[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.

Gregory Carter gcarter at aesgi.com
Fri Feb 1 19:44:37 UTC 2013


This is an interesting problem, so I thought I might reply.

I do not think you can differentiate between ssh and nx on a session 
level like that.

Even your cited example with the bash shell still allows ftp and http.

?

I think, though, that is a different question. You can secure ssh 
sessions with path restrictions, even NX'ing into a sandbox or a 
virtual machine custom designed with only the binaries the user or 
process needs to get the work done.

In order to do that, you could write your own shell code and use a 
different shell environment for the nx session. There are lots of 
substitute shells out there besides bash which are much more ACL orientated.

http://alternativeto.net/software/bash/

-gc

On 02/01/2013 11:41 AM, Mark Christian wrote:
> I was wondering if it is possible to configure sshd_config, possibly using the ForceCommand keyword, to prevent arbitrary command execution/data transfers on the same host which is providing the NX sessions.  For example I can configure sshd_config with:
>
> ForceCommand /bin/bash
>
> ..which subsequently prevents scp, rsync over ssh, and even something like "ssh remoteHost 'cat /etc/passwd'", but still allows interactive ssh sessions with a bash shell.
>
> Does anyone have any ideas on how I can provide NX sessions to a remoteHost, yet prevent any data transfers to/from that sameHost over ssh?  Using the example above can I ForceCommand the NX tunneling bits, and if so what are they?  Or can NX be configured not to use ssh?
>
> Thank you for your time.
>
> Mark Christian
>
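
Added example, not part of either message above: a wrapper that sshd could run through ForceCommand, classifying the client's request from SSH_ORIGINAL_COMMAND and logging what it refuses. The install path, the NX_COMMAND placeholder and the sample requests are assumptions, since the thread does not identify the command an NX client sends; as the reply notes, an interactive shell can still reach ftp and http, so this limits what is requested over SSH, not what the shell can do afterwards.

```shell
#!/bin/sh
# Hypothetical ForceCommand wrapper, assumed installed as /usr/local/bin/ssh-gate
# and referenced from sshd_config as:  ForceCommand /usr/local/bin/ssh-gate
# sshd runs it in place of the client's request and exports that request in
# SSH_ORIGINAL_COMMAND (empty for an interactive login).

# Placeholder only: the thread does not say which command an NX client sends.
NX_COMMAND="${NX_COMMAND:-/path/to/nx-command-placeholder}"

# classify REQUEST -> prints interactive | nx | transfer | other
classify() {
    case "$1" in
        "")            echo interactive ;;
        "$NX_COMMAND") echo nx ;;
        scp|scp\ *|*/scp\ *|rsync\ *|*/rsync\ *|*sftp-server*|internal-sftp*)
                       echo transfer ;;
        *)             echo other ;;
    esac
}

# permit REQUEST -> 0 if allowed; otherwise logs the refusal and returns 1
permit() {
    verdict=$(classify "$1")
    case "$verdict" in
        interactive|nx) return 0 ;;
    esac
    # Best-effort audit trail; the request is passed as data, never evaluated.
    logger -t ssh-gate "denied user=${USER:-unknown} kind=$verdict request=$1" \
        2>/dev/null || true
    return 1
}

# Act only when invoked under the installed (hypothetical) name.
case "$0" in
    */ssh-gate)
        if ! permit "${SSH_ORIGINAL_COMMAND:-}"; then
            echo "request not permitted on this host" >&2
            exit 1
        fi
        if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
            exec /bin/bash -l        # interactive login, as in the question
        else
            exec "$NX_COMMAND"       # fixed command, never the client's string
        fi
        ;;
esac
```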



