freenx-knx-bounces@kde.org wrote on 01/02/2013 17:41:20:

> I was wondering if it is possible to configure sshd_config, possibly
> using the ForceCommand keyword, to prevent arbitrary command
> execution/data transfers on the same host which is providing the NX
> sessions. For example I can configure sshd_config with:
>
> ForceCommand /bin/bash
>
> ..which subsequently prevents, scp, rsync over ssh, and even

That might stop ssh xfer but doesn't stop

    cat secretfile|mail -s "Innocent stuff" tome@mydomain

    ftp myhost

etc

> something like "ssh remoteHost 'cat /etc/passwd'", but still allows
> interactive ssh sessions with a bash shell.

You can still cat /etc/passwd or secretfile from within an nx session.

OK, if secretfile is large then you need ftp myhost etc.

I'm not quite sure what you are getting at with this question,
but I can see two things I think you might mean.

If you are asking about the "nx" username then :-

( do you know how it all works ?? )

because your FreeNX ssh session consists of :-

first a remote dsa key-file based ssh connection as user nx
then within that "tunnel"
a localhost ssh password authenticated connection as your user
then
kde gnome etc is launched as the user . .

So
the remote ssh connection is always dsa-key as username "nx"

User nx :-

1/ has its shell set (in /etc/passwd) to
       /usr/bin/nxserver
   which is a restricted shell
   (i.e. not listed in /etc/shells)
so
   your ForceCommand idea won't work
   cos it uses the user shell to run the command

but also NOTE
       su -s /bin/bash nx
   from a server command line also won't work
   due to the restricted shell

User nx :-
2/ doesn't have a password set in /etc/shadow

so also
   su nx won't work (unless you have root access already)

User nx :-
3/ has its authorized_keys entry set with:-
       no-port-forwarding,no-X11-forwarding,
       no-agent-forwarding,command="/usr/bin/nxserver"
so
   whatever "command" you run with ssh will be ignored
   i.e. it will always run nxserver anyway even if you run
       ssh nx@freenx-server /bin/bash
       ssh nx@freenx-server -s /bin/bash

Also ( did you actually mean this ?? )
Even if you did manage to use
       ForceCommand /bin/bash
   as
   username "nx"
and
got a shell on the FreeNX server, you could almost certainly
transfer any file which user nx can open by tftp, ftp,
email etc back to your workstation

BUT on the other hand

if you DON'T mean within the "nx" username

i.e.
Your users "user1" etc are ssh-ing to the freenx server using
   password authentication and transferring data
then

to prevent users ssh-ing as themselves you need two sshd
daemons running simultaneously:-

ssh daemon 1
   - allows incoming connections for admins and username "nx"
configured in /etc/ssh/sshd_config_external

       Port 22
       ListenAddress 0.0.0.0
       AllowUsers nx the-administrator
       RSAAuthentication yes
       PubkeyAuthentication yes
       PasswordAuthentication no
       # Well probably no password tho' allowusers may be enough for you . .

ssh daemon 2
   - allow localhost ssh for the password authenticated login as the user
configured in /etc/ssh/sshd_config_internal

       Port 900
       ListenAddress 127.0.0.1
       AllowGroups freenx-users
       PasswordAuthentication yes

** AND **

set
       SSHD_PORT=900
in
       /etc/nxserver/node.conf

OR you could leave the
   PasswordAuthentication daemon 1 as Port 22
and
   have the dsa key daemon 2 on Port 900
   for external connections
   provided you update the nxclients and
   any Firewalls along the way

> Does anyone have any ideas on how I can provide NX sessions to a
> remoteHost, yet prevent any data transfers to/from that sameHost
> over ssh?

If the issue is that your users are sshing in as themselves
then the two ssh daemon config as above will stop that . . .

NOTE
You can't easily prevent users xfering data unless you switch off
all outgoing connections (including email) too

Username nx is fairly safe even tho the users
"in the know" can copy the client.id_dsa.key
from within the nxclient and connect with ssh

User nx shouldn't have been given access to any data at all tho'
particularly if you have kept the default key which is
the same on every machine.

> Using the example above can I ForceCommand the NX
> tunneling bits, and if so what are they?

Not with username nx

> Or can NX be configured not to use ssh?

No

>
> Thank you for your time.
>
> Mark Christian

So what actually did you mean ?????
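As an added example (not from this mail or from FreeNX itself), the Python below audits the first and third "User nx" properties the reply lists: the login shell must be /usr/bin/nxserver and absent from /etc/shells, and each authorized_keys entry must carry the three no-*-forwarding options plus command="/usr/bin/nxserver". The passwd, shells and key lines are constructed samples, and the option parser assumes plain double-quoted values without escaped quotes.

```python
# Added example, not from the mail or FreeNX: audit "User nx" properties 1 and 3 from
# the reply over constructed in-memory copies of passwd, shells and authorized_keys.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
REQUIRED_OPTS = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
NX_SHELL = "/usr/bin/nxserver"   # nxserver is both the login shell and the forced command

def parse_options(line):
    """Return the option list preceding the key type; quotes are stripped from values."""
    line = line.strip()
    if line.startswith(KEY_TYPES):         # no leading option list at all
        return []
    opts, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch in ", \t" and not quoted:  # unquoted comma or the first unquoted space
            opts.append("".join(cur)); cur = []
            if ch != ",":                  # space ends the option list
                return opts
        else:
            cur.append(ch)
    raise ValueError("malformed or empty authorized_keys line: " + line)

def audit_nx_key(line):
    """Property 3: forwarding disabled and command pinned to nxserver; [] when OK."""
    opts = parse_options(line)
    names = {o.split("=", 1)[0].lower() for o in opts}
    findings = ["missing " + o for o in sorted(REQUIRED_OPTS - names)]
    cmds = [o.split("=", 1)[1] for o in opts if o.lower().startswith("command=")]
    if cmds != [NX_SHELL]:
        findings.append("command=%s, expected %s" % (cmds or "unset", NX_SHELL))
    return findings

def audit_nx_shell(passwd_text, shells_text, user="nx"):
    """Property 1: nx's login shell is nxserver and is not listed in /etc/shells."""
    shells = {s.strip() for s in shells_text.splitlines()}
    entry = next((e.split(":") for e in passwd_text.splitlines() if e.startswith(user + ":")), None)
    if entry is None:
        return ["user %s not found" % user]
    shell = entry[6]
    out = [] if shell == NX_SHELL else ["shell is %s, expected %s" % (shell, NX_SHELL)]
    if shell in shells:
        out.append("%s is listed in /etc/shells, so it is not restricted" % shell)
    return out

# Constructed sample inputs; the key blob, uid/gid and home path are placeholders.
GOOD_KEY = ('no-port-forwarding,no-X11-forwarding,no-agent-forwarding,'
            'command="/usr/bin/nxserver" ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER nx@client')
BAD_KEY = 'command="/usr/bin/nxserver" ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER nx@client'
PASSWD = "root:x:0:0:root:/root:/bin/bash\nnx:x:105:109::/var/lib/nxserver/home:/usr/bin/nxserver\n"
SHELLS = "/bin/sh\n/bin/bash\n"
```

Run `audit_nx_key` over every line of the nx user's authorized_keys and `audit_nx_shell` over the real passwd and shells files; any non-empty list is a deviation from the setup the reply describes.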