[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.
chris at ccburton.com
chris at ccburton.com
Wed Feb 6 14:02:51 UTC 2013
freenx-knx-bounces at kde.org wrote on 06/02/2013 06:49:35:
> Hello,
>
> I have searched something to do that and i find !!
>
> I use lshell to prevent all actions over ssh and in a shell, but allow
> NX sessions.
Hmmmm
Sounds like a lot of work . . .
and
in the end not very well pinned down because lshell is
rather basic and not so difficult to get round
unless
you very heavily restrict what the users can launch . . .
> If you want more informations, you're welcome.
Well . . . I'm interested anyway !!
What did you have to permit (in /etc/lshell.conf)
to get it all to run??
. . . how did you get it to run:-
/usr/bin/nxnode
as a user . . . cos lshell doesn't much like paths-to-executables . . .
You can just permit startkde/gnome and they run fine
but
when kde etc are running, how can you then stop
users launching /bin/bash ftp email etc (from within kde)
Lots of configuring there . . .
lshell is a bit basic in operation.
It only filters on "command name"
not the command's binary signature
like apparmor and SElinux . . .
eg,
Have you tried copying
cp /bin/bash ~/bin/ls
then running ls from lshell ???
So without extra configuration
You have to
permenantly stop the users from
doing just about everything, including copying.
(NOTE
actually I don't allow any users write access
to any filesystem mounted with exec, so /home and
/var ( /tmp -> /var/tmp ) are noexec here, which
stops a lot of that sort of thing . . . )
It is better not to run the combination:-
sshd with
passwordauthentication yes
port 22 (or any other port too preferably)
ListenAddress "on a globally acessible IP"
127.0.0.1 only would be good
unless
you restrict incoming ssh on originating IP
you don't bother logging attempted connections
else you don't mind huge log files full
of password brute force attacks,
one every 15 mins typical here
you don't mind weak passwords being guessed.
So IMNSHO you really ought to fix that as a matter of
course,
by having only rsa/dsa visible from outside
Then looking at the OP's requrements
to stop people getting stuff off the server you have to
stop all outgoing sessions, regardless of how well you
think your restricted shell is doing, and even that doesn't
stop client screen prints.
And, as a point of policy
it is much better to properly configure the software you
are already running so it is as secure as you can
reasonably make it
i.e. no passwordauthentication
and
no email, ftp etc out in this case
than
install more software, particularly
e.g. lshell which doesn't quite do it all
I'd be interested to see what you have done tho'
not being a restricted shell expert . . .
>
> Sincerely,
>
> Jean
>
> Jean Milot - jmilot at dotriver.eu - www.dotriver.eu<
http://www.dotriver.eu/>
> 5 passage de l'avenir, F-69200 Vénissieux
> Fixe: +33 (0)4 27 46 39 80 Hotline: # 89 Fax: # 81
>
> Renouvellement du label LVED pour DotRiver ( http://bit.ly/Rwv5F9 )
> Le BYOD est mort ! vive le KYED ( http://bit.ly/Qelwtz )
> DotRiver, membre du consortium "nuage-France" ( http://bit.ly/LNIfMr )
>
> Pas à pas, agissons au quotidien pour préserver notre environnement.
> N'imprimez que si nécessaire, réduisez les déchets informatiques et
> économisez l'énergie en utilisant les solutions DotRiver.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/freenx-knx/attachments/20130206/9e40a589/attachment.html>
More information about the FreeNX-kNX
mailing list