This article, like all articles in the Dev namespace, can only be edited by LTSP developers.
LTSP with PAM authentication.
Here's a rough guide on getting a display manager, like LightDM, going with libpam-python and the pam_sshauth.py script in a fat-client-like environment.
Programs to install in the chroot:
You'll need to make sure the following programs/packages are installed in the chroot:
- libnss-extrausers (make sure the nsswitch.conf file is configured. See libnss-extrausers instructions)
Also in the chroot, you'll need ltsp-pam:
Install the files in src/* to the client's OS (the client chroot, or the server's / if using LTSP-PNP).
- In the thin client, as always, ssh_known_hosts should be set.
- If you notice a delay in between typing in the username and the password, it's because the server's sshd is looking up the reverse DNS entry of the thin client, and not finding it. Either add the thin client's IP to /etc/hosts on the server, or set UseDNS no in the server's
- If you want password expiry, you must set ChallengeResponseAuthentication yes in the server's
Theory of operation
But here's the gist:
- libpam-python calls pam-sshauth.py, which does the authentication, and creates an ssh tunnel.
- nss-extrausers is installed, so we pull across the passwd entry, and all groups that mention the user, into the nss-extrausers dir.
- Also, pam_mkhomedir runs, so the user gets a fresh homedir. /home will have to be mounted as a tmpfs or the like.
- The ssh tunnel stays up for the length of the ssh session. When lightdm runs the PAM close_session step on exit, the socket is cleanly shut down.
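The step that pulls the passwd entry and the user's groups into the nss-extrausers directory can be sketched as follows. This is an added example, not code from ltsp-pam or pam_sshauth.py: the function names, the validation rules (name pattern, refusing uid 0, masking the password field, trimming group member lists, including the primary group) and the sample data are assumptions. The destination directory is passed in explicitly; libnss-extrausers normally reads /var/lib/extrausers.

```python
import os
import re
import tempfile

NAME_RE = re.compile(r"[a-z_][a-z0-9_-]*")  # conservative name pattern (assumption)
NUM_RE = re.compile(r"[0-9]+")
# Constructed sample data standing in for the server's passwd and group databases.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:$6$hash:1001:1001:Alice:/home/alice:/bin/bash\n"
SAMPLE_GROUP = "alice:x:1001:\naudio:x:29:alice,bob\nsudo:x:27:bob\nbroken line\nvideo:x:44:alice\n"


def select_entries(user, passwd_text, group_text):
    """Return the user's passwd line and the group lines that mention them."""
    if not NAME_RE.fullmatch(user):
        raise ValueError("refusing suspicious user name")
    passwd_line = None
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == user and NUM_RE.fullmatch(f[2]) and NUM_RE.fullmatch(f[3]):
            if int(f[2]) == 0:
                raise ValueError("refusing to import a uid 0 account")
            f[1] = "x"  # never copy a password hash onto the client
            passwd_line, gid = ":".join(f), f[3]
            break
    if passwd_line is None:
        raise LookupError("no well-formed passwd entry for " + user)
    groups = []
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) != 4 or not NAME_RE.fullmatch(f[0]) or not NUM_RE.fullmatch(f[2]):
            continue  # skip malformed lines instead of handing them to NSS
        if user in f[3].split(",") or f[2] == gid:
            # keep only this user in the member list; other names are not needed
            groups.append(":".join([f[0], "x", f[2], user]))
    return passwd_line, groups


def write_extrausers(dest_dir, passwd_line, group_lines):
    """Write the passwd and group files atomically, world-readable (0644)."""
    for name, lines in (("passwd", [passwd_line]), ("group", group_lines)):
        fd, tmp = tempfile.mkstemp(dir=dest_dir)
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(entry + "\n" for entry in lines))
        os.chmod(tmp, 0o644)
        os.replace(tmp, os.path.join(dest_dir, name))
```
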
- build chroot (i.e. ltsp-build-client)
- install (for debian) the ltsp-pam package from http://cascadia.debian.net/~vagrant/debian/pool/main/l/ltsp-pam/
- add to chroot's sources.list:
deb http://cascadia.debian.net/~vagrant/debian UNRELEASED main
- ltsp-chroot apt-get install ltsp-pam
- add SCREEN_02=shell or SCREEN_02=null to lts.conf
- add DEFAULT_DISPLAY_MANAGER=/usr/sbin/lightdm or to lts.conf.
- Boot the terminal, you should get a lightdm manager.
- Log in as user, password.
- Should get your desktop (in my case, http://mate-desktop.org)
- Switch to Ctrl-Alt-F1, log in as root. Should see the user logged in as themselves, with the ssh processes owned by them. Go back to Ctrl-Alt-F7.
- Selecting "logout" should log you out clean, with no crud processes left on server, and dump you back to the lightdm login screen.
- pressing the power button on the lightdm screen should shut the terminal down.