Dev:LTSPPamNotes

= LTSP with PAM authentication. =

Here's a rough guide to getting a display manager such as LightDM going with libpam-python and the pam_sshauth.py script in a fat-client-like environment.

== Programs to install in the chroot ==

You'll need to make sure the following programs/packages are installed in the chroot:


 * libpam-python
 * libnss-extrausers (make sure the nsswitch.conf file is configured. See libnss-extrausers instructions)
 * lightdm

Also in the chroot, you'll need ltsp-pam:

https://code.launchpad.net/~ltsp-upstream/+git/ltsp-pam

Install the files in src/* to the client's OS (the client chroot, or the server's / if using LTSP-PNP).

== ssh modifications ==

 * In the thin client, as always,  should be set.


 * If you notice a delay between typing the username and the password, it's because the server's sshd is looking up the reverse DNS entry of the thin client and not finding it. Either add the thin client's IP to   on the server, or set   in the server's   file.


 * If you want password expiry, you must set  in the server's   file.

== Theory of operation ==

Here's the gist:
 * libpam-python calls pam-sshauth.py, which does the authentication and creates an ssh tunnel.


 * nss-extrausers is installed, so we pull across the passwd entry, and all groups that mention the user, into the nss-extrausers dir.


 * Also, pam_mkhomedir runs, so the user gets a fresh homedir. /home will have to be mounted as a tmpfs or the like.


 * The ssh tunnel stays up for the length of the ssh session. When lightdm runs the PAM close_session step, the socket is cleanly shut down.
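
The nss-extrausers step above, sketched as an added example (this is not code from ltsp-pam; the function names and sample data are constructed). It assumes the server's passwd and group entries arrive as `getent`-style text and that the target is the directory libnss-extrausers reads, normally /var/lib/extrausers. It also copies the user's primary group, validates what it writes, and refuses uid 0 entries:

```python
# Added illustration, not code from ltsp-pam. Names and sample data are constructed.
import os
import re
import tempfile

NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")

SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:$6$hash:1001:1001:Alice:/home/alice:/bin/bash\n")
SAMPLE_GROUP = ("alice:x:1001:\nsudo:x:27:bob\n"
                "audio:x:29:alice,bob\nbroken-line\n")

def _num(s):
    return s.isascii() and s.isdigit()

def select_entries(user, passwd_text, group_text):
    """Pick the passwd line for `user` plus every group that mentions them."""
    if not NAME.fullmatch(user):
        raise ValueError("unsafe user name")  # blocks ':' and newline injection
    pw = next((f for f in (l.split(":") for l in passwd_text.splitlines())
               if len(f) == 7 and f[0] == user), None)
    if pw is None:
        raise LookupError("no passwd entry for " + user)
    if not (_num(pw[2]) and _num(pw[3])) or int(pw[2]) == 0:
        raise ValueError("refusing non-numeric or uid 0 entry")
    pw[1] = "x"  # never copy a password field onto the client
    groups = []
    for f in (l.split(":") for l in group_text.splitlines()):
        if len(f) != 4 or not NAME.fullmatch(f[0]) or not _num(f[2]):
            continue  # skip malformed lines
        if user in f[3].split(",") or f[2] == pw[3]:
            # This example's choice: list only this user as a member.
            groups.append(":".join([f[0], "x", f[2], user]))
    return ":".join(pw), groups

def write_extrausers(directory, passwd_line, group_lines):
    """Atomically replace passwd and group in the extrausers directory."""
    for name, lines in (("passwd", [passwd_line]), ("group", group_lines)):
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        os.chmod(tmp, 0o644)  # NSS databases must be world-readable
        os.replace(tmp, os.path.join(directory, name))
```
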

== Current progress ==

 * build chroot (i.e. ltsp-build-client)


 * install (for debian) the ltsp-pam package from http://cascadia.debian.net/~vagrant/debian/pool/main/l/ltsp-pam/


 * add to chroot's sources.list:

deb http://cascadia.debian.net/~vagrant/debian UNRELEASED main


 * ltsp-chroot apt-get install ltsp-pam


 * add SCREEN_02=shell or SCREEN_02=null to lts.conf


 * add DEFAULT_DISPLAY_MANAGER=/usr/sbin/lightdm or to lts.conf.

== Testing ==

 * Boot the terminal; you should get a lightdm manager.
 * Log in as user, password.
 * You should get your desktop (in my case, http://mate-desktop.org).
 * Switch to Ctrl-Alt-F1 and log in as root. You should see the user logged in as themselves, with the ssh processes owned by them. Go back to Ctrl-Alt-F7.
 * Selecting "logout" should log you out cleanly, with no crud processes left on the server, and dump you back to the lightdm login screen.
 * Pressing the power button on the lightdm screen should shut the terminal down.