configuration suggestions and browser lockdowns

Gavin McCullagh gmccullagh at gmail.com
Fri Oct 19 10:01:22 BST 2007 

Hi,

On Wed, 17 Oct 2007, Bill Moseley wrote:

> Our small elementary school received a donation of reasonably new
> machines, all fast P4s with 1GB and large disks.  One common use is
> educational games via flash over the Internet.  Although much of the
> documentation discusses using LTSP, my thinking is that there will be
> quite a bit of screen bandwidth needed.  Since the machines are
> powerful I'm thinking it makes more sense to not use LTSP.

Animated stuff will use more bandwidth alright.  That said, it might not be
as bad as you think.  Make sure the server has a GigE network card to its
switch and that there's a GigE link between each switch.  If you have
problems with X consuming lots of bandwidth, you might find that dropping
all thin clients (or those that will) to 16-bit colour might help.

> This does make management a bit more difficult, though, especially
> if the school decides to give out logins for each student using the
> machines (instead of, say, a "guest" login).

Yes and no.  If you go with this, you should be using some sort of
centralised authentication scheme, be it LDAP, NIS, or Active Directory.
This will make accounts appear on all machines and your NFS share of /home
will mean all machines will magically have the user's profile and files.

> Can anyone offer suggestions how to best setup this configuration.
> Seems like NFS mounting /home, but I'm wondering what else can be
> shared to ease management.

You could consider using the machines as diskless kiosks running local
applications.  We do this with the feisty LTSP kiosk mode, though that only
provides a web browser at the moment.  In Gutsy (I hear) there is supposed
to be support for more extensive local applications.  That way, you might
install all applications to the central image and all of your machines will
automatically get them.

> Another question is how to lock down the machines.  I've looked at the
> Lockdown Editor Pessulus and Sabayon.  What about blocking URLs?  Mac
> OSX/Safari has a reasonably easy parenteral control where the browser
> won't go to any domain that isn't defined.  And when it's attempted
> the admin can enter their password to provide access.  Any pointers
> how to implement this?

The only way I know to (reliably) block content is using a proxy server
like squid with something like "dan's guardian" or squidguard.  Thankfully,
the Irish dept. of education has contracted HEAnet to be ISP and look after
filtering en mass for every school in the country so this headache is
lifted from us.

Gavin

More information about the edubuntu-users mailing list