, this is a linux-only solution (or BSD I believe). You're not going to be able to do this with OSX/Windows guests.

A similar solution is generally done with VDI implementations as well. Replace "container" with VM and you have the same.

--
Joost
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 1:44 AM, J. Roeleveld wrote:
> On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> You would have a full VM for each user?
>
> Yes
>
>> That would be a huge waste of resources,
>
> Diskspace and CPU can easily be overcommitted.
>...
> The biggest reason why I don't use KVM is the lack of full snapshot functionality. Snapshotting disks is nice, but you end up with an unclean-shutdown situation and anything that's not yet committed to disk is gone.

Seems like on linux a straightforward design would be spinning up containers on demand, with snapshots underneath. Granted, somebody still needs to build it, but spinning up a container per user isn't much more resource-intensive than just running x2go with multiple users in a single namespace which is how it works today. It certainly would be less wasteful than a full VM. They also launch and shutdown super-fast.

Of course, this is a linux-only solution (or BSD I believe). You're not going to be able to do this with OSX/Windows guests.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Monday, January 18, 2016 02:02:27 AM lee wrote:
> "J. Roeleveld" writes:
> > On 17 January 2016 18:35:20 CET, Mick wrote:
> > [...]
> >> I use the icaclient provided by Citrix to access my virtual desktop at work, but have never tried to set up something similar at home. What opensource software would I need for this? Is there a wiki somewhere to follow?
> >
> > I'd love to do this myself as well.
> >
> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need a VMserver (Xen or similar) and a remote desktop tool that hooks into the VM display. (Spice or VNC)
> >
> > Then you need some way of authenticating users and providing access to the client software. [...]
>
> You would have a full VM for each user?

Yes

> That would be a huge waste of resources,

Diskspace and CPU can easily be overcommitted.

> plus having to take care of a lot of VMs,

Automated.

> plus having to buy a lot of Windoze licenses

Volume licensing takes care of that.

> and taking about a week to install the updates after installing a VM.

Never heard of VM templates?

> Add to that that the xen host goes down at random time intervals (because the sending queue of the network card times out for reasons that cannot be determined) which can be as long as a day, a week or even up to three weeks, and you are likely to become a rather unhappy administrator.

Sorry, but I consider that a bug in your hardware. If it's really that unstable, replace it.
I've been running Xen enabled servers for nearly 15 years. Never had issues like that. If it were truly that unstable, it wouldn't be gaining popularity.

> Try kvm instead, and you'll find that it's impossible to migrate the VMs from xen to kvm when you want to use virtio drivers because you can't install them on an existing Windoze VM.

Not a problem with the virtualisation technology. It is an issue with driver management inside MS Windows.
There are ways to migrate VMs successfully, I just don't see the point in wasting time for that.

The biggest reason why I don't use KVM is the lack of full snapshot functionality. Snapshotting disks is nice, but you end up with an unclean-shutdown situation and anything that's not yet committed to disk is gone.

> Then there's the question how well vnc or spice connections work over a VPN that goes over the internet.

VNC works quite well, as long as you use a minimal desktop. (like blackbox).
Don't expect KDE or Gnome to be usable.
I haven't tried Spice yet, but I've read that it performs better.

> It's not like the employees could get reliable internet connections with sufficient bandwidth, not to mention that the company would have to get one in the first place, which isn't much easier to get, if any.

That depends on where you are.
The company could host the servers in a decent datacentre, which should take care of the bandwidth issues.
For the employees, if they want to work from home, it's up to them to ensure they have a reliable connection.

> It might work in theory. How would it be feasible in practice?

Plenty of companies do it this way. If you don't want to pay for software like XenDesktop, you need to do all the work setting it up yourself.

--
Joost
Re: [gentoo-user] {OT} Allow work from home?
lee wrote:
> Rich Freeman writes:
> > On Sun, Jan 17, 2016 at 6:38 AM, lee wrote:
> >> Suppose you use a VPN connection. How does the client (employee) secure their own network and the machine they're using to work remotely then?
> >
> > Poorly, most likely. Your data is probably not nearly as important to them as their data is, and most people don't take great care of their own data.
>
> That's not what I meant to ask. Assume you are an employee supposed to work from home through a VPN connection: How do you protect your LAN?

Depends on the VPN connection. If you use an OpenVPN client on your PC then it is sufficient to use a well configured firewall (ufw, iptables or whatever) on this PC. If you use a VPN gateway then you could configure this gateway (or a firewall behind) in a way that it blocks incoming connections from the VPN tunnel.

IMHO there is no more risk to use a VPN connection than with any other Internet connection.

--
Regards
wabe
Re: [gentoo-user] {OT} Allow work from home?
On Sun, Jan 17, 2016 at 7:26 PM, lee wrote:
> Rich Freeman writes:
>> However, while an RDP-like solution protects you from some types of attacks, it still leaves you open to many client-side problems like keylogging. I don't know any major corporation that lets people RDP into their applications in general.
>
> What do they use instead?

As I mentioned in my previous email - they just hand all their employees laptops. Control the hardware, control the software, control the security...

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
"J. Roeleveld" writes: > On 17 January 2016 18:35:20 CET, Mick wrote: > [...] >>I use the icaclient provided by Citrix to access my virtual desktop at >>work, >>but have never tried to set up something similar at home. What >>opensource >>software would I need for this? Is there a wiki somewhere to follow? > > I'd love to do this myself as well. > > Citrix sells the full package as 'XenDesktop'. To do it yourself you need a > VMserver (Xen or similar) and a remote desktop tool that hooks into the VM > display. (Spice or VNC) > > Then you need some way of authenticating users and providing access to the > client software. > [...] You would have a full VM for each user? That would be a huge waste of resources, plus having to take care of a lot of VMs, plus having to buy a lot of Windoze licenses and taking about a week to install the updates after installing a VM. Add to that that the xen host goes down at random time intervals (because the sending queue of the network card times out for reasons that cannot be determined) which can be as long as a day, a week or even up to three weeks, and you are likely to become a rather unhappy administrator. Try kvm instead, and you'll find that it's impossible to migrate the VMs from xen to to kvm when you want to use virtio drivers because you can't install them on an existing Windoze VM. Then there's the question how well vnc or spice connections work over a VPN that goes over the internet. It's not like the employees could get reliable internet connections with sufficient bandwidth, not to mention that the company would have to get one in the first place, which isn't much easier to get, if any. It might work in theory. How would it be feasible in practise?
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes:
> On Sun, Jan 17, 2016 at 6:38 AM, lee wrote:
>> Suppose you use a VPN connection. How does the client (employee) secure their own network and the machine they're using to work remotely then?
>
> Poorly, most likely. Your data is probably not nearly as important to them as their data is, and most people don't take great care of their own data.

That's not what I meant to ask. Assume you are an employee supposed to work from home through a VPN connection: How do you protect your LAN?

> [...]
>> What's the Linux equivalent of RDP sessions? Some sort of VNC seems to usually require a lot of bandwidth, and I wouldn't know how to run it as a service so that someone could just start a client (like rdesktop) and log in to the server as they can do with Windoze servers. --- I only found x11rdp which appears to be incompatible with current X servers.
>
> There is stuff like xtogo and other NX-like technologies, but the trend seems to be towards client-side rendering which makes them perform about as well as VNC. I mostly gave up on it ages ago - it was fairly fragile to keep working as well. I do know one of the maintainers - perhaps it has gotten better in recent years.
>
> However, while an RDP-like solution protects you from some types of attacks, it still leaves you open to many client-side problems like keylogging. I don't know any major corporation that lets people RDP into their applications in general.

What do they use instead?

This sounds as if it's basically impossible to work from a remote location, at least when Linux comes into it at some point.

> [...]
Re: [gentoo-user] {OT} Allow work from home?
On Sunday 17 Jan 2016 13:10:42 Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld wrote:
> > I would prefer a method that is independent of OS used. And provides server side limitations with regards to filesharing and clipboard access.
>
> x2go is just X11, so it should be OS-independent as long as you have a client/server for it. It just logs in as the appropriate user on the remote host, so access beyond that is whatever you'd get if you just logged in on a console.
>
> Now, I can't vouch for how many OSes anybody has bothered to implement it on.

I am not sure what Grant's requirements are, but I would think that devs will require their own desktop environment and OS instance, rather than x2go's shared OS. Instead of a remote display presentation layer, how could one setup a fully virtualised desktop?

--
Regards,
Mick
Re: [gentoo-user] {OT} Allow work from home?
On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld wrote:
> I would prefer a method that is independent of OS used. And provides server side limitations with regards to filesharing and clipboard access.

x2go is just X11, so it should be OS-independent as long as you have a client/server for it. It just logs in as the appropriate user on the remote host, so access beyond that is whatever you'd get if you just logged in on a console.

Now, I can't vouch for how many OSes anybody has bothered to implement it on.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On 17 January 2016 18:59:36 CET, Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 12:35 PM, Mick wrote:
>> I use the icaclient provided by Citrix to access my virtual desktop at work, but have never tried to set up something similar at home. What opensource software would I need for this? Is there a wiki somewhere to follow?
>
> There might be something newer, but something along the line of x2go is what you'd want. It just tunnels over ssh (with a built-in ssh client) and runs an X server on the remote host which the clients connect to (you can just launch xfce or whatever for your DM - I'd avoid anything with fancy 3D), and then it compresses the X11 protocol and does the presentation on your local workstation. The X server can provide immediate replies to clients on its side so that the effects of latency are greatly diminished. But, if you launch something like chromium be prepared to watch the screen paint since it uses client-side rendering. All you'll get is big blobs of images sent over the wire for that window. However, for anything rendered server-side you'll get a very interactive experience since the component on your workstation can do much of the rendering independently of the actual X11 server, which operates on a delay.

X2go and similar works like RDP for windows allowing multiple users on the same host.

I would prefer a method that is independent of OS used. And provides server side limitations with regards to filesharing and clipboard access.

--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] {OT} Allow work from home?
On Sun, Jan 17, 2016 at 12:35 PM, Mick wrote:
> I use the icaclient provided by Citrix to access my virtual desktop at work, but have never tried to set up something similar at home. What opensource software would I need for this? Is there a wiki somewhere to follow?

There might be something newer, but something along the line of x2go is what you'd want. It just tunnels over ssh (with a built-in ssh client) and runs an X server on the remote host which the clients connect to (you can just launch xfce or whatever for your DM - I'd avoid anything with fancy 3D), and then it compresses the X11 protocol and does the presentation on your local workstation. The X server can provide immediate replies to clients on its side so that the effects of latency are greatly diminished. But, if you launch something like chromium be prepared to watch the screen paint since it uses client-side rendering. All you'll get is big blobs of images sent over the wire for that window. However, for anything rendered server-side you'll get a very interactive experience since the component on your workstation can do much of the rendering independently of the actual X11 server, which operates on a delay.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On 17 January 2016 18:35:20 CET, Mick wrote:
> On Sunday 17 Jan 2016 16:51:00 J. Roeleveld wrote:
>> On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
>>> On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld wrote:
>>>> Actually, there are several large corporations that use RDP-like technologies. Although those are called "VDI" and usually use XenDesktop on the server side and "icaclient" on the client.
>>>> Runs through HTTPS and apart from keyloggers and screenloggers, there is not much that can be done.
>>>> Using 2-factor authentication (RSA-type keys or similar) they're pretty secure.
>>>
>>> Yeah, I would agree with that. I've set up a few thin client citrix boxes ages ago. These days I'd say the web is the bigger trend, and I agree that 2-factor can greatly reduce the impact of keylogging. One of the nice things with one of the SaaS applications we're using at work is that if we're having connection issues I can just wake up my console on my home PC next to my VPN'ed laptop and see if the application is accessible with a completely different route (suffice it to say I sometimes dread using the office LAN for this reason - I've seen file transfers go faster over the VPN than the local WiFi).
>>>
>>> But, if you're still stuck with win32 applications Citrix is certainly a solution. I was thinking it might take over the corporate desktop until everything started moving more towards the web.
>>
>> XenDesktop is actually a lot nicer than the classical "Citrix". You end up with a full VM rather than a multi-user hack on top of a single user OS.
>>
>> I prefer to work using VDI/icaclient than with the company supplied laptops. Especially since my own laptop and desktop is nicer to type with and the screen is better quality...
>>
>> --
>> Joost
>
> I use the icaclient provided by Citrix to access my virtual desktop at work, but have never tried to set up something similar at home. What opensource software would I need for this? Is there a wiki somewhere to follow?

I'd love to do this myself as well.

Citrix sells the full package as 'XenDesktop'. To do it yourself you need a VMserver (Xen or similar) and a remote desktop tool that hooks into the VM display. (Spice or VNC)

Then you need some way of authenticating users and providing access to the client software.

I have not been able to set all that up myself yet, but it is on my wish/todo list. Ideally, I'd like an affordable XenDesktop licencing scheme for a few simultaneous users.

--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] {OT} Allow work from home?
On Sunday 17 Jan 2016 16:51:00 J. Roeleveld wrote:
> On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
> > On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld wrote:
> > > Actually, there are several large corporations that use RDP-like technologies. Although those are called "VDI" and usually use XenDesktop on the server side and "icaclient" on the client.
> > > Runs through HTTPS and apart from keyloggers and screenloggers, there is not much that can be done.
> > > Using 2-factor authentication (RSA-type keys or similar) they're pretty secure.
> >
> > Yeah, I would agree with that. I've set up a few thin client citrix boxes ages ago. These days I'd say the web is the bigger trend, and I agree that 2-factor can greatly reduce the impact of keylogging. One of the nice things with one of the SaaS applications we're using at work is that if we're having connection issues I can just wake up my console on my home PC next to my VPN'ed laptop and see if the application is accessible with a completely different route (suffice it to say I sometimes dread using the office LAN for this reason - I've seen file transfers go faster over the VPN than the local WiFi).
> >
> > But, if you're still stuck with win32 applications Citrix is certainly a solution. I was thinking it might take over the corporate desktop until everything started moving more towards the web.
>
> XenDesktop is actually a lot nicer than the classical "Citrix". You end up with a full VM rather than a multi-user hack on top of a single user OS.
>
> I prefer to work using VDI/icaclient than with the company supplied laptops. Especially since my own laptop and desktop is nicer to type with and the screen is better quality...
>
> --
> Joost

I use the icaclient provided by Citrix to access my virtual desktop at work, but have never tried to set up something similar at home. What opensource software would I need for this? Is there a wiki somewhere to follow?

--
Regards,
Mick
Re: [gentoo-user] {OT} Allow work from home?
On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld wrote:
> > Actually, there are several large corporations that use RDP-like technologies. Although those are called "VDI" and usually use XenDesktop on the server side and "icaclient" on the client.
> > Runs through HTTPS and apart from keyloggers and screenloggers, there is not much that can be done.
> > Using 2-factor authentication (RSA-type keys or similar) they're pretty secure.
>
> Yeah, I would agree with that. I've set up a few thin client citrix boxes ages ago. These days I'd say the web is the bigger trend, and I agree that 2-factor can greatly reduce the impact of keylogging. One of the nice things with one of the SaaS applications we're using at work is that if we're having connection issues I can just wake up my console on my home PC next to my VPN'ed laptop and see if the application is accessible with a completely different route (suffice it to say I sometimes dread using the office LAN for this reason - I've seen file transfers go faster over the VPN than the local WiFi).
>
> But, if you're still stuck with win32 applications Citrix is certainly a solution. I was thinking it might take over the corporate desktop until everything started moving more towards the web.

XenDesktop is actually a lot nicer than the classical "Citrix". You end up with a full VM rather than a multi-user hack on top of a single user OS.

I prefer to work using VDI/icaclient than with the company supplied laptops. Especially since my own laptop and desktop are nicer to type with and the screen is better quality...

--
Joost
Re: [gentoo-user] {OT} Allow work from home?
On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld wrote:
>
> Actually, there are several large corporations that use RDP-like technologies. Although those are called "VDI" and usually use XenDesktop on the server side and "icaclient" on the client.
> Runs through HTTPS and apart from keyloggers and screenloggers, there is not much that can be done.
> Using 2-factor authentication (RSA-type keys or similar) they're pretty secure.
>

Yeah, I would agree with that. I've set up a few thin client citrix boxes ages ago. These days I'd say the web is the bigger trend, and I agree that 2-factor can greatly reduce the impact of keylogging. One of the nice things with one of the SaaS applications we're using at work is that if we're having connection issues I can just wake up my console on my home PC next to my VPN'ed laptop and see if the application is accessible with a completely different route (suffice it to say I sometimes dread using the office LAN for this reason - I've seen file transfers go faster over the VPN than the local WiFi).

But, if you're still stuck with win32 applications Citrix is certainly a solution. I was thinking it might take over the corporate desktop until everything started moving more towards the web.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Sunday, January 17, 2016 07:27:45 AM Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 6:38 AM, lee wrote:
> > Suppose you use a VPN connection. How does the client (employee) secure their own network and the machine they're using to work remotely then?
>
> Poorly, most likely. Your data is probably not nearly as important to them as their data is, and most people don't take great care of their own data.
>
> As I mentioned in my other post, there might be some exceptions if you're dealing with highly-skilled IT security employees or something like that, but most people don't take nearly the level of care with their clients as you're probably going to want them to.
>
> > What's the Linux equivalent of RDP sessions? Some sort of VNC seems to usually require a lot of bandwidth, and I wouldn't know how to run it as a service so that someone could just start a client (like rdesktop) and log in to the server as they can do with Windoze servers. --- I only found x11rdp which appears to be incompatible with current X servers.
>
> There is stuff like x2go and other NX-like technologies, but the trend seems to be towards client-side rendering which makes them perform about as well as VNC. I mostly gave up on it ages ago - it was fairly fragile to keep working as well. I do know one of the maintainers - perhaps it has gotten better in recent years.
>
> However, while an RDP-like solution protects you from some types of attacks, it still leaves you open to many client-side problems like keylogging. I don't know any major corporation that lets people RDP into their applications in general.

Actually, there are several large corporations that use RDP-like technologies. Although those are called "VDI" and usually use XenDesktop on the server side and "icaclient" on the client.
Runs through HTTPS and apart from keyloggers and screenloggers, there is not much that can be done.
Using 2-factor authentication (RSA-type keys or similar) they're pretty secure.

--
Joost
Re: [gentoo-user] {OT} Allow work from home?
On Sun, Jan 17, 2016 at 6:38 AM, lee wrote:
> Suppose you use a VPN connection. How does the client (employee) secure their own network and the machine they're using to work remotely then?

Poorly, most likely. Your data is probably not nearly as important to them as their data is, and most people don't take great care of their own data.

As I mentioned in my other post, there might be some exceptions if you're dealing with highly-skilled IT security employees or something like that, but most people don't take nearly the level of care with their clients as you're probably going to want them to.

> What's the Linux equivalent of RDP sessions? Some sort of VNC seems to usually require a lot of bandwidth, and I wouldn't know how to run it as a service so that someone could just start a client (like rdesktop) and log in to the server as they can do with Windoze servers. --- I only found x11rdp which appears to be incompatible with current X servers.

There is stuff like x2go and other NX-like technologies, but the trend seems to be towards client-side rendering which makes them perform about as well as VNC. I mostly gave up on it ages ago - it was fairly fragile to keep working as well. I do know one of the maintainers - perhaps it has gotten better in recent years.

However, while an RDP-like solution protects you from some types of attacks, it still leaves you open to many client-side problems like keylogging. I don't know any major corporation that lets people RDP into their applications in general.

It sounds like Grant is concerned enough about his application to restrict logins to a specific IP (presumably it uses SSL and sign-ons as well). If you care THAT much about where valid users can connect from, I don't see why you'd just let them VPN into your LAN running who-knows-what-rootkit on their workstations.

If you're truly 100% web-based I'd just go the chromebook route. If not, I'd issue laptops that you control with full-disk encryption, and you can then set them up however you need to.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
Mick writes:
> On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
>> On 16/01/2016 06:17, Grant wrote:
>> > I'm considering allowing some employees to work from home but I'm concerned about the security implications. Currently everybody shows up and logs into their locked down Gentoo system and from there is able to access the company webapps which are restricted to the office IP address. I guess I would have to allow webapp access from any IP for those users and trust that their computer is secure? Should that not be scary?
>> >
>> > - Grant
>>
>> I have experience in this area. I work at ISPs where working from home is routine and required for overnight standby.
>>
>> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers the security levels you need. Use the Layer3 routing option that uses tun drivers (not tap) and issue the certificates to the users yourself. Then allow your servers to accept connections from the VPN range as well as the internal office range
>>
>> As for the security levels of their personal machines, tell them what you require and from that point on you really have to trust your people so be security aware and with the program.
>
> Some other alternatives and thoughts to solutions already proposed are:
>
> 1. Only allow access through the office firewall and webapp servers to the IP addresses of your employees. This would only work if your employees have static IP addresses and are few in number - otherwise you are creating an administrative burden. I assume that the client connection to the webapp server will be over some secure protocol, e.g. SSH, SSL/TLS. Otherwise, you'll need an encrypted tunnel (see below).
>
> 2. Instead of OpenVPN which has been recommended I suggest that you take a look at IPSec with IKEv2. IPSec + IKEv2 provides higher throughput because encryption/decryption is performed in the kernel, rather than userspace and because it allows for multi-threading, which last time I looked OpenVPN does not. In addition, IKEv2 employs the MOBIKE protocol which allows mobile client roaming. Changing client IP addresses is handled automatically, without having to restart manually the VPN session. All this said, if your use case has low throughput demand then OpenVPN would work fine. In both cases, use strong encryption.
>
> 3. If you go with OpenVPN, following Alan's suggestion to use tun instead of tap, I should add that if you have deployed MSWindows or other clients and services with non-IP protocols, then you'll probably need a tap bridge to make sure that all services can get through. The client machines will then become part of your LAN. Depending on client numbers you may need more than one VLAN segment and multiple OpenVPN servers.
>
> 4. An easier and simpler alternative may be to run SSH SOCKS proxy on the server and proxychains on the clients. Any software run with proxychains on the client will be tunnelled via SSH to the server and from a network perspective will be connected to the office LAN. Webapps should be able to run quite efficiently in this way and connect to the LAN server. Public key authentication and an SSH high port should keep pests away.

Suppose you use a VPN connection. How does the client (employee) secure their own network and the machine they're using to work remotely then?

What's the Linux equivalent of RDP sessions? Some sort of VNC seems to usually require a lot of bandwidth, and I wouldn't know how to run it as a service so that someone could just start a client (like rdesktop) and log in to the server as they can do with Windoze servers. --- I only found x11rdp which appears to be incompatible with current X servers.

Then there's LTSP. Leaving aside that there are no thin clients with sufficient graphics performance: would it be possible to do that over a VPN connection, provided that the VPN connection doesn't put the rest of the network on the client side at risk?

Having that said, I'm finding OpenVNC anything but easy to set up. How is that with IPsec and IKEv2?

Proxychains sounds interesting. Is it possible to run rdesktop through that?
Re: [gentoo-user] {OT} Allow work from home?
On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
> On 16/01/2016 06:17, Grant wrote:
> > I'm considering allowing some employees to work from home but I'm concerned about the security implications. Currently everybody shows up and logs into their locked down Gentoo system and from there is able to access the company webapps which are restricted to the office IP address. I guess I would have to allow webapp access from any IP for those users and trust that their computer is secure? Should that not be scary?
> >
> > - Grant
>
> I have experience in this area. I work at ISPs where working from home is routine and required for overnight standby.
>
> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers the security levels you need. Use the Layer3 routing option that uses tun drivers (not tap) and issue the certificates to the users yourself. Then allow your servers to accept connections from the VPN range as well as the internal office range
>
> As for the security levels of their personal machines, tell them what you require and from that point on you really have to trust your people so be security aware and with the program.

Some other alternatives and thoughts to solutions already proposed are:

1. Only allow access through the office firewall and webapp servers to the IP addresses of your employees. This would only work if your employees have static IP addresses and are few in number - otherwise you are creating an administrative burden. I assume that the client connection to the webapp server will be over some secure protocol, e.g. SSH, SSL/TLS. Otherwise, you'll need an encrypted tunnel (see below).

2. Instead of OpenVPN which has been recommended I suggest that you take a look at IPSec with IKEv2. IPSec + IKEv2 provides higher throughput because encryption/decryption is performed in the kernel, rather than userspace and because it allows for multi-threading, which last time I looked OpenVPN does not. In addition, IKEv2 employs the MOBIKE protocol which allows mobile client roaming. Changing client IP addresses is handled automatically, without having to restart manually the VPN session. All this said, if your use case has low throughput demand then OpenVPN would work fine. In both cases, use strong encryption.

3. If you go with OpenVPN, following Alan's suggestion to use tun instead of tap, I should add that if you have deployed MSWindows or other clients and services with non-IP protocols, then you'll probably need a tap bridge to make sure that all services can get through. The client machines will then become part of your LAN. Depending on client numbers you may need more than one VLAN segment and multiple OpenVPN servers.

4. An easier and simpler alternative may be to run SSH SOCKS proxy on the server and proxychains on the clients. Any software run with proxychains on the client will be tunnelled via SSH to the server and from a network perspective will be connected to the office LAN. Webapps should be able to run quite efficiently in this way and connect to the LAN server. Public key authentication and an SSH high port should keep pests away.

--
Regards,
Mick
Re: [gentoo-user] {OT} Allow work from home?
On Sat, Jan 16, 2016 at 2:39 AM, Alan McKinnon wrote:
>
> As for the security levels of their personal machines, tell them what you require and from that point on you really have to trust your people so be security aware and with the program.
>

Most employers just issue laptops to their employees for this reason. Set them up with full disk encryption and VPN access.

While I wouldn't recommend this to a general employer you might get away with the use of personal laptops if your employees all know what they're doing - I have no idea what line of business you're in. Most businesses are not 100% staffed by people who are qualified to properly maintain a workstation in a secure manner.

I also view this as a matter of principle. If you're going to make employees provide their own hardware, you don't really have that much of a right to tell them exactly how you want it run. If you're the one providing the hardware, then you can provide it exactly how you need it to be.

VPN is probably the easiest way to manage security though. It is far more secure than whitelisting IP addresses. It isn't the only solution - if you literally only need them to access a single web-based application you could use client ssl certificates or something like that, but you still need to control the security of the client either way.

Just remember that laptops get lost so they really do need full disk encryption. Unfortunately on linux it seems LUKS and a hand-entered password is the only common solution for this (it looks like doing something TPM-based should be possible, but you basically have to DIY).

Oh, if you are 100% web-based another solution is to just issue chromebooks. Those allow central provisioning/etc if you have a google apps account, and they do support VPN. Those have TPM-backed full disk encryption out of the box, and are probably going to be way easier for you to maintain, and certainly a lot cheaper. As far as I can tell (not having done this myself) they let you centrally provision VPN certificates and such and set up the networking settings. You just boot a new chromebook, hit Ctrl-Alt-E or whatever, and type in a google apps username/password that you gave access to provision devices. You also get remote wipe and all that other fun stuff, and from everything I've read the security on those is about as good as it gets.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On 16/01/2016 06:17, Grant wrote:
> I'm considering allowing some employees to work from home but I'm concerned about the security implications. Currently everybody shows up and logs into their locked down Gentoo system and from there is able to access the company webapps which are restricted to the office IP address. I guess I would have to allow webapp access from any IP for those users and trust that their computer is secure? Should that not be scary?
>
> - Grant

I have experience in this area. I work at ISPs where working from home is routine and required for overnight standby.

You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers the security levels you need. Use the Layer3 routing option that uses tun drivers (not tap) and issue the certificates to the users yourself. Then allow your servers to accept connections from the VPN range as well as the internal office range

As for the security levels of their personal machines, tell them what you require and from that point on you really have to trust your people so be security aware and with the program.

--
Alan McKinnon
alan.mckin...@gmail.com
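Alan's advice to let the servers accept connections from the VPN range as well as the office range, and Mick's first option of allowlisting employee addresses, both come down to a source-address check in front of the webapp. The following is an added example, not code from this thread, using constructed ranges (the office prefix, the OpenVPN tun subnet and the proxy address are placeholders) and showing the one caveat such a check needs: X-Forwarded-For is only honoured when the request arrives from a proxy you run yourself.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed values for illustration only; replace with your own office
# egress prefix and the subnet your OpenVPN "dev tun" server assigns.
OFFICE_RANGES = ["203.0.113.0/24"]   # placeholder office public range
VPN_RANGES = ["10.8.0.0/24"]         # assumed OpenVPN tun client subnet
TRUSTED_PROXIES = ["10.0.0.5"]       # assumed reverse proxy in front of the app


def parse_networks(cidrs: Iterable[str]):
    """Parse CIDR strings once; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str]) -> str:
    """Choose the address to authorise.

    X-Forwarded-For is client-controlled unless the hop that delivered the
    request is ours, so it is honoured only when remote_addr is a trusted
    proxy. Even then only the right-most entry counts: that is the one our
    proxy appended, and the only one it actually vouches for.
    """
    if x_forwarded_for and remote_addr in set(trusted_proxies):
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def is_allowed(ip_str: str, allowed) -> bool:
    """True if ip_str parses and falls inside any allowed network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(ip in net for net in allowed)


def authorize(remote_addr: str,
              x_forwarded_for: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request as the webapp front door sees it."""
    allowed = parse_networks(OFFICE_RANGES + VPN_RANGES)
    ip = effective_client_ip(remote_addr, x_forwarded_for, TRUSTED_PROXIES)
    if is_allowed(ip, allowed):
        return True, f"{ip} is inside an office or VPN range"
    return False, f"{ip} is outside the allowed ranges"


if __name__ == "__main__":
    # Constructed requests: in the office, over the VPN, from home broadband,
    # a spoofed header from home, and a genuine proxied office request.
    for remote, xff in [("203.0.113.20", None),
                        ("10.8.0.6", None),
                        ("198.51.100.7", None),
                        ("198.51.100.7", "203.0.113.20"),
                        ("10.0.0.5", "198.51.100.7, 203.0.113.20")]:
        print(remote, xff, authorize(remote, xff))
```

A home client that sets X-Forwarded-For to the office address is still denied, because the header only counts when the TCP peer is the trusted proxy.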
Re: [gentoo-user] {OT} Allow work from home?
On 01/15/2016 09:18 PM, waben...@gmail.com wrote:
> Grant wrote:
>
>> I'm considering allowing some employees to work from home but I'm concerned about the security implications. Currently everybody shows up and logs into their locked down Gentoo system and from there is able to access the company webapps which are restricted to the office IP address. I guess I would have to allow webapp access from any IP for those users and trust that their computer is secure? Should that not be scary?
>>
>> - Grant
>
> I would use OpenVPN for that. If you don't trust their systems, you could provide a Live-System media for them if that is possible.
>
> --
> Regards
> wabe
>

I would use VPN + an X server that can spawn sessions on demand. This way it all stays internal on the work network. I do something similar at work for our Windows clients; it was simple to set up there.

I've set up my home server to act as a Windows-type terminal server using X and tigervnc. It actually works well, but I never got into multiuser and dealing with logon scripts and the like (you may or may not need this to deal with user documents and the like.)

Dan
Re: [gentoo-user] {OT} Allow work from home?
Grant wrote:
> I'm considering allowing some employees to work from home but I'm concerned about the security implications. Currently everybody shows up and logs into their locked down Gentoo system and from there is able to access the company webapps which are restricted to the office IP address. I guess I would have to allow webapp access from any IP for those users and trust that their computer is secure? Should that not be scary?
>
> - Grant

I would use OpenVPN for that. If you don't trust their systems, you could provide a Live-System media for them if that is possible.

--
Regards
wabe