"Big-brother" thin client solution wanted
|
| Author | Content |
|---|---|
| Sander_Marechal Dec 09, 2007 1:58 PM EDT |
For a friend of mine I am looking into a thin client solution to provide computers for his house-hold. From a control and cost point of view, it will most likely need to be a thin-client solution with some heavy handed big-brother style administration. A little background: My friend has two children from a previous marriage. They are about 11-12 years old and both have problems. Serious problems. It's so bad that they have been permanently expelled from all institutions that's specifically aimed at taking care of children with similar problems. The only thing left is youth prison. They need a lot of moderation. Long story short, I'm in need of a system with draconian big-brother style parental controls similar to a prison and full logging on everything from websites to IM conversations, remote viewing capabilities, etcetera. At the moment they have two windows computers but, as usual, the kids vastly outsmart the parents in computer knowledge so any parental lockdown they try at the moment is useless and quickly circumvented (e.g. logging MSN conversations). AFACT most Linux-based thin client solutions give a lot of power to the user. Like on any Linux machine, they are able to do anything that doesn't require a root password. E.g, they can turn on/off IM logging themselves. And administrators cannot simply view what's on a user's screen without the user knowing. The user will be warned and has to approve someone else viewing along. Are there any applications/distributions that provide the kind of control I am looking for? ltsp.org perhaps? I'm hoping that LTSP being designed for schools, give a lot of power and lock-down options to the teacher. And what hardware would be required? They recently bought a Vista machine but they hate it. It's a Core Duo with 2 GB RAM. Would it be possible to convert that into a server powerfull enough for 3-4 thin clients (when at least two of them watch full-screen video)? What kind of thin clients would be needed? Any advice? Thanks in advance! |
| NoDough Dec 09, 2007 2:22 PM EDT |
Don't know if this is what you are looking for, but one of the free firewalls (either IPCOP or Smoothwall, can't remember which) will proxy and log IM conversations. Also proxies and logs web browsing. This, of course, requires another system [edit: that system being the firewall machine] between the kids and the Net. |
| Sander_Marechal Dec 09, 2007 3:06 PM EDT |
It's a start. But they'd like more though. Like the ability to view what they're viewing or the ability to set times for usage. E.g disallow the machine from (network) booting after 9 PM. And of course, the kids should be unable to install anything. I've been searching for a Linux distro aimed at prisons, but the few that have deployed Linux all state that they can release their stuff due to "security issues". |
| hkwint Dec 09, 2007 3:26 PM EDT |
I'd say google for Linux kiosk mode or so; [url=http://www.google.nl/search?q=linux kiosk mode]http://www.google.nl/search?q=linux kiosk mode[/url] Or find an inet-cafe and ask how they do it over there. |
| gus3 Dec 09, 2007 8:20 PM EDT |
Quoting:Or find an inet-cafe and ask how they do it over there.I'd think that's the last place to ask for advice. They're in it for the money, and if cutting corners (including not actually studying what they're deploying) boosts the profit margin, then 9 out of 10 times they're all for it. |
| Bob_Robertson Dec 10, 2007 7:24 AM EDT |
Sounds like a couple of kids in serious need of books, not 'Net connections no matter how well monitored. |
| Sander_Marechal Dec 10, 2007 7:40 AM EDT |
They do read books. Heaps of books. And pretty serious stuff too, considering their age. The 11 year old is now reading Stephen King's "The Dark Tower" serie. Anyway, the kids can't help how they are. It's not that they're bad kids or were raised wrong or something. |
| Bob_Robertson Dec 10, 2007 7:50 AM EDT |
Umm, I kind of meant things like Bastiat, Rothbard, Plato, even Machiavelli. Horror fiction doesn't seem something that would aid in their exploring why they're behaving in self-destructive ways. "Anyway, the kids can't help how they are." Right back to politics again, I see. Edit: Put a really big smiley on the end of that, please. |
| jdixon Dec 10, 2007 8:17 AM EDT |
