[Pkg-ltsp-devel] Re: OpenVPN

[Marcin Kuk]

> > I have experiences in diskless workstations. I know vanilla LTSP.
> > Where can I find some how-to about yours project. I would like try it first.
>
> We don't have a how-to, but if you've a Debian sid installation somewhere, do:
> aptitude update
> aptitude install ltsp-server
> ltsp-build-client --dist sid --mirror http://http.us.debian.org/debian

I have Sarge, Etch and Ubuntu installations from Debian-like systems
but it's not problem for me. How I assume you insert devel tree into
sid but I could use it on slackware even.

> If everything goes well, you will have an ltsp chroot ready to go in
> /opt/ltsp/ . With your previous experience in LTSP, i think you won't
> have problems to boot thin-clients.

Earlier on Ubuntu I saw that kernel need to be insert into /boot
directory in the other way. I suppose that by the
ltsp-update-kernel.sh (I can be wrong - don't  remember). Why this is
separated?

> > I have some ideas to which could be implemented into LTSP.
> > I think about OpenVPN. This solution could improve security.
>
> Could you share your ideas?

NFS is the big security problem into LTSP. LTSP try to force ltspfs or
something like this. My idea is to use OpenVPN.

Client could query DHCP for settings and kernel with initrd. Load and
execute basic filesystem form initrd which OpenVPN tools. Make own
root-CA depend on hostname. Make key and request. Move request into
root-CA on server and sign it. Take ca-server.crt and client.crt from
server and use it for tunnel. Now NFS can be used over tunel.
This is simple way to make LTSP work over Internet.
We can write ltsp-make-boot.sh script which will make bootable CD,
floppy and USB devices.

What do you thing about?

> Btw, we do Debian's LTSP development using
> the Bazaar-NG version control system[0]. Ubuntu does the same and we
> share a lot of code.

I don't know Bazaar-NG but I will try to learn ;-)

Regards

Marcin Kuk