Friday, April 13, 2007

Security vs tech support...

Every system architect knows that there is a fine line between genius and madness; the same goes for security and technical support. To protect the end users you need to lock the system down to a bare minimum and limit the users' access to system resources and communication. This includes firewalls, a limited package count and reduced functionality. So how do you run the service desk?

Around 70% of problems the technician can solve by simply logging into the PC with ssh. What about the remaining 30%? Well, so as not to compromise security, you can't put a VNC server on a public net (easily spyable/fakeable passwords and user names go in plain text, etc. etc. etc.).

In KDE it's simple: Krfb works like a charm, can do basic digest authentication and can be configured to bind to a specific interface (preferably localhost [127.0.0.1]). So, for the technician to see what the user sees, the user generates a support request and sends it to the technician, and once the technician is finished the session is finished. This lowers the risk of the technician spying on the end user.

Simple, huh? Well, not really. With GNOME it isn't: GNOME is so devoted to simplicity that it lacks the configuration option, though it does provide the server itself (it's called vino, btw). To get it to bind only to localhost you need to hack the code, but it is doable. The alternative would be to install Krfb with all of its requirements (half of the KDE environment), which is not practical and can cause conflicts in package relations.

To use VNC you need a vncviewer package, and the command to initiate the session is "vncviewer -via <the host name of the PC> localhost". This pushes the VNC data through the SSH tunnel and encrypts it in transit. Security is elemental :)
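A quick check that the VNC server really is bound to localhost only, so that the SSH tunnel is the one way in. This is an added example, not part of the original post; it assumes the Linux `ss -ltn` column layout and that VNC displays listen on TCP ports 5900-5999.

```shell
#!/bin/sh
# Added example: flag VNC listeners (TCP 5900-5999) reachable from other hosts.
# Reads `ss -ltn` style lines on stdin: State Recv-Q Send-Q Local Peer.

exposed_vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n] + 0                      # text after the last colon
        if (port < 5900 || port > 5999) next     # not a VNC display port
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        sub(/^\[/, "", host); sub(/\]$/, "", host)   # [::1] -> ::1
        if (host ~ /^127\./ || host == "::1") next   # loopback only: fine
        print addr                               # wildcard or LAN address
    }'
}

# Succeeds only when no VNC port is bound to a non-loopback address.
vnc_is_local_only() {
    [ -z "$(exposed_vnc_listeners)" ]
}

# Constructed sample input (not captured from a real machine).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 5 [::1]:5900 [::]:*
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 [::]:5902 [::]:*'

if printf '%s\n' "$SAMPLE" | vnc_is_local_only; then
    echo "VNC is bound to loopback only"
else
    echo "VNC reachable without the SSH tunnel on:"
    printf '%s\n' "$SAMPLE" | exposed_vnc_listeners
fi
```

On the user's PC, feed it live data with `ss -ltn | vnc_is_local_only` after starting the VNC server.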


Have fun experimenting :)