> It's a Core Duo with 2 GB RAM. Would it be possible to convert that into a server powerfull enough for 3-4 thin clients (when at least two of them watch full-screen video)? Yes. That should be enough for 3-4 clients. Worst case you may need to upgrade to 4 GB to handle the video needs. Your main concern will probably be disk usage, and that can probably be resolved by an external USB hard drive (though see the recent article about the limitations of the Western Digital hard drives before buying one of them). You'll probably want to use Dan'sGuardian for your filtering. See http://dansguardian.org/ for the details. I found two articles you might fine informative: http://flakey.info/hesfes05/ http://www.linux.com/articles/26889 These discuss some details of the setup and usage. There are lots of articles on setting up LTSP with various distros. A quick Google search should give you all the information you need for your distribution of choice. |
| Sander_Marechal Dec 10, 2007 11:58 AM EDT |
Thanks for those links. DansGuardian looks pretty useful. Never heard of it before. |
| jdixon Dec 10, 2007 12:09 PM EDT |
Sander: I was hoping someone with more experience than yours truly would step forward, but since no one was forthcoming, I did the best I could to find info for you. I've looked into LTSP before, but never had the need to use it. There was a much better writeup around somewhere with more details specs for the server, but I haven't been able to find it. Here's the closest equivalent I could find: http://www.ltsp.org/twiki/bin/view/Ltsp/ServerSizing |
| theboomboomcars Dec 10, 2007 12:57 PM EDT |
You could check this thread out to see if there is anything useful in it. http://lxer.com/module/forums/t/24893/ |
| Sander_Marechal Dec 10, 2007 1:14 PM EDT |
Thanks for that. One thing I've always wondered about though: What's the difference between LTSP and forwarding X11/GDM over XDMPC or SSH? |
| jdixon Dec 10, 2007 1:39 PM EDT |
> What's the difference between LTSP and forwarding X11/GDM over XDMPC or SSH? As I understand it, LTSP let's you run a no-disk client machine. With the proper network cards, It downloads the kernel and enough of X to get you up and connected to the server. At that point, you're effectively forwarding X. Forwarding X normally requires that the OS and X already be running on the client machine. You can also choose to do this and (run fat clients) and even run the apps on the client if you want, but that removes a lot of the big-brother capability you're looking for. |
| Sander_Marechal Dec 10, 2007 2:05 PM EDT |
Okay, that's what I wanted to know. So there's no difference between locking down a regular user on a regular system and a thin client on an LTSP system (with regards to application settings, directory access and the like). |
| jdixon Dec 10, 2007 2:18 PM EDT |
> So there's no difference between locking down a regular user on a regular system and a thin client on an LTSP system... Well, except for the fact that you can control physical access to the server without impacting their clients. It's harder to completely lock down a machine the kids have access to. Given the kids involved, that may be an important detail. |
| pogson Dec 10, 2007 4:12 PM EDT |
Check out K12LTSP or EdUbuntu. They make installing a GNU/Linux terminal server easy. Alternatively, you can set up a fairly powerful newer machine as the server and two old boxes as clients. To make the boxes really kid-proof, you can lock down the BIOS and remove all drives. You could leave a live CD in a drive and lock it inside the box. The usual way schools do it is set the BIOS to boot PXE from the server so users do not have access to drives and stuff. Dansguardian is way cool. If you like you can ban EVERYTHING and permit only a few chosen sites. That is the best. Negotiate with them to choose the permitted sites. Lxer might be OK... To ban everything, you would not use Dansguadian but iptables. Right before the DROPs, put in ACCEPTS only for the approved sites. I have never done this but it would give you ultimate power. Dansguardian could still filter stuff for content, but you can restrict them to pre-approved sites. |
| techiem2 Dec 11, 2007 11:24 AM EDT |
I believe Dansguardian also has the ability to do time based access control so you could set available times. I haven't (yet) looked very deeply into myself yet though (but I need to). |
You cannot post until you login.