IRC chat logs for #ltsp on irc.libera.chat (webchat)


Channel log from 3 February 2023   (all times are UTC)

01:21 vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:40, Ping timeout: 248 seconds)
01:26 vagrantc has joined IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:40)
06:28 woernie has joined IRC (woernie!~werner@p5dded9bd.dip0.t-ipconnect.de)
06:35 wyre is back
07:04 ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)
07:07 wyre is now away: Auto away at Fri Feb 3 07:05:55 2023 UTC
07:32 wyre is back
07:57 vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:40, Quit: leaving)
10:20
<vsuojanen[m]>
I am deploying ltsp remotapp for ltsp clients, the clients are configured to boot chrootless image. There won't be any sensitive or personal running on the clients so the clients share one autologin account with kiosk style NFS homedirs.
10:22
If I wish passwordless SSH should I setup one SSH key in the autologin user public keys or one SSH key for each client machine?
10:27
I know it works but I can't choose where to keep the keys on the clients for ensuring some security for the autologin account
10:35
<alkisg>
vsuojanen: for kiosks, it's best not to use sshfs at all. Either use tmpfs home, or if you need server-side space, use e.g. 5 GB home loopback files, one per client, encrypted and mounted over nfs
10:37
If you opt to use sshfs after all, use one account per pc, and the "sshfs chroot" trick to restrict their access on the server
10:37
You can't use a single home for all of them. Not only is it a security issue, but apps will start losing data or crashing
10:39
<vsuojanen[m]>
we are using the /home/nfs/$MAC_ADDRESS/home setup, https://github.com/ltsp/ltsp/wiki/Single-guest-session-over-NFS
10:40
<alkisg>
That's fine, then why do you need ssh keys?
10:43
<vsuojanen[m]>
The app isn't available/published to the client network, that's why I use the ltsp server where we have another network connection with xfreerdp
10:44
clients will launch xfreerdp as ltsp remoteapp
10:44
<alkisg>
You can't use a single account for multiple sessions
10:46
I don't get one thing though. If it's all passwordless, that means that anyone can run xfreerdp and get the app without a password
10:46
So why don't you make it available to the network?
10:46
Is it related to security, or the app just won't run in the clients due to its design?
10:48
<vsuojanen[m]>
both actually, the app is now launched with Citrix Workspace and it doesn't work well in the Citrix server.
10:50
the app is now moved to separate isolated servers (one virtual machine for each user)
10:50
<alkisg>
And they get there without a password, or they need to enter a username/password in xfreerdp?
10:51
And why would you run xfreerdp over remoteapps (=very slow) instead of running it directly on the clients?
10:52
<vsuojanen[m]>
it's one xfreerdp connection, without passwords. only issue is should I implement the ssh keys and how?
10:53
<alkisg>
I can't answer while I'm missing key information
10:53
Why can't the xfreerdp run directly on the clients?
10:54
What you described so far needs no server state, so why does xfreerdp need to run on the ltsp server...
10:56
<vsuojanen[m]>
I'm sorry. The rdp connection to the appservers can't be opened in the network where the clients are. I thought it would be easier with ltsp remoteapps
10:56
<alkisg>
vsuojanen: it sounds like you need net forwarding, not application forwarding
10:57
Xorg forwarding means a lot of cpu and network usage due to screen capturing, transferring, rendering, and then again capturing and transferring
10:57
While if you use a simple proxy server on the ltsp server, or wireguard, or iptables, you don't have any of these issues, AND you don't need to give a server user account to kiosk users
10:58
Of course you can do it with ltsp remoteapps too, but its performance will be a lot worse, and its resource requirements a lot more
11:02
<vsuojanen[m]>
I think you have a point, I already did forwarding but I guess I need more thinking. Luckily I haven't spent too much time here with the ltsp remoteapps
11:04
thank you alkisg for your support, I appreciate it
11:04
<alkisg>
👍️
11:06
<vsuojanen[m]>
yes, thanks I'm now getting back on the idea
11:08
the app needed very much work in firewall, then I thought ltsp again would save me with some shortcut
11:09
<alkisg>
You can use wireguard between the ltsp clients and the ltsp server if you must; it requires only one port; and it'll be a looooot faster than remoteapps
11:12
<vsuojanen[m]>
yeah I've heard you and others talking about it here, but hadn't started getting to know it yet
12:15 highvoltage is back
12:43
<alkisg>
vsuojanen: man xfreerdp ==> see the /proxy parameter there, it looks like the fastest and more efficient way forward
12:43
So you'd run xfreerdp on the ltsp clients, and a proxy server in the ltsp server
12:44
<vsuojanen[m]>
yes. good timing.
12:49
hmm. I was doing iptables. I will check that too, thanks
13:27 wyre is now away: Auto away at Fri Feb 3 13:26:08 2023 UTC
13:29 woernie has left IRC (woernie!~werner@p5dded9bd.dip0.t-ipconnect.de, Ping timeout: 260 seconds)
13:29 woernie has joined IRC (woernie!~werner@www.velometrik.eu)
14:13 woernie has left IRC (woernie!~werner@www.velometrik.eu, Ping timeout: 248 seconds)
14:14 woernie has joined IRC (woernie!~werner@p5dded9bd.dip0.t-ipconnect.de)
14:18 sunweaver is back
14:35 woernie has left IRC (woernie!~werner@p5dded9bd.dip0.t-ipconnect.de, Ping timeout: 255 seconds)
14:35 woernie has joined IRC (woernie!~werner@www.velometrik.eu)
15:26 sunweaver is now away: not here ...
16:14 woernie has left IRC (woernie!~werner@www.velometrik.eu, Ping timeout: 260 seconds)
16:14 woernie_ has joined IRC (woernie_!~werner@p5dded9bd.dip0.t-ipconnect.de)
17:08 wyre is back
18:21 wyre is now away: Auto away at Fri Feb 3 18:20:21 2023 UTC
18:24 vagrantc has joined IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:40)
21:36 wyre is back
21:51 jgee1186922 has left IRC (jgee1186922!~jgee@186.80.49.20, Quit: The Lounge - https://thelounge.chat)
21:53 jgee1186922 has joined IRC (jgee1186922!~jgee@186.80.49.20)
22:42 ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)
23:41 sunweaver is back