LinuxQuestions.org

Linux - Software: Linux Desktop with Citrix Client (https://www.linuxquestions.org/questions/linux-software-2/linux-desktop-with-citrix-client-767905/)

athreyavc 11-09-2009 08:37 AM

Linux Desktop with Citrix Client
 
Hi All,

We are planning to deploy linux on all the desktops in our organization with Citrix client.

We are able to install the citrix client and connect to the remote server too.

But my queries are as below,

If we deploy a Linux desktop, what is the best distribution I should look for? It should be free (I have done the testing on Fedora Core 11 and it runs smoothly).

How much customization should I do? Ideally the users must only use Firefox, nothing else. They connect to Citrix servers and work there.

If anyone has done a large deployment of linux desktops please help me.

I understand this question is generic, but I will take motivation from your replies.

Regards,

Athreya

kbp 11-09-2009 06:23 PM

It doesn't really matter that much as long as you use a current distro. In regards to locking down the desktop, you could go with KDE in kiosk mode; there's an admin GUI available here as well:

http://extragear.kde.org/apps/kiosktool/

cheers

athreyavc 11-20-2009 05:24 AM

Hi,

Thanks for the reply.

I have completed the Citrix 9.0 client with the Fedora client. It works well.

Also, I have OpenOffice, which I am using as a substitute, basically in case there is sometimes a need to work from the local machine.

I have also tested the working of Ekiga; it connects to the Asterisk server and talks to X-Lite extensions on the Windows machines.

Overall seems a nice setup.

The boot time with fedora 11 observed is 50 seconds.

Are the OS, OpenOffice and Ekiga all free for me?

I am using fedora 11.

And what security considerations may I need to take? As of now, I have disabled telnet and SSH.

Regards,

Athreya

kbp 11-20-2009 06:42 AM

They are all open source. Lockdown may take a little practice/trial and error; I suggest you build a test host specifically for this. Let me know once you have a test machine and I'll provide some of the hardening from the kickstart scripts that I use. You will need to test very thoroughly after locking down to ensure that everything works as expected.

cheers

athreyavc 11-23-2009 12:47 AM

Hi,

Thanks for the reply.

The locking happens with Fedora 11 by default. I am using GNOME. And as we are connecting to Citrix servers (Windows servers we will access from Citrix), I feel no need to lock the local machine.

The local machine is not in any domain; instead it will only receive IPs and we connect to the Citrix servers. So, even if a local machine is unlocked, not much is lost as far as data and security are concerned.

What I am now concerned with is reducing the boot time and hardening the system. I have not really gone into the internals of the system yet,

But please help me with the hardening.

Thanks again for your support, it gives me a lot of motivation to go further.

Regards,

Athreya

chrism01 11-23-2009 06:19 PM

I'd like to point out that Fedora is Red Hat's R&D distro, with a new version every 13 months and only the current and previous versions supported. It's a bit bleeding edge.
For long-term support/stability (especially for a business environment) try CentOS (free version of RHEL).
Quote:

The seven year life cycle for a major release of Red Hat Enterprise Linux is divided into three phases.
http://www.redhat.com/security/updates/errata/

Admin manual: http://www.linuxtopia.org/online_boo...ion/index.html

kbp 11-23-2009 07:42 PM

Hardening stuff:

Code:

# openssh:
# sshd uses the first value it finds for a keyword, so check the stock
# sshd_config for earlier uncommented settings (e.g. "X11Forwarding yes")
# that these appended lines would not override.
cat << EOF >> /etc/ssh/sshd_config
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
HostBasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
Banner /etc/issue.net
EOF

# Set SELinux mode (permissive logs denials without blocking anything;
# switch to enforcing once the desktop has been tested)
perl -pi -e 's/^SELINUX=.*$/SELINUX=permissive/' /etc/selinux/config

# Configure mlocate to act like slocate - users will not be able to locate files
# they don't have permissions to see
perl -pi -e 's?^/usr/bin/updatedb.*?/usr/bin/updatedb -l 1 -f "\$nodevs"?' /etc/cron.daily/mlocate.cron

# Configure tcp wrappers host access to a mostly closed access policy.
cat << EOF >> /etc/hosts.allow
ALL:localhost
sshd:ALL
EOF
# Quoted heredoc delimiter so $(date) reaches hosts.deny intact; tcp_wrappers
# runs the spawn command through /bin/sh, and logger records the denial in
# syslog (a bare echo would only reach the daemon's stdout)
cat << 'EOF' >> /etc/hosts.deny
ALL: ALL: spawn /bin/echo "$(date) denied %d from %h" | /usr/bin/logger -p authpriv.notice
EOF

# Setup password policy.
perl -pi -e "s/PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/" /etc/login.defs
perl -pi -e "s/PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/" /etc/login.defs
perl -pi -e "s/PASS_WARN_AGE.*$/PASS_WARN_AGE 28/" /etc/login.defs
perl -pi -e "s/PASS_MIN_LEN.*$/PASS_MIN_LEN 6/" /etc/login.defs

# Disable core dumps and increase open files
cat << EOF >> /etc/security/limits.conf
* - core 0
* - nofile 8192
EOF

# Set daemon umask
cat << EOF >> /etc/sysconfig/init
umask 027
EOF

# Disable interactive boot
perl -pi -e 's/^PROMPT=yes/PROMPT=no/' /etc/sysconfig/init

cat << EOF >> /etc/sysctl.conf
fs.suid_dumpable = 0
kernel.exec-shield = 1
# 1 randomises stack, mmap and VDSO placement; 2 also randomises the heap (brk)
kernel.randomize_va_space = 1
EOF

# Restrict root login to console
cat << EOF > /etc/securetty
console
tty1
tty2
tty3
tty4
tty5
tty6
EOF

# Limit su to root access to members of wheel
sed -i 's/^#\(auth.*req.*wheel.*$\)/\1/' /etc/pam.d/su

# Grant wheel sudo access (run "visudo -c" afterwards to check the syntax,
# since a broken sudoers locks everyone out of sudo)
cat << EOF >> /etc/sudoers
%wheel  ALL=(ALL)      ALL
EOF

# Block shell and login access for non-root system accts
# (system accounts have UIDs below 500 on Fedora 11 / RHEL 5)
for NAME in $(cut -d: -f1 /etc/passwd)
do
  if [ "$(id -u "$NAME")" -lt 500 ] && [ "$NAME" != 'root' ]
  then
    usermod -L "$NAME"
    usermod -s /sbin/nologin "$NAME"
  fi
done

# Lock accts with empty passwords
for NAME in $(awk -F: '($2 == "") {print $1}' /etc/shadow)
do
    usermod -L "$NAME"
done

# Set users umask
cat << EOF >> /etc/profile
umask 077
EOF

# Rewrite the default umask lines in the system-wide shell rc files by
# pattern rather than by line number, which shifts between releases
perl -pi -e 's/^(\s*)umask\s+0?[02]2\b/${1}umask 077/' /etc/bashrc /etc/csh.cshrc

perl -pi -e 's/^UMASK.*/UMASK  077/g' /etc/login.defs

# Set roots umask
for FILE in /root/.bashrc /root/.bash_profile /root/.cshrc /root/.tcshrc
do
    echo "umask 077" >> "$FILE"
done

# Require password for single user
cat << EOF >> /etc/inittab

# Require password for single user
~~:S:wait:/sbin/sulogin
EOF

#-------------------------------------------------------------------------------
# Network hardening:: Non-firewall/gateway system
#-------------------------------------------------------------------------------
cat << EOF >> /etc/sysctl.conf

# Additional hardening as per NSA RHEL5 guide
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.conf.all.rp_filter = 1
EOF

# Harden permissions on cron dirs
chmod -R go-rwx /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly

cat << EOF > /etc/cron.allow
root
EOF

echo root > /etc/at.allow
chmod 400 /etc/{cron,at}.allow
chmod 400 /etc/crontab

# Only the allow files should govern cron/at access (the at file is at.deny, not at/deny)
rm -f /etc/cron.deny /etc/at.deny

cat << EOF > /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1059:101844]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

enjoy,

kbp
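A post-hardening audit that checks whether the settings a script like the one above actually took effect, added here as an example; it is not part of the thread or of kbp's kickstart script, and the function names and the constructed sample tree are my own. It demonstrates the caveat that sshd uses the first value it finds for a keyword, so a directive appended to a stock sshd_config that already contains an uncommented "X11Forwarding yes" changes nothing, and it also flags accounts with empty password fields and leftover cron/at deny files. Every check takes a root directory, so the same functions run against a live host ("/") or against the constructed tree.

```shell
#!/bin/sh
# Post-hardening audit (added example, not part of the thread or kbp's script).
# Every check takes a root directory, so it can be run against the live host
# ("/") or against a constructed tree like the one build_sample_root creates.

# Print the first active value of an sshd_config keyword, lowercased.
# sshd uses the FIRST value it meets for a keyword, so a line appended by a
# hardening script does not override an earlier uncommented one.
first_value() {
    [ -f "$1" ] || return 0
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { l = tolower($0); sub(/^[ \t]+/, "", l) }
        l == "" || l ~ /^#/ { next }
        { n = split(l, f, /[ \t=]+/); if (n >= 2 && f[1] == k) { print f[2]; exit } }
    ' "$1"
}

# One line per sshd_config directive whose effective value is not the hardened one.
audit_sshd() {
    cfg="$1/etc/ssh/sshd_config"
    if [ ! -f "$cfg" ]; then echo "sshd_config: file missing"; return 0; fi
    for pair in "Protocol 2" "PermitRootLogin no" "PermitEmptyPasswords no" \
                "X11Forwarding no" "HostbasedAuthentication no" "IgnoreRhosts yes"; do
        key=${pair%% *}; want=${pair#* }
        got=$(first_value "$cfg" "$key")
        [ "$got" = "$want" ] || echo "sshd_config: $key effective '${got:-unset}', expected '$want'"
    done
    return 0
}

# Accounts whose shadow password field is empty (they can log in with no password).
audit_empty_passwords() {
    shadow="$1/etc/shadow"
    if [ ! -f "$shadow" ]; then echo "shadow: file missing"; return 0; fi
    awk -F: '$2 == "" { print "shadow: account " $1 " has an empty password field" }' "$shadow"
}

# cron/at access: only an allow file listing root should exist; deny files go.
audit_cron() {
    for f in cron.allow at.allow; do
        if [ ! -f "$1/etc/$f" ]; then echo "$f: missing"
        elif grep -qvx root "$1/etc/$f"; then echo "$f: lists users other than root"; fi
    done
    for f in cron.deny at.deny; do
        if [ -e "$1/etc/$f" ]; then echo "$f: still present, remove it so only the allow file governs access"; fi
    done
    return 0
}

run_audit() { audit_sshd "$1"; audit_empty_passwords "$1"; audit_cron "$1"; }
count_findings() { run_audit "$1" | awk 'END { print NR }'; }

# Constructed test tree: a stock-style sshd_config with the hardening block
# appended (note the earlier "X11Forwarding yes"), a shadow file with one empty
# password, allow files for cron and at, and a leftover at.deny. Hashes are fake.
build_sample_root() {
    mkdir -p "$1/etc/ssh"
    cat > "$1/etc/ssh/sshd_config" <<'EOF'
Protocol 2
#PermitRootLogin yes
X11Forwarding yes
IgnoreRhosts yes
HostBasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
EOF
    cat > "$1/etc/shadow" <<'EOF'
root:$6$constructed$notarealhash:14500:0:99999:7:::
bin:*:14500:0:99999:7:::
kiosk::14500:0:99999:7:::
EOF
    printf 'root\n' > "$1/etc/cron.allow"
    printf 'root\n' > "$1/etc/at.allow"
    : > "$1/etc/at.deny"
}

# Stand-alone demo against the constructed tree; expect three findings.
demo_dir=$(mktemp -d)
build_sample_root "$demo_dir"
run_audit "$demo_dir"
echo "findings: $(count_findings "$demo_dir")"
rm -rf "$demo_dir"
```

Run it as root with `/` as the argument after imaging a test machine; the only finding on a correctly hardened box should be none. The first_value helper is what makes the sshd check honest: grepping for the appended line would report success even though sshd ignores it.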

oasys 11-25-2009 02:47 PM

athreyavc
Our company is going down the same path as you. Any chance that we can compare notes? One of the problems that I'm having is with Citrix understanding the many different USB drives that might be put in the host machine.

thanks
