[X2Go-Commits] [[X2Go Wiki]] page changed: doc:howto:tce

wiki-admin at x2go.org wiki-admin at x2go.org
Mon Nov 20 12:10:09 CET 2017


A page in your DokuWiki was added or changed. Here are the details:

Date        : 2017/11/20 11:10
Browser     : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address  : 134.3.37.90
Hostname    : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511142608
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: Updated to reflect latest changes to build script and available boot params
User        : stefanbaur

@@ -38,11 +38,11 @@
  ==== Configuring the Build ====
  <code>
  # Select ONE of the following git reposities
  # this one loosely corresponds to "stable"
- export LBX2GO_CONFIG='git://code.x2go.org/live-build-x2go.git::feature/openbox'
+ export LBX2GO_CONFIG='git://code.x2go.org/live-build-x2go.git::feature/openbox-with-magic-pixel-workaround'
  # this one loosely corresponds to "heuler"
- #export
LBX2GO_CONFIG='https://github.com/LinuxHaus/live-build-x2go::feature/openbox'
+ #export LBX2GO_CONFIG='https://github.com/LinuxHaus/live-build-x2go::feature/openbox-with-magic-pixel-workaround'
  
  # Select ONE of the following LBX2GO_ARCH lines and comment out the others 
  # (feel free to use long or short options)
  # for 64-Bit builds, use:
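Review bot: The default export on the first changed line still fetches the build configuration over git://, which has no transport authentication or integrity protection, so anyone able to tamper with that connection can alter what ends up in the image; the commented-out alternative already uses https://. Consider adding a comment line that says so, or switching the default to an authenticated URL if code.x2go.org offers one. While here, "reposities" in the first comment line should read "repositories".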
@@ -66,10 +66,12 @@
  export LBX2GO_DEFAULTS='--backports true
                          --firmware-chroot true
                          --initsystem sysvinit
                          --security true
-                         --updates true'
-                         
+                         --updates true
+                         --distribution jessie'
+ # you can create stretch builds by appending ''-stretch'' (no leading blank) to LBX2GO_CONFIG and changing jessie to stretch here.
+ 
  export LBX2GO_ARCHIVE_AREAS="main contrib non-free"
  
  # This is to optimize squashfs size, based on a suggestion by intrigeri from the TAILS team
 
# note that this will permanently change /usr/lib/live/build/binary_rootfs
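Review bot: The added comment line writes the suffix as ''-stretch'', using DokuWiki monospace markup among shell export lines, where it will most likely be displayed literally and a reader may copy the apostrophes into the value. Write the suffix plainly, or better, spell out the complete resulting LBX2GO_CONFIG value (if the intent is a branch name ending in -workaround-stretch), so it is clear that the suffix goes on the branch name and that --distribution has to change in the same step.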
@@ -746,17 +748,19 @@
  === These are entirely optional ===
    * ''bg=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-bg.svg'' - use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace theblue background theme of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server.  Note that whoever manages to spoof the server name can inject rogue images into your ThinClients. To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
    * ''blank=n|n:n:n'' - Will disable (''blank=0'') or set screensaver timeout. Use ''blank=n:n:n'' to set DPMS Standby/Suspend/Off values. Standby value equals screensaver timeout value. All values are given in seconds.
    * ''branding=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-branding.svg'' - use this to specify an SVG file to
"brand" your X2Go-TCE with. It will replace the seal icon in the lower left of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server.  Note that whoever manages to spoof the server name can inject rogue images into your ThinClients. To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
+   * ''copysecring'' - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the following directories: ''config/ssh'', 'ssh', ''.ssh''. Any SSH Secret Keys found there will be copied into /home/user/.ssh (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/don't want to have to re-insert it before each session startup. **Note:** This poses
a security risk when other people are using your thin client afterwards (as they will have access to your keys), so be sure to power-cycle the thinclient once you are done.
    * ''ldap=ldap.example.com:389:cn=cngoeshere,dc=example,dc=com'' - this allows you to specify an LDAP server to connect to - note that this is not needed for LDAP-based authentication, only when you intend to store entire session profiles in LDAP. You should really consider using the X2Go Session Broker instead.
    * ''ldap1=ldap-backupserver-1.example.com:389'' - this allows you to specify the first of up to two LDAP backup servers when using LDAP authentication
    * ''ldap2=ldap-backupserver-2.example.com:389'' - this allows you to specify the second of up to two LDAP backup servers when using LDAP authentication 
    * ''nodpms'' - Will not touch DPMS settings at all (by default, ''blank=0'' does both ''xset s off'' and ''xset -dpms''). Use this along with ''blank=n'' if you do want to blank the screen,
but your screen is confused by DPMS settings.
+   * ''nomagicpixel=1'' or ''nomagicpixel=2' - you should set ''nomagicpixel=1'' while the "magic pixel" (clicking in the upper right corner of the screen will minimize a fullscreen session) is still active in thinclient mode (this feature is expected to be disabled at some point in the future). ''nomagicpixel=1'' will disable the window manager when exactly 3 windows are detected (that's the usual situation when a fullscreen session is active). It will re-enable openbox whenever more or less than 3 windows are detected. If this fails for you, you can try ''nomagicpixel=2'', which will try to trigger on the window-minimize command and restore it to fullscreen. Note that ''nomagicpixel=2'' is known to cause problems when trying to run the actual X2Go-TCE client as a virtual machine guest (the //X2GoServer// you connect to may be a VM guest, no problems there). To live with the magic pixel bug, simply do not add this option at all.
    *
''pubkey=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.authorized_keys'' - Allows you to add an ssh public key file to the ThinClient, so your administrators can log in remotely using SSH. Note that this file needs to be chmodded 644, not 600, on the web server.  **Attention: Whoever manages to spoof this server name will have root access to your ThinClients. Using HTTPS will mitigate this - an attacker would not only have to spoof the server name, but also the matching certificate.**
-   *  ''session=sessionname'' - use this to specify a session by name that should be pre-selected on startup. The name must be listed in the sessions file and may only contain characters from the following charset: //a-zA-Z0-9.:/ _-// (We suggest naming the default session ''default'' and using ''session=default''.) When using a session name with blanks, please enclose the sessionname in either single or double quotes, like so: ''session="session name"'' / ''session='session
name''' As of 2017-10-26, this feature is only available in builds created from the https://github.com/LinuxHaus/live-build-x2go::feature/openbox repository/branch. The official repository will follow soon (or so we hope ;-)).
+   *  ''session=sessionname'' - use this to specify a session by name that should be pre-selected on startup. The name must be listed in the sessions file and may only contain characters from the following charset: //a-zA-Z0-9.:/ _-// (We suggest naming the default session ''default'' and using ''session=default''.) When using a session name with blanks, please enclose the sessionname in either single or double quotes, like so: ''session="session name"'' / ''session='session name'''
    * ''tcpprint'' - Will allow you to use local LPT/USB printers like "dumb" network printers (listening to port 9100 and above). Requires MAC->IP mapping in DHCP server (and optionally, DNS->IP mapping), or static IPs - else your print jobs will end up on random devices. This
setup is preferred over the X2GoClient's built-in printing for locally attached printers if X2GoServer and ThinClients are on the same network. It is not recommended when your X2Go connection goes across the internet or when the ThinClient is actually a laptop roaming between different networks. **Attention:** When used without ''tcpprintonlyfrom'' (see below), this means anyone that can reach your thin client via e.g. ping can also send print jobs to it!  
    * ''tcpprintonlyfrom=x.x.x.x'' - Will allow you to specify which IP address may connect to Port 9100 and above for printing to a locally attached LPT/USB printer. This should be the IP of your CUPS server or whatever print server system you use.  Understands the same syntax as xinetd's ''only_from''. 
-   * ''throttle=n|n:n:n:n:n'' - Will throttle down- and upload speed (''throttle=n'') or set throttling limits as follows: download:upload:smoothingtime:smoothinglength:latency. Defaults for up- and download are 10
(KiloBytes/s), 3.0 (seconds, using decimals is permitted) smoothingtime, 20 (KiloBytes), 0 (ms). for a detailed description of these parameters, see "man trickle". You can use the first 1, 2, 3, 4 or all 5 parameters. To set down- and/or upload speed to unlimited, use the letter "u" instead of a numeric value. As of 2017-10-31, this feature is only available in builds created from the https://github.com/LinuxHaus/live-build-x2go::feature/openbox repository/branch. The official repository will follow soon (or so we hope ;-)).
+   * ''throttle=n|n:n:n:n:n'' - Will throttle down- and upload speed (''throttle=n'') or set throttling limits as follows: download:upload:smoothingtime:smoothinglength:latency. Defaults for up- and download are 10 (KiloBytes/s), 3.0 (seconds, using decimals is permitted) smoothingtime, 20 (KiloBytes), 0 (ms). for a detailed description of these parameters, see "man trickle". You can use the first 1, 2, 3, 4 or all 5 parameters. To set down- and/or upload speed
to unlimited, use the letter "u" instead of a numeric value.
    * ''xinerama=left-of|right-of|above|below|same-as'' - Allows you to specify how multiple screens are handled (same-as clones the primary screen to all secondary screens, the other commands will cascade and thus expand the screen). Note that the current implementation will enforce "same-as" if it detects a touch screen driver (wacom) and no other pointing device. This is so you won't get stuck being unable to log off, for example, due to your touch device being limited to one screen.
    * ''xorg-resolution=HRESxVRES'' - will force the horizontal resolution to HRES and the vertical resolution to VRES, e.g. ''xorg-resolution=1280x1024'', useful if autodetection for the correct screen size fails, but you do get as far as seeing the X2Go GUI
    * ''xorgconfurl=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.xorg.conf'' - when a client outright refuses to boot into the graphical X2Go login screen,
but gets stuck at the console or a black screen instead, yet you can get the GUI to work using a regular Linux on the same hardware, you can disable the X Server's autodetection and force it to use the xorg.conf specified here.  Note that you should use a more descriptive name for the file, as described below. Also note that whoever manages to spoof the server name can inject rogue xorg config files into your ThinClients.  To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
  
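Review bot: In the added ''nomagicpixel'' entry the second option is closed with a single apostrophe (''nomagicpixel=2'), and in the added ''copysecring'' entry the middle directory is written 'ssh' with single quotes, so the monospace markup is unbalanced in both places; use doubled apostrophes on both sides. The ''copysecring'' warning also only covers later users of the same thin client: since the entry says keys are picked up from USB and fixed disk media at boot and stay in /home/user/.ssh until power-off, it would help to recommend passphrase-protected keys there and to state whether a key found on fixed disk media is copied on every boot without any prompt.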
@@ -1047,4 +1051,6 @@
  
  FIXME Even though we set the hostname to localhost using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debian.html
  
  FIXME At least when building a stretch TCE on a jessie system, you need to add kernel parameters ''net.ifnames=0
biosdevname=0'' to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. This might not be necessary when building a stretch TCE on stretch. For a jessie TCE on jessie, it is not required.
+ 
+ FIXME Document config/sshdkeys in detail.
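Review bot: The new FIXME names config/sshdkeys but gives no hint of what it is for, so a reader who comes across that directory has nothing to go on. Until the full text exists, add one sentence stating its purpose and the ownership and permissions its files need, and if it holds SSH daemon key material (an assumption from the name only), say how it should be protected.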


-- 
This mail was generated by DokuWiki at
https://wiki.x2go.org/


