MAccadia edited this page May 17, 2021 · 13 revisions

Security

This page centralizes how-to guides and discussions related to security for LTSP.

Discussions

Access to the bootloader shell

The default LTSP configuration gives users access to the iPXE shell, in the same way that you can get a GRUB shell in Ubuntu or other distributions. Access to the bootloader shell can be exploited to get root access on the LTSP client (for example, using the systemd debug shell). See "Disable the iPXE shell" below to disable access to the bootloader shell.

SSH

By default, LTSP uses SSHFS for the users' home directories. Be aware that all LTSP users therefore have SSH access to the LTSP server. This is not a security vulnerability per se. However, a malicious user could abuse the server's resources and/or attempt to gain root access via privilege escalation.

TFTP

LTSP uses dnsmasq as its TFTP server. Although it's possible to use another TFTP server, dnsmasq has the advantage of protecting against TFTP uploads, as it only provides read-only access (see man dnsmasq). By contrast, tftpd-hpa, for example, allows overwriting a file on the TFTP server if it is world-writable (-rw-rw-rw-). If you don't need the DNS and (proxy)DHCP capabilities of dnsmasq, see man ltsp dnsmasq.

How-to

Disable the iPXE shell

If you use the default LTSP iPXE menu, you can disable the iPXE shell by adding these lines to the [server] section of ltsp.conf:

[server]
POST_IPXE_HIDE_CONFIG="sed '/--key c/d' -i /srv/tftp/ltsp/ltsp.ipxe"
POST_IPXE_HIDE_SHELL="sed '/--key s/d' -i /srv/tftp/ltsp/ltsp.ipxe"

Then run sudo ltsp ipxe to apply the changes.
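To confirm the result after running ltsp ipxe, and to check the TFTP tree for the world-writable files mentioned under TFTP above, a small shell audit follows. It is an added example, not part of LTSP: the function names are hypothetical, the sample menu is constructed, and the default paths are the ones shown on this page.

```shell
#!/bin/sh
# Added example: audit an LTSP TFTP tree. Function names are hypothetical;
# the default paths are the ones used on this page.

# Print menu lines still carrying the "c" (config) or "s" (shell) hotkey.
# Returns 0 if none remain, 1 if any do, 2 if the file cannot be read.
ipxe_hotkeys_left() {
    file=${1:-/srv/tftp/ltsp/ltsp.ipxe}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Same substrings the POST_IPXE_* sed commands delete.
    if grep -n -e '--key c' -e '--key s' "$file"; then
        return 1
    fi
    return 0
}

# Print regular files under the TFTP root that are world-writable.
# Returns 0 if none exist, 1 if any do, 2 if the directory is missing.
tftp_world_writable() {
    root=${1:-/srv/tftp}
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    found=$(find "$root" -type f -perm -0002 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demo on a constructed tree (not a real LTSP menu), so it runs anywhere.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/ltsp"
    cat > "$d/ltsp/ltsp.ipxe" <<'EOF'
#!ipxe
menu Constructed sample menu
item --key 1 img1 Boot image 1
item --key c config Enter iPXE config
item --key s shell Drop to iPXE shell
choose target && goto ${target}
EOF
    chmod 666 "$d/ltsp/ltsp.ipxe"
    ipxe_hotkeys_left "$d/ltsp/ltsp.ipxe" || echo "=> hotkeys still present"
    tftp_world_writable "$d" || echo "=> world-writable files found"
    rm -rf "$d"
}
demo
```

On an LTSP server, call ipxe_hotkeys_left and tftp_world_writable with no arguments to check the real paths.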

Restrict SSH access

See Restrict ssh usage.

Configure a firewall for an LTSP server

You may want to run a software firewall on your LTSP server to enhance security and to use apps such as fail2ban, which require a local software firewall to be enabled. The exact set of ports required varies depending on the distro you are using, the services required (you may also need Samba, CUPS, etc.), and the version of LTSP you are using, but opening the following ports should at least allow clients to PXE boot from your LTSP server:

22/tcp           # SSH and SSHFS to share home dirs
53/udp           # DNS
67/udp           # DHCP - needed even if you're using an external DHCP server
69/udp           # TFTP
111/tcp          # NFS - needed to share the system files under newer LTSP versions
111/udp          # NFS 
2049/tcp         # NFS 
2049/udp         # NFS
4011/udp         # Proxy DHCP. Needs to be open even if using external DHCP server
9571/tcp         # inetd - only for Ubuntu 16.04, not needed under Ubuntu 20.04
10809/tcp        # NBD - Network Block Device, shares the system files under older LTSP5
32768:60999/tcp  # The ephemeral port range needs to be opened