[Server-devel] [support-gang] Value of remote access to School Servers.

David Farning dfarning at activitycentral.com
Wed Jul 3 09:07:43 EDT 2013


James,
As you can see we don't pretend to have all the details worked out  :)

We hope that this incentive helps encourage a public feedback loop between
ideas and implementations like this thread.


On Wed, Jul 3, 2013 at 4:38 AM, George Hunt <georgejhunt at gmail.com> wrote:

> The central openvpn server would be configured to pass out local
> (unroutable in the wider internet) addresses in the 10.0.0.0/8 subnet to
> each client.
>
> There would be one public/private key pair distributed with the XSCE
> software distribution, for testing. The server would be configured to
> accept multiple connections from the same key pair. Effectively this would
> create a "party line", where everyone who had access to the key pair would
> have access to the "party line".  Then they would be able to ping all the
> other XSCE servers, on the local 10.0.0.0/8 virtual private network
> (which is worldwide) -- assuming that the firewalls were set to enable ping
> responses. And they could log into any servers on that party line, for
> which they had ssh authentication credentials.
>
> Then, most likely with passwords turned off, deployments could use
> public/private key pairs they generate themselves to access their own
> servers.
>
> For an additional level of security, deployments could contact
> activitycentral to get their own public/private key pairs, one for each
> machine, and a config file which connects to different ports, openvpn
> instances, virtual box instances, or whole physical machines.
>
> At the extreme, a deployment could have its own virtual private network,
> protected by key pairs known only to itself, on its own machine, running
> under lock and key, in its own back room, and then ssh (password or key
> pair) connection to each of its machines.
>
> George
>
>
> On Wed, Jul 3, 2013 at 4:36 AM, Anish Mangal <anish at activitycentral.com> wrote:
>
>>
>>
>> On Wed, Jul 3, 2013 at 1:54 PM, James Cameron <quozl at laptop.org> wrote:
>>
>>> On Wed, Jul 03, 2013 at 12:45:35PM +0530, Anish Mangal wrote:
>>> > James wrote:
>>> > > Would the person accessing their XSCE remotely then establish
>>> > > another tunnel to your OpenVPN server, or would your server do
>>> > > inbound connection forwarding?
>>> >
>>> > Hmm. I'm not so clear on that. I can give the example of a setup in
>>> > Bhagmalpur (a pilot we recently did).
>>> >
>>> > 1. There is an openVPN server hosted by Sameer.
>>> > 2. The XSCE when connected to the internet dials into this open vpn
>>> >    server.
>>>
>>> Thanks, I understand the first two steps, and they sound good.
>>>
>>> > 3. I can login to the XSCE through the openVPN connection through
>>> >    ssh and administer remotely.
>>>
>>> How is this last step achieved?  There's much flexibility, so I'm
>>> curious.  I imagine one of three methods:
>>>
>>> a.  does the user first SSH into an account on the OpenVPN server and
>>> then SSH again to the XSCE, or;
>>>
>>> b.  does the user SSH to a particular port on the OpenVPN server that
>>> is automatically forwarded to the XSCE, or;
>>>
>>> c.  does the XSCE have a routable IP address, courtesy of the OpenVPN
>>> server, to which SSH is directed?
>>>
>>>
>> I'm not sure... let me explain (perhaps Sameer or Santi can chime in)...
>>
>> I have a set of openVPN keys on my laptop through which I connect to the
>> openVPN server automatically (and a network called tun0 is created)
>>
>> I know the IP address of the XSCE in Bpur
>>
>> So, from my laptop, I just do ssh root@<ip address of XSCE on the
>> openVPN network>
>>
>> Does it make things any clearer?
>>
>>
>>> --
>>> James Cameron
>>> http://quozl.linux.org.au/
>>>
>>
>>
>> _______________________________________________
>> support-gang mailing list
>> support-gang at lists.laptop.org
>> http://lists.laptop.org/listinfo/support-gang
>>
>>
>


-- 
David Farning
Activity Central: http://www.activitycentral.com
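
An added example, not part of the original thread or of the XSCE project's code: a small Python audit of an OpenVPN server config for the settings that produce the shared-key "party line" described in the quoted proposal, compared against a per-deployment instance. Both sample configs, the `client-to-client` and `ccd-exclusive` checks, and the /16 threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a server config for the shared-key "party line" setup.
PARTY_LINE_CONF = """\
# constructed sample, not a real deployment's file
port 1194
proto udp
dev tun
server 10.0.0.0 255.0.0.0
duplicate-cn
client-to-client
"""

# Constructed sample: per-machine certificates, clients isolated from each other.
PER_DEPLOYMENT_CONF = """\
port 1195
proto udp
dev tun
server 10.8.1.0 255.255.255.0
client-config-dir ccd
ccd-exclusive
"""

def parse(conf):
    """Return {directive: [args]} for an OpenVPN config, ignoring comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def audit(conf):
    """List findings that make a tunnel behave like a shared party line."""
    opts, findings = parse(conf), []
    if "duplicate-cn" in opts:
        findings.append("duplicate-cn: one key pair serves many clients, no per-machine revocation")
    if "client-to-client" in opts:
        findings.append("client-to-client: every client can reach every other client")
    if "ccd-exclusive" not in opts:
        findings.append("no ccd-exclusive: any CA-signed certificate may connect, no per-machine allow list")
    if len(opts.get("server", [])) == 2:
        net = ipaddress.ip_network("/".join(opts["server"]), strict=False)
        if net.prefixlen < 16:  # assumed threshold for "one flat pool"
            findings.append(f"server {net}: one flat address pool for all deployments")
    return findings
```

With either setup, SSH on each server remains the last line of access control, which is why the proposal pairs the shared tunnel with deployment-generated SSH keys and passwords turned off.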