LTSP Kiosk
Introduction

Basic Setup
Server-side Changes
Client-side Changes
Adding New Clients

Additional Features
Locking FireFox
PDF Support
Background Image
Printing

Advanced Issues
Securing Connection
Client Firewall
Detect Kiosk Idle
Booting Clients Remotely

Tailored Tools

Man-in-the-middle Issue

The standard LTSP setup uses two insecure protocols:

  • TFTP is used to deliver the kernel binary and the initial filesystem (initrd) to clients
  • NFS is used to deliver the run-time filesystem to clients

Although your web kiosks hardly contain any confidential information (as long as you secure the possible LDAP connections), neither protocol authenticates the server, so both are open to man-in-the-middle attacks. Here, the attacker would set up an LTSP server of his/her own. Instead of booting from the official kiosk server, the clients would receive a modified kiosk environment of the attacker's choice. Such a system could log all traffic, e.g. authentication data and interesting web content, to be used later on for illegal and despicable purposes.

Replacing these protocols with SSL-secured equivalents solves both problems:

  • Certificate verification prevents an attacker from setting up a hostile server, as long as he/she cannot obtain the server certificate (and the private key behind it) that the kiosks trust.
  • The traffic between the kiosk server and the clients is secured.

To achieve this, the following arrangements can be made:

Updated: 27-MAY-2004