[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.

chris at ccburton.com chris at ccburton.com
Sat Feb 2 09:16:52 UTC 2013


freenx-knx-bounces at kde.org wrote on 01/02/2013 17:41:20:

> I was wondering if it is possible to configure sshd_config, possibly
> using the ForceCommand keyword, to prevent arbitrary command 
> execution/data transfers on the same host which is providing the NX 
> sessions.  For example I can configure sshd_config with:
> 
> ForceCommand /bin/bash
> 
> ..which subsequently prevents, scp, rsync over ssh, and even 


That might stop ssh xfer but doesn't stop

 cat  secretfile|mail -s "Innocent stuff" tome at mydomain 

ftp myhost

etc


> something like "ssh remoteHost 'cat /etc/passwd'", but still allows 
> interactive ssh sessions with a bash shell.



You can still cat /etc/passwd or secretfile from within an nx session.

OK, if secretfile is large then you need ftp myhost etc






I'm not quite sure what you are geting at with this question,
        but I can see two things I think you might mean.






If you are asking about the "nx" username then :- 

( do you know how it all works ?? )

because your FreeNX ssh session consists of :- 

first a remote dsa key-file based ssh connection as user nx
then within that "tunnel"
a localhost ssh password authenticated connection as your user
then
kde gome etc is launched as the user . . 

So
the remote ssh connection is always dsa-key as username "nx" 

User nx :-

1/      has its shell set (in /etc/passwd) to
                 /usr/bin/nxserver
        which is        a restricted shell
                (i.e. not listed in /etc/shells)
so
        your  ForceCommand idea won't work
         cos it uses the user shell to run the command

but also NOTE
                su -s /bin/bash nx
        from a server command line also won't work
                 due to the restricted shell


User nx :-
2/      doesn't have a password set in /etc/shadow

so also 
        su nx won't work (unless you have root access
                already)


User nx :-
3/      has its authorized_keys entry set with:-
                no-port-forwarding,no-X11-forwarding,
                no-agent-forwarding,command="/usr/bin/nxserver"
so
        whatever "command" you run with ssh will be ignored
                i.e  it will always run nxserver anyway even if you run
                ssh   nx at freenx-server /bin/bash
                ssh   nx at freenx-server -s /bin/bash



Also ( did you actually mean this ?? )
Even if you did manage to use
         ForceCommand /bin/bash
 as
         username "nx"
and
got a shell on the FreeNX server, you could almost certainly
transfer anything file which user nx can open by tftp, ftp,
email etc back to your workstation




BUT on the other hand





if you DON'T mean within the "nx" username

i.e.
Your users "user1" etc are  ssh-ing the freenx server using
         password authentication and transfering data
then

to prevent users ssh-ing as themselves you need two sshd
daemons running simultanaously:-


ssh daemon 1
 - allows incoming connections for admins and username "nx"
configured in /etc/ssh/sshd_config_external


                Port 22
                ListenAddress 0.0.0.0
                AllowUsers nx the-administrator
                RSAAuthentication yes
                PubkeyAuthentication yes
                PasswordAuthentication no
                # Well probably no password tho' allowusers
                         may be enough for you . . 


ssh daemon 2
 - allow localhost ssh for the password authenticated login as the user
configured in /etc/ssh/sshd_config_internal


                Port 900
                ListenAddress 127.0.0.1
                AllowGroups freenx-users
                PasswordAuthentication yes

** AND **

set
                SSHD_PORT=900
in
                 /etc/nxserver/node.conf


OR you could leave the
         PasswordAuthentication daemon 1 as Port 22
and
        have the dsa key daemon 2 on Port 900
                 for external connections
        provided  you update the nxclients and
                 any Firewalls along the way

 
> Does anyone have any ideas on how I can provide NX sessions to a 
> remoteHost, yet prevent any data transfers to/from that sameHost 
> over ssh?

If the issue is that your users are sshing in as themselves
the the two ssh daemon config as above will stop that . . .


NOTE
You can't easily prevent users xfering data unless you switch off
all outgoing connections (including email) too

Username nx is fairly safe even tho the users
 "in the know" can copy the client.id_dsa.key
from within the nxclient and connect with ssh


User nx shouldn't have been given access to any data at
all tho'
particularly if you have kept the default key which is
the same on every machine.



>  Using the example above can I ForceCommand the NX 
> tunneling bits, and if so what are they?


Not with username nx

>  Or can NX be configured not to use ssh?

No

> 
> Thank you for your time.
> 
> Mark Christian
 


So what actually did you mean ?????




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/freenx-knx/attachments/20130202/cc14863f/attachment.html>


More information about the FreeNX-kNX mailing list