[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.
Mark Christian
MCHRISTI at altera.com
Fri Feb 1 22:28:17 UTC 2013
> -----Original Message-----
> From: freenx-knx-bounces at kde.org [mailto:freenx-knx-bounces at kde.org] On
> Behalf Of Gregory Carter
> Sent: Friday, February 01, 2013 11:45 AM
> To: freenx-knx at kde.org
> Subject: Re: [FreeNX-kNX] preventing data transfers over SSH, yet still
> allow NX sessions.
>
> This is an interesting problem, so I thought I might reply.
>
> I do not think you can differentiate between ssh and nx on a session
> level like that.
>
> Even your cited example with the bash shell still allows ftp and http.
Once an NX session has been established, firewall rules could prevent any new outgoing data transfer, I would think.
>
> ?
>
> I think though, that is a different question. You can secure ssh
> sessions with path restrictions, even NX'ing into a sand box or a
> virtual machine custom designed with only the binaries the user or
> process needs to get the work done.
I want to use NX as a secure remote Linux display to a firewalled multi-user work environment, a work environment with limited to no access back "outside". I am most concerned about a transfer of data from this "firewalled network" initiated from the "outside" using ssh. If there were a means to only allow NX ssh X forwarding and not allow any other ssh traffic, that would be suitable. Screen captures are ok, I just don't want data to leak out of the secure network.
>
> In order to do that, you could write your own shell code and use a
> different shell environment for the nx session. There are lots of
> substitute shells out there besides bash which are much more ACL
> orientated.
>
> http://alternativeto.net/software/bash/
>
> -gc
>
> On 02/01/2013 11:41 AM, Mark Christian wrote:
> > I was wondering if it is possible to configure sshd_config, possibly
> > using the ForceCommand keyword, to prevent arbitrary command
> > execution/data transfers on the same host which is providing the NX
> > sessions. For example I can configure sshd_config with:
> >
> > ForceCommand /bin/bash
> >
> > ...which subsequently prevents scp, rsync over ssh, and even something
> > like "ssh remoteHost 'cat /etc/passwd'", but still allows interactive ssh
> > sessions with a bash shell.
> >
> > Does anyone have any ideas on how I can provide NX sessions to a
> > remoteHost, yet prevent any data transfers to/from that sameHost over ssh?
> > Using the example above can I ForceCommand the NX tunneling bits, and if
> > so what are they? Or can NX be configured not to use ssh?
> >
> > Thank you for your time.
> >
> > Mark Christian
> >
> > Confidentiality Notice.
> > This message may contain information that is confidential or otherwise
> protected from disclosure. If you are not the intended recipient, you are
> hereby notified that any use, disclosure, dissemination, distribution, or
> copying of this message, or any attachments, is strictly prohibited. If
> you have received this message in error, please advise the sender by reply
> e-mail, and delete the message and any attachments. Thank you.
> >
> > ________________________________________________________________
> > Were you helped on this list with your FreeNX problem?
> > Then please write up the solution in the FreeNX Wiki/FAQ:
> >
> > http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
> >
> > Don't forget to check the NX Knowledge Base:
> > http://www.nomachine.com/kb/
> >
> > ________________________________________________________________
> > FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
> > https://mail.kde.org/mailman/listinfo/freenx-knx
> > ________________________________________________________________
> >
> >
>
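The ForceCommand idea from the original question, carried one step further as an added example (not code from FreeNX or from anyone in this thread): instead of forcing a shell, sshd forces a small gate script that runs only the NX server's login command and refuses everything else (scp, rsync, ad hoc commands, and plain shell requests). The exact command the NX client runs, `/usr/bin/nxserver --login`, and the sshd_config layout in the comments are assumptions to check against your own install; note also that ForceCommand does not constrain port forwarding, which is a separate data channel.

```shell
#!/bin/sh
# nx-gate: a ForceCommand wrapper (constructed example, not FreeNX code).
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND and leaves
# it empty when the client asks for an interactive shell. Only the NX login
# command is ever executed; everything else is logged and refused.
#
# sshd_config (assumed layout, adjust to your install):
#   Match User nx
#       ForceCommand /usr/local/bin/nx-gate run

# ASSUMPTION: the command the NX client runs over ssh on your server.
NX_ALLOWED_COMMAND="${NX_ALLOWED_COMMAND:-/usr/bin/nxserver --login}"

# nx_gate_decide REQUESTED_COMMAND
# Returns 0 only when REQUESTED_COMMAND is exactly the allowed NX command.
nx_gate_decide() {
    requested="$1"
    # Empty means "give me a shell"; a shell is exactly what must not be granted.
    [ -n "$requested" ] || return 1
    # Exact match only: a request that merely begins with the allowed string
    # (for example with extra commands appended) is refused as well.
    [ "$requested" = "$NX_ALLOWED_COMMAND" ] || return 1
    return 0
}

# nx_gate_log MESSAGE: record refusals in the auth log, or stderr as fallback.
nx_gate_log() {
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t nx-gate "$1"
    else
        printf 'nx-gate: %s\n' "$1" >&2
    fi
}

# Entry point used by sshd; guarded so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    if nx_gate_decide "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word splitting of NX_ALLOWED_COMMAND into command and arguments is intended.
        exec $NX_ALLOWED_COMMAND
    fi
    nx_gate_log "refused '${SSH_ORIGINAL_COMMAND:-<interactive shell>}' from ${SSH_CONNECTION:-unknown}"
    exit 1
fi
```

Refusals land in the auth log under the tag nx-gate, so a burst of them from one source is easy to alert on.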