Remote Access Solution

NEW: See the Follow Up.

I’m in a bit of a pickle.

Traditionally, we’ve always allowed wide-open SSH access from anywhere to our main terminal server for remote access. Since we use NX (neatx, FreeNX, NXclient, etc.), all we ever needed open was SSH to make it all work nicely. Sure, SSH is a big bruteforce target but with DenyHosts and low thresholds things are pretty well under control. I realize huge distributed bruteforce attacks are still possible against a DenyHosts protected SSH daemon but we have to factor in ease of use when thinking about security and the low risk of massively distributed bruteforce attacks.

Read More


Woot! LTSP 5 + LDM over SSH (LDM_DIRECTX=False in lts.conf) + Open source radeon driver with AIGLX is working!

Nothing like running compiz smoothly on a dual monitor thin client :D

The problem I was having was that despite the X server on the thin client being fully configured and tested to use hardware acceleration locally, when connected to the terminal server over the secure LDM tunnel I was getting direct rendering with the software renderer which results in a big fail for compiz.

The key to avoiding the software renderer from being used for DRI was setting LIBGL_ALWAYS_INDIRECT=1 as an environment variable. I don’t know why with everything configured correctly that the system defaults to using the software renderer instead of indirect rendering + hardware renderer but at least forcing this environment variable in a global profile script allows for sexy hardware accelerated compiz goodness from securely connected thin clients.

Without the environment variable to force indirect rendering, glxinfo output with the LIBGL_DEBUG=verbose env variable set was complaining that the “drm device” didn’t exist. I suspect this is because glxinfo was expecting to somehow find the /dev/dri/card0 device on the terminal server itself instead of on the thin client and of course it doesn’t exist on the server… the OpenGL card is installed on the thin client!

There must be a way to get this working without the LIBGL_ALWAYS_INDIRECT environment variable but I couldn’t figure it out… this really smells of a hack but since it’s very easy to apply globally and it works just how I expect things to work, I’ll have to leave it in place until the time I can figure out another non-hacky way of getting the results I want with this configuration.

Amber Lamps!

Amber lights actually, to be a bit more accurate.

We’ve got these two IBM p505 servers that actually work pretty well. They were purchased on some kind of clear out two-for-one deal that my predecessor jumped on and while I probably wouldn’t be the guy to buy these machines in the first place, I’ve come to strangely like them. These server run our DNS, DHCP and soon-to-be LDAP stuff. It’s all distributed, replicated and zone-transfered goodness.

However, as of this writing they are both sportin’ a solid amber light on the LightPath diagnostics and the procedure to clear the amber light is… well… rather unclear. I think it’s unclear because we don’t have an HMC (Hardware Management Console) so we don’t get a lot of the spiffy external management features that these systems offer. Add to the fact that we run Linux on these hosts as opposed to AIX, which apparently has OS-level tools for querying the event log and flipping the light switches. I can’t find anything equivalent on Linux for p-Series systems… yet.

Read More