Ticket URL: http://code.x2go.org/horde4/whups/ticket/?id=41
------------------------------------------------------------------------------
 Ticket     | 41
 Created By | dick.kniep@lindix.nl
 Summary    | Security setup
 Queue      | pyhoca-gui
 Version    | HEAD
 Type       | Enhancement
 State      | New
 Priority   | 2. Medium
 Owners     |
------------------------------------------------------------------------------

dick.kniep@lindix.nl (2011-02-22 17:25) wrote:

Hi Mike,

Included is a description about the way the server can be configured in such a way that the security is OK. In your config it was still possible for a competent user to add a command to the ssh command. With the included config that possibility is also closed. I would suggest that this

lindix -> x2go -> (preliminary) report
Felix C. Stegerman <flx@obfusk.net>
2011-01-18 16:36

--

=== TODO === # {{{1

* wrapper
* analysis
  * users, files/dirs, keys, ...
  * ... meta !!!
  * bash/perl code quality
  * bugs
  * ...

# }}}1

--

=== Situation (Example) === # {{{1

Provider: lindix
Apps:     cvix, appX, appY
Services: x2goserver [ -> ssh ]

=== Clients, Users & Apps === # {{{2

Client  Users             Apps
------  -----             ----
foo     alice, bob        cvix
bar     chris, dan        cvix
baz     emma, fred, greg  appX

User  Apps
----  ----
dan   appX
fred  appY

# }}}2

=== Posix Groups & Users === # {{{2

Group         Users
-----         -----
x2gotunnel    foo, bar, baz
x2gousers     alice, bob, chris, dan, emma, fred, greg
( x2gosftp    alice-sftp, bob-sftp, ... )
( alice-sftp  alice-sftp, alice )
( bob-sftp    bob-sftp, bob )
( ...         ... )

# }}}2
# }}}1

=== CAVEATS === # {{{1

* All configuration examples should be double-checked and tested before being used in a production environment.
* It is not clear to me how the various ports/protocols/services are secured. It seems to me that:
  * Other users (on the client) can access forwarded (server) ports.
  * Users with server access (e.g. via SSH port forwarding) can access ports used by others.
  * Unless: port/protocol/service access is authenticated/restricted/controlled.
* Unknown: is the X/nx port/service secured (e.g. with xauth)?
* Unknown: are the sound/fs/printer/... ports/services secured?
* A firewall (e.g. shorewall) may be needed to prevent users from accessing ports used by others.
* The rules in /etc/security/access.conf apply to all PAM configurations using pam_access (with the default configuration file), not just SSH. It may therefore be necessary to use separate configuration files. The relevant examples assume that pam_access is used only for SSH (or that the configuration is compatible with all uses of pam_access). See pam_access(8).
* ...

# }}}1

=== Server (Changes) === # {{{1

=== SSH (+ PAM) === # {{{2

=== Notes === # {{{3

* With a little effort, it is possible to run two instances of sshd: one for normal ssh (administrative) access, and one for x2go. <<See Notes>> # TODO

# }}}3

,----[ /etc/ssh/sshd_config ] # {{{3
->| Port 2222
  | Protocol 2
->| # ListenAddress ...
  |
  | HostKey /etc/ssh/ssh_host_rsa_key
  | HostKey /etc/ssh/ssh_host_dsa_key
  |
  | UsePrivilegeSeparation yes
  |
  | KeyRegenerationInterval 3600
  | ServerKeyBits 768
  |
  | SyslogFacility AUTH
  | LogLevel INFO
  |
  | LoginGraceTime 120
  | PermitRootLogin no
  | StrictModes yes
  |
  | RSAAuthentication no
  | PubkeyAuthentication yes
  |
->| # AuthorizedKeysFile %h/.ssh/authorized_keys
..| AuthorizedKeysFile /etc/ssh-keys/%u/authorized_keys
  |
  | IgnoreRhosts yes
  | RhostsRSAAuthentication no
  | HostbasedAuthentication no
  | IgnoreUserKnownHosts yes
  |
  | PermitEmptyPasswords no
  | ChallengeResponseAuthentication no
->| PasswordAuthentication no
  |
->| AllowGroups wheel x2gotunnel x2gousers x2gosftp
  |
->| X11Forwarding no
  | X11DisplayOffset 10
  | PrintMotd no
  | PrintLastLog yes
  | TCPKeepAlive yes
  |
  | AcceptEnv LANG LC_*
  |
->| # Subsystