wiki:security:rbash

Differences

This shows you the differences between two versions of the page.

wiki:security:rbash [2014/10/31 20:46]
woglinde [secure ssh access]
wiki:security:rbash [2014/11/01 09:21]
woglinde [Fix session clean up]
Line 28: Line 28:
  
 ====== secure ssh access ====== ====== secure ssh access ======
-To make sure the users can only access rbash, setup ssh to use **ForceCommand**+To make sure the users can only access rbash, setup ssh to use **ForceCommand**, otherwise the users can run any other shells or commands over 
 +ssh.
  
-Therefore edit /etc/ssh/sshd_config and put the the following lines at the end. ForceCommand only works for a sshd matching section. +Therefore edit /etc/ssh/sshd_config and put the the following lines at the end.  
- +<code bash>
-<note>+
     Match group rbrowser     Match group rbrowser
         ForceCommand sshcommand         ForceCommand sshcommand
-</note>+</code> 
 +ForceCommand only works for a sshd matching section. So you can dedicate the rbash to a certain group. 
 + 
 +**sshcommand** is a small shell script to wrap the rbash usage, 
 + 
 +<code bash> 
 +#!/bin/sh 
 +PATH=/opt/rbash/bin 
 +if test -n "$SSH_ORIGINAL_COMMAND"; then 
 +    /bin/rbash -c "$SSH_ORIGINAL_COMMAND" 
 +else 
 +    /bin/rbash 
 +fi 
 +</code> 
 + 
 +We set the **PATH** to a new directory, so the users can only access the commands from this dir. 
 + 
 +====== Link the needed programs to setup a session ====== 
 +The following programs are needed to link to the new created directory. 
 + 
 +<code bash> 
 +/usr/bin/setsid 
 +/usr/bin/whoami 
 +/usr/bin/x2goagent 
 +/usr/bin/x2golistsessions 
 +/usr/bin/x2gopath 
 +/usr/bin/x2goruncommand 
 +/usr/bin/x2gostartagent 
 +/usr/bin/x2goterminate-session 
 + 
 +mkdir /opt/rbash/bin 
 +cd /opt/rbash/bin && ln -s /usr/bin/{setsid,whoami,x2goagent,x2golistsessions,x2gopath,
 +x2goruncommand,x2gostartagent,x2goterminate-session} . 
 +</code> 
 + 
 +Because some programs are written in perl and need fragments from the x2go-lib dir and it is searched relative, the lib-directory needs to be linked too. 
 +<code bash> 
 +mkdir /opt/rbash/lib 
 +cd /opt/rbash/lib && ln -s /usr/lib/x2go . 
 +</code> 
 + 
 +====== Bring the path back to some scripts ====== 
 +Because we set the PATH to /opt/rbash/bin some scripts needs to set it back to be functional again. 
 + 
 +<code bash> 
 +x2gopath 
 +x2goruncommand 
 +x2gostartagent 
 +x2goterminate-session 
 +</code> 
 + 
 +After the license header add the following to all files mentioned above 
 +<code bash> 
 +export PATH=/bin:/usr/bin:/sbin:/usr/sbin 
 +</code> 
 + 
 +====== rbash as default shell (optional)====== 
 + 
 +If rbash is also set as the default shell via /etc/passwd or some other mechanism, the sessioncleanup skripts needs 
 +to be fixed too. 
 + 
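Review bot: `ForceCommand sshcommand` in the Match block names the wrapper without an absolute path, and the text never says where the sshcommand script is installed, so which file sshd runs depends on the PATH lookup in the user's login shell. Give the full path to a root-owned location that members of the rbrowser group cannot write to, and state in the text where the script goes and that it must be executable. Two smaller points in the link step: `mkdir /opt/rbash/bin` fails when /opt/rbash does not exist yet (use `mkdir -p`), and the `ln -s /usr/bin/{...}` list is broken across two lines, so brace expansion will not happen if the command is pasted as shown. Because the entries in /opt/rbash/bin are symlinks, the `export PATH=/bin:/usr/bin:/sbin:/usr/sbin` line ends up in the originals under /usr/bin; the page should say that this edits the installed scripts for every user and has to be redone if those files are replaced.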
wiki/security/rbash.txt · Last modified: 2014/11/03 13:07 by woglinde