[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.
Gregory Carter
gcarter at aesgi.com
Wed Feb 6 17:47:36 UTC 2013
This whole conversation is really about policy, or the lack there of on
LINUX desktops/servers.
I am having a discussion about that right now with RedHat's Benjamin Adler.
Nothing so far to report other than the fact there is lack of control.
Although that is not really a bad thing per se, you could write a shell
to do what you are asking.
But, to the point:
Allow policy group control over a workstations
1) Applications and Desktop/Preferably KDE.
2) Authentication of groups based on two factor authentication
(Biometric or RSA key).
3) Enforced policy control of network access per workstation such as
VPN, ports and EGRES/INGRES the group has access to.
4) Enforced policy control of storage access per workstation the group
has access to.
So policy based on what a login session can and cannot do isn't
technically a problem if you can write your own shell, it is a problem
if you can't because a login shell does is at the heart of the policy
questions here I think, with perhaps a dash of network policy as well.
So even the big guys don't have a real answer to a Linux desktop
management system that approaches anything like SCCM for example on the
Microsoft side.
Just in case you are wondering.
-gc
On 02/06/2013 08:02 AM, chris at ccburton.com wrote:
> freenx-knx-bounces at kde.org wrote on 06/02/2013 06:49:35:
>
>> Hello,
>>
>> I have searched something to do that and i find !!
>>
>> I use lshell to prevent all actions over ssh and in a shell, but allow
>> NX sessions.
> Hmmmm
>
> Sounds like a lot of work . . .
> and
> in the end not very well pinned down because lshell is
> rather basic and not so difficult to get round
> unless
> you very heavily restrict what the users can launch . . .
>
>
>
>> If you want more informations, you're welcome.
>
> Well . . . I'm interested anyway !!
>
>
> What did you have to permit (in /etc/lshell.conf)
> to get it all to run??
>
> . . . how did you get it to run:-
>
> /usr/bin/nxnode
>
> as a user . . . cos lshell doesn't much like paths-to-executables . . .
>
>
> You can just permit startkde/gnome and they run fine
> but
> when kde etc are running, how can you then stop
> users launching /bin/bash ftp email etc (from within kde)
>
> Lots of configuring there . . .
>
>
>
> lshell is a bit basic in operation.
>
> It only filters on "command name"
> not the command's binary signature
> like apparmor and SElinux . . .
> eg,
> Have you tried copying
>
> cp /bin/bash ~/bin/ls
>
> then running ls from lshell ???
>
>
> So without extra configuration
> You have to
> permenantly stop the users from
> doing just about everything, including copying.
>
>
> (NOTE
> actually I don't allow any users write access
> to any filesystem mounted with exec, so /home and
> /var ( /tmp -> /var/tmp ) are noexec here, which
> stops a lot of that sort of thing . . . )
>
>
>
>
>
>
> It is better not to run the combination:-
>
> sshd with
> passwordauthentication yes
> port 22 (or any other port too preferably)
> ListenAddress "on a globally acessible IP"
> 127.0.0.1 only would be good
>
>
> unless
> you restrict incoming ssh on originating IP
> you don't bother logging attempted connections
> else you don't mind huge log files full
> of password brute force attacks,
> one every 15 mins typical here
> you don't mind weak passwords being guessed.
>
>
> So IMNSHO you really ought to fix that as a matter of
> course,
> by having only rsa/dsa visible from outside
>
>
>
>
>
> Then looking at the OP's requrements
>
> to stop people getting stuff off the server you have to
> stop all outgoing sessions, regardless of how well you
> think your restricted shell is doing, and even that doesn't
> stop client screen prints.
>
>
>
>
> And, as a point of policy
>
> it is much better to properly configure the software you
> are already running so it is as secure as you can
> reasonably make it
> i.e. no passwordauthentication
>
> and
> no email, ftp etc out in this case
> than
> install more software, particularly
> e.g. lshell which doesn't quite do it all
>
>
>
>
> I'd be interested to see what you have done tho'
> not being a restricted shell expert . . .
>
>> Sincerely,
>>
>> Jean
>>
>> Jean Milot - jmilot at dotriver.eu - www.dotriver.eu<
> http://www.dotriver.eu/>
>> 5 passage de l'avenir, F-69200 Vénissieux
>> Fixe: +33 (0)4 27 46 39 80 Hotline: # 89 Fax: # 81
>>
>> Renouvellement du label LVED pour DotRiver ( http://bit.ly/Rwv5F9 )
>> Le BYOD est mort ! vive le KYED ( http://bit.ly/Qelwtz )
>> DotRiver, membre du consortium "nuage-France" ( http://bit.ly/LNIfMr )
>>
>> Pas à pas, agissons au quotidien pour préserver notre environnement.
>> N'imprimez que si nécessaire, réduisez les déchets informatiques et
>> économisez l'énergie en utilisant les solutions DotRiver.
>>
>>
>
>
> ________________________________________________________________
> Were you helped on this list with your FreeNX problem?
> Then please write up the solution in the FreeNX Wiki/FAQ:
>
> http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
>
> Don't forget to check the NX Knowledge Base:
> http://www.nomachine.com/kb/
>
> ________________________________________________________________
> FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
> https://mail.kde.org/mailman/listinfo/freenx-knx
> ________________________________________________________________
More information about the FreeNX-kNX
mailing list