|02:16||we6jbo has joined IRC (email@example.com)|
|02:34||we6jbo has left IRC (firstname.lastname@example.org, Ping timeout: 256 seconds)|
|02:47||we6jbo has joined IRC (email@example.com)|
|05:16||vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20, Quit: leaving)|
|05:53||alkisg_irc1 has joined IRC (alkisg_irc1!~Thunderbi@srv1-dide.ioa.sch.gr)|
|05:55||alkisg_irc has left IRC (alkisg_irc!~Thunderbi@2a02:587:744e:8500:c24a:ff:fe02:bc1e, Ping timeout: 240 seconds)|
|05:55||alkisg_irc1 is now known as alkisg_irc|
|06:11||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
Try to convince people there to use shared folders, not shared accounts :)
|06:55||eu^broadband-46- has joined IRC (firstname.lastname@example.org)|
|06:58||alkisg_irc has left IRC (alkisg_irc!~Thunderbi@srv1-dide.ioa.sch.gr, Read error: Connection reset by peer)|
|07:00||eu^broadband-46- has left IRC (email@example.com, Ping timeout: 260 seconds)|
|07:01||alkisg_irc has joined IRC (alkisg_irc!~Thunderbi@2a02:587:744e:8500:c24a:ff:fe02:bc1e)|
<alkisg> "Try to convince people there..." <- No way. We can't do anything with the existing users. Can only add some extra steps while login process
If you want to explain that, we might be able to help, otherwise sure, go for insecurity :)
Is just a quick workaround for the decreasing insecure hole
After that will come more complex solution.
|07:13||ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)|
Developing a pam module is certainly not a quick task
If i have x32 intel based thin client, am I able to use "ltsp image i386" or I need "ltsp image x86_64" instead? It's just about chroot folders only or it's depend or architecture too?
What's the exact cpu model and how much RAM does the client have?
<alkisg> "Developing a pam module is..." <- I guess I haven't any better solutions. Maybe fix somehow old LTSP version without PAM. But it doesn't seems like faster solution
If you care to explain the restrictions, it's possible that we may propose a better solution. If you can't do that, no point in discussing it more, you can select whatever you feel is faster even if it's not
<alkisg> "What's the exact cpu model and..." <- 4gb with G1820 Intel (x64). But I'm not sure about all ours hardware are the same
You said x32, that's x64...
For such clients, you don't need a 32bit chroot, you can use 64bit chrootless
alkisg: We can try.
The main restriction - we can't drop shared accounts. But we need to personalize them somehow
Sorry I don't have enough time to play hide and seek. If you can explain, OK, otherwise let me get back to coding, I have a family to feed :D
alkisg: This is test suite configuration. I'm not quite sure about target real hardware. They might be only x32
alkisg: Sorry to taking your time.
But I don't understand, what I need to explain more? You mean why we have that strange restriction?
Yes, usually such cases are called a XY problem, https://xyproblem.info/
So we spent a lot of time regarding pam, but you had ltsp5 which doesn't even use pam,
while if you explain the actual restrictions it might turn out you don't need a pam module at all
Then, me wasting e.g. 1 hour will help you avoid 100 hours of development. That's a good investment
...while wasting 1 hour discussing pam and turning out that you don't need pam would be a very bad investment of time
So we have a typical system installation, that consists of headless unix server and a couple thin clients. We also have users. Users amount > thin clients: say 10 against 2.
On the server we have fixed login/pass pairs for 5 users. That login/pass pairs are known for all of that users.
We need to know, which user is logged
<alkisg> "Yes, usually such cases are..." <- Good point
OK, try to explain the exact reason why you can't move to "one account per user". It will be difficult for them to learn a new username, when they'll have all their data there?
alkisg: Yeah. They can't learn a new username with password
You're going to teach them authenticator devices, but they can't remember "user1"?
Because they had bad education, I guess
Then they won't be able to learn about authenticator devices either
So there's no solutio
I cant explain it in detail, cause I haven't the better picture
OK. Then sorry, that's all the time I could spend on this
Wishing you the best of luck, /me goes back to coding :)
Ok. Thank you anyway.
I'll post it here, then the story will end
|08:00||woernie has joined IRC (firstname.lastname@example.org)|
|08:00||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|08:36||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Ping timeout: 255 seconds)|
|08:55||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|09:00||MaradelCarmenCar has left IRC (MaradelCarmenCar!~maricarme@2001:470:69fc:105::2:a292, Quit: You have been kicked for being idle)|
alkisg: Feeling bad about our last conversation, cause I spended your time. I didn't want to. You was right it's defenetly XY Problem.... (full message at <https://libera.ems.host/_matrix/media/v3/download/libera.chat/88bef084f0c08775f5c293a832c99f0e101aef3e>)
2FA is to increase security. You just want to separate users. Just use a simple session script; it will even show a nice dialog for them.
In your case security is non existent because any user can steal all the passwords etc of any user, they can get their bank accounts and everything
|10:23||john has joined IRC (email@example.com)|
|10:24||john is now known as Guest9347|
alkisg: What does it mean "simple session script"? Can you give an example?
