Summary

To make ssh easier to secure, Edubuntu should by default set up two sshd instances: one dedicated to LTSP and one standard instance for other access. The instances might bind either to different TCP ports (e.g. 22 and 10022) or to different IP addresses, the latter requiring the server to have two IP addresses. The standard sshd could be disabled by default or have restricted access.

Rationale

Random ssh dictionary attacks are very common on the net. If the existing ssh setup is exposed to the net (e.g. for remote admin), all of the accounts are exposed to these attacks. Accounts with weak passwords are at risk of being compromised. The risk of directed attacks (e.g. a student compromising a teacher's account) is also heightened.

Currently the only protection is the use of TCP wrappers. All users must be accepted with simple password authentication for LTSP logins to work. With a second sshd instance, sshd facilities such as AllowUsers, AllowGroups and disabling PasswordAuthentication can be used (even by default) to restrict remote ssh access.
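A sketch of the split described above, added here as an illustration and not taken from the spec or from LTSP: one function writes a config per instance, another checks that a config meant for remote access disables passwords and restricts who may log in. The file names, the choice of port 10022 for the LTSP instance, the 192.168.0.254 LAN address and the `sshadmin` group are assumptions.

```shell
#!/bin/sh
# Added illustration; paths, ports, address and group name are assumptions.

# Write one sshd_config per instance into directory $1.
write_configs() {
    dir=$1
    # LTSP instance: thin-client logins need password auth for every user,
    # so it listens only on the (assumed) internal LAN address.
    cat > "$dir/sshd_config_ltsp" <<'EOF'
Port 10022
ListenAddress 192.168.0.254
PidFile /var/run/sshd_ltsp.pid
PasswordAuthentication yes
EOF
    # Standard instance: reachable remotely, keys only, one admin group.
    # (Older OpenSSH spells the fourth keyword ChallengeResponseAuthentication.)
    cat > "$dir/sshd_config_admin" <<'EOF'
Port 22
PidFile /var/run/sshd_admin.pid
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowGroups sshadmin
EOF
}

# Print the effective value of keyword $2 in file $1. sshd keeps the first
# value it reads for a keyword, and keywords are case-insensitive.
effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 only if config $1 disables password logins and names who may
# log in. An absent PasswordAuthentication counts as "yes" (sshd's default).
# Match blocks are not interpreted by this check.
internet_safe() {
    [ "$(effective "$1" PasswordAuthentication)" = "no" ] || return 1
    [ -n "$(effective "$1" AllowGroups)$(effective "$1" AllowUsers)" ] || return 1
    return 0
}
```

Each file would be handed to its own daemon with `sshd -f <file>`; `sshd -t -f <file>` checks the syntax first.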

Use Cases

A school whose server is administered remotely by a consultant, parent, etc. discovers that the server is (along with the rest of the net) getting frequent ssh brute-force attacks.

A school that does not have its net access firewalled.

A school with low-spec thin clients might wish to allow LTSP over an unencrypted ssh session, see. This probably should not be possible on an Internet-connected ssh.

Scope

This feature should, I think, be part of LTSP. As such it might be useful in Ubuntu more generally.

Design

Server

Client

Implementation

Outstanding Issues

BoF agenda and discussion



DedicatedLTSPSSH (last edited 2009-07-24 01:43:30 by acesuares)