Use ssh-copy-id for authentication #369

Open
alkisg opened this issue Jan 7, 2021 · 3 comments
Comments

alkisg (Member) commented Jan 7, 2021

LTSP5 used a master/control SSH socket for LOCAL_APPS_EXTRAMOUNTS and to run additional commands on the server.
In the new LTSP we opted not to use a control socket in order to avoid keeping an SSH connection to the server alive, at least when SSHFS isn't used. So LOCAL_APPS_EXTRAMOUNTS wasn't implemented, but some users need it, for example see #368.

A different approach would be for pamltsp to generate a temporary SSH key for each authenticating user, and use ssh-copy-id for the initial authentication. If that succeeds, then root on the client can run sshfs user@server: /home/user passwordlessly. This also means that LOCAL_APPS_EXTRAMOUNTS can be more easily implemented, and even SSHFS reconnections might work.

I plan to implement this next year, along with making pamltsp an ltsp applet, so that it can directly read ltsp.conf parameters.
Additionally, the actual mount command might be implemented as part of ltsp session instead of pamltsp, we'll see about that part.
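The scheme described in this comment (per-login temporary key, installed with ssh-copy-id, then a passwordless sshfs mount by root), written out as an added example; this is editor-supplied code, not pamltsp's or LTSP's. Assumptions: the key lives under /run/ltsp/pamltsp/USER (root-only), the server's host key is already in root's known_hosts, the client has OpenSSH 8.4 or newer (for SSH_ASKPASS_REQUIRE), and the password arrives on stdin as pam_exec's expose_authtok delivers it.

```shell
#!/bin/sh
# Added example, not pamltsp or LTSP code: one login's temporary SSH key,
# installed on the server with ssh-copy-id, then used by root for a
# passwordless sshfs mount of the user's home.
# Assumptions: keys live under /run/ltsp/pamltsp/<user> (root-only), the
# server's host key is already in root's known_hosts, OpenSSH >= 8.4 on the
# client (SSH_ASKPASS_REQUIRE), and the password arrives on stdin the way
# pam_exec's expose_authtok delivers it.

KEYBASE="${KEYBASE:-/run/ltsp/pamltsp}"

# Root-only directory for one user's key; rejects names that could escape it.
ensure_keydir() {
    user="$1"
    case "$user" in
        ''|*/*|*..*|*[!A-Za-z0-9._-]*) echo "ensure_keydir: bad user name" >&2; return 1 ;;
    esac
    dir="$KEYBASE/$user"
    mkdir -p -m 0700 "$KEYBASE" "$dir" && chmod 0700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Fresh ed25519 key pair per login; the comment tags it for later cleanup.
gen_temp_key() {
    key="$1/id_ed25519"
    rm -f "$key" "$key.pub"
    ssh-keygen -q -t ed25519 -N '' -C "pamltsp-$(hostname)-$$" -f "$key" || return 1
    printf '%s\n' "$key"
}

# Install the public key with the user's password. Pubkey auth is disabled
# for this step so that success really means the password was accepted
# (a stray key in root's ~/.ssh must not let a wrong password through), and
# the password goes through SSH_ASKPASS rather than argv or a terminal.
install_key() {
    user="$1" server="$2" key="$3" password="$4"
    askpass="$(dirname "$key")/askpass.sh"
    (umask 077; printf '#!/bin/sh\nprintf %%s "$PAMLTSP_PW"\n' > "$askpass") && chmod 0700 "$askpass" || return 1
    PAMLTSP_PW="$password" SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force \
        ssh-copy-id -i "$key.pub" -o StrictHostKeyChecking=yes \
            -o PubkeyAuthentication=no "$user@$server"
    rc=$?
    rm -f "$askpass"
    return $rc
}

# Mount as root using only the temporary key; uid/gid present the files as
# the local user, reconnect rides out short network drops.
mount_home() {
    user="$1" server="$2" key="$3" mnt="$4"
    uid="$(id -u "$user")" && gid="$(id -g "$user")" && mkdir -p "$mnt" || return 1
    sshfs "$user@$server:" "$mnt" \
        -o IdentityFile="$key" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o PasswordAuthentication=no -o StrictHostKeyChecking=yes \
        -o allow_other -o uid="$uid" -o gid="$gid" -o reconnect
}

# At session end, drop this login's key from the server's authorized_keys so
# temporary keys do not pile up there, then remove the local copy.
revoke_key() {
    user="$1" server="$2" key="$3"
    tag="$(awk '{print $3}' "$key.pub")"
    ssh -i "$key" -o IdentitiesOnly=yes -o BatchMode=yes "$user@$server" \
        "grep -v -F -- '$tag' ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.tmp; mv ~/.ssh/authorized_keys.tmp ~/.ssh/authorized_keys"
    rm -rf "$(dirname "$key")"
}

main() {
    user="$1" server="$2" mnt="$3"
    IFS= read -r password || [ -n "$password" ] || exit 1   # one line on stdin
    dir="$(ensure_keydir "$user")" || exit 1
    key="$(gen_temp_key "$dir")" || exit 1
    install_key "$user" "$server" "$key" "$password" || { rm -rf "$dir"; exit 1; }
    mount_home "$user" "$server" "$key" "$mnt"
}

if [ $# -ge 3 ]; then
    main "$@"
else
    echo "usage: $0 USER SERVER MOUNTPOINT   (password on stdin)" >&2
fi
```

Two points worth checking in a real deployment: the user can read and edit their own ~/.ssh/authorized_keys on the server, so ssh-copy-id only proves the password at install time and revoke_key (or something equivalent) is needed to keep old public keys from accumulating; and the private key never leaves /run/ltsp/pamltsp/USER, which is mode 0700 and root-owned, so the user gets the mount but not the credential.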

alkisg (Member, Author) commented Oct 11, 2021

A different approach would be:

  1. Since a network service will be implemented in LTSP for e.g. downloading ltsp.img, the same service can be used for authentication. No need for the SSH server package to be installed anymore; but the LTSP package will be mandatory for login servers while now it's not.
  2. That service can transfer a local login "PAM chat" over a secure tunnel to the client, so that even password expiry and renewal can be handled.
  3. After logging in on the server, an SSH ID can be generated for that user, and be sent to pamltsp on the client. The user will never have access to it; it will be placed somewhere under /run/ltsp/pamltsp. Pamltsp will use it to connect via SSHFS, if needed, while the server can accept it using AuthorizedKeysCommand in sshd_config.d.
  4. The same authentication scheme could also be used to mount the home dir over samba; this might even avoid the SSHFS issues we're seeing. Also, it could be used to unlock a loopback encrypted file and mount it as /home/username.
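Item 3 above (a server-generated key per logged-in user, accepted through AuthorizedKeysCommand) as an added example, written by the editor and not taken from LTSP. Assumed: the public halves are kept in /var/lib/ltsp/authkeys/USER.pub, the helper is installed at /usr/local/libexec/ltsp-authkeys, and sshd picks it up from a drop-in in /etc/ssh/sshd_config.d (all of these names are assumptions). The key is restricted to the sftp subsystem, which is all sshfs needs.

```shell
#!/bin/sh
# Added example, not LTSP code: serve a server-generated, per-user SSH
# public key to sshd via AuthorizedKeysCommand.
# Assumed drop-in /etc/ssh/sshd_config.d/ltsp.conf:
#     AuthorizedKeysCommand /usr/local/libexec/ltsp-authkeys %u
#     AuthorizedKeysCommandUser nobody
# sshd requires the command to be an absolute path, owned by root and not
# writable by group or others; the key store must be readable by the
# AuthorizedKeysCommandUser but writable only by root (0755 dir, 0644 files).

KEYSTORE="${KEYSTORE:-/var/lib/ltsp/authkeys}"

# Generate a key pair after the user has authenticated through the login
# service. The public half goes to the key store (atomic rename so sshd never
# sees a half-written file); the private key path is printed so the caller can
# send it to pamltsp over its tunnel and must then delete it here.
issue_user_key() {
    user="$1"
    case "$user" in ''|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    tmp="$(mktemp -d)" || return 1
    ssh-keygen -q -t ed25519 -N '' -C "ltsp-$user" -f "$tmp/id_ed25519" || return 1
    (umask 022; cp "$tmp/id_ed25519.pub" "$KEYSTORE/$user.pub.tmp") || return 1
    mv "$KEYSTORE/$user.pub.tmp" "$KEYSTORE/$user.pub" || return 1
    printf '%s\n' "$tmp/id_ed25519"
}

# Print authorized_keys line(s) for one user. Refuses user names that could
# escape the store, accepts only the key types this service generates, drops
# the comment field, and forces the key into internal-sftp with "restrict" so
# a leaked key cannot open a shell, forward ports or get a pty.
# Exit 0 with no output when the user has no key: sshd then falls back to
# AuthorizedKeysFile, so ordinary key logins keep working.
authorized_keys_for() {
    user="$1"
    case "$user" in ''|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    f="$KEYSTORE/$user.pub"
    [ -f "$f" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case "$1" in ssh-ed25519|sk-ssh-ed25519@openssh.com|ecdsa-sha2-nistp256) ;; *) continue ;; esac
        case "$2" in ''|*[!A-Za-z0-9+/=]*) continue ;; esac
        printf 'restrict,command="internal-sftp" %s %s\n' "$1" "$2"
    done < "$f"
}

if [ $# -eq 1 ]; then
    authorized_keys_for "$1"
else
    echo "usage: $0 USER   (as invoked by sshd with %u)" >&2
fi
```

If the same key is also meant to run the extra commands that LTSP5 sent over the control socket, the forced command has to go; keeping "restrict" alone still turns off forwarding and pty allocation. Keys should also be removed from the store when the session ends, otherwise each login leaves a permanent credential behind.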

Soylor commented Feb 18, 2023

Is this implemented as an applet yet?

alkisg (Member, Author) commented Feb 19, 2023

No, this ticket is still open. :)

Labels: None yet
Development: No branches or pull requests
2 participants