Hello everyone! I was here yesterday and got very far in my understanding on how to configure LTSP.
I just have one question in order for me to gauge the possibility of using LTSP with netboot, and that is how common is it for laptops to support PXE over IPv4? Or rather, is the risk significant that varied laptops with Windows 7 and newer on them are missing this capability.
Guest9347: all laptops that have ethernet cards support netbooting
Great, that's a relief. Thanks!
Nickolay Zaytsev: google for 'lightdm custom session script', it'll give you some hints, not time to discuss more about this issue
And creating a common template for many users does NOT mean they'll need to share the same account
alkisg: No quite right, I gues.
Our OTP is personal. So before you can get your own OTP, you need to login in mobile app with the separate personal accout. Like LDAP or something. It need to be done only one time, before the app usage.
Authentication is NOT the same as home directory. You can have multiple users with the same directory
Or you can clone a template directory to multiple users
The OTP is personal, but any user can install a keylogger in their own account, and record all keystrokes of all future users
So they'll be able to steal anything, even from private mode browsers
It's like leaving your front door wide open and then securely locking the chimney. Really worthless...
That seems like a big risk. How can you prevent users from installing keyloggers in their home dirs?
|10:41||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
Guest9347: I wasn't talking to you. You should just make sure that each user has their own account.
|10:58||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
<alkisg> "The OTP is personal, but any..." <- That's true.
But at this point we need just workarond that will make live of foreign users harder: you need an employee smartphone to login.
Users home folders doesn't contain any private information at all. Only software for work
Just create a session script, it's more than enough
Sounds great. I'll take it. Thank you again, mr. Alkis. Thank you for your work!
|12:07||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
|12:11||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|12:18||Guest9347 has left IRC (Guest9347firstname.lastname@example.org, Quit: Client closed)|
|12:50||woernie_ has joined IRC (email@example.com)|
|12:51||woernie has left IRC (firstname.lastname@example.org, Ping timeout: 256 seconds)|
|13:06||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
|13:15||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|13:49||woernie_ has left IRC (email@example.com, Remote host closed the connection)|
|15:11||we6jbo has left IRC (firstname.lastname@example.org, Remote host closed the connection)|
|15:59||woernie has joined IRC (email@example.com)|
|16:41||woernie has left IRC (firstname.lastname@example.org, Remote host closed the connection)|
|16:49||vagrantc has joined IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20)|
|17:43||SunilThomasThoni has joined IRC (SunilThomasThoni!~vu2swmatr@2001:470:69fc:105::2:bf12)|
I am not sure whether this is the right forum to ask.
I am trying to create an image from vmdk
ln -rs /home/cea/VirtualBox\ VMs/deb/deb_1.vmdk /srv/ltsp/debian.img
(base) root@cea-OptiPlex-9010:/# ltsp image debian
LTSP command failed: blkid -po export /srv/ltsp/debian.img
I don't know how to mount /srv/ltsp/debian.img
right forum, not sure i have an answer though
wait around a while, someone might come along
I created a bare minimum vmdk and followed the install guide
Sunil Thomas Thonikuzhiyil: you want the deb_1-flat.vmdk, not the plain vmdk
i am new to virtualbox how to create a flat.vmdk
What do you have now, a .vdi?
ls -l "/home/cea/VirtualBox\ VMs/deb/"
-rw------- 1 alkisg alkisg 10737418240 Nov 7 09:26 bullseye-kde-flat.vmdk
-rw------- 1 alkisg alkisg 2958 Nov 11 17:01 bullseye-kde.vbox
-rw------- 1 alkisg alkisg 647 Nov 7 09:26 bullseye-kde.vmdk
vbox => VM description, plain vmdk => disk description, flat.vmdk => raw disk data
yes I can find a flat.vmdk
let me check again
Thanks it worked
One more question. Some sites allow me to download a vdi or vmdk. How d i make a flat.vmdk out of it
You should ask this in #vbox, not in #ltsp. E.g. something like: VBoxManage clonehd /vboxdata/old.vdi /vmwaredata/new.vmdk -format VMDK
Do not run that command, it's just an example, I haven't checked the exact syntax
Ah you don't even need a command, they have a dialog to do it via GUI, e.g. https://superuser.com/questions/73470/how-do-i-convert-a-virtualbox-vdi-file-to-a-vmware-vdmk
vagrantc: they allow this now?! /usr/share/doc/libphp-phpmailer/README.md.gz
No more man pages! Markdown ftw!
|18:53||* alkisg googles for a compressed markdown reader...|
alkisg: debian doesn't forbid markdown in the doc directory, but that doesn't mean no manpages
Eh, baby steps...
|19:19||* vagrantc just uses emacs to read most files :)|
|20:52||ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)|
|21:02||bcg has left IRC (email@example.com, Ping timeout: 240 seconds)|
|21:04||bcg has joined IRC (firstname.lastname@example.org)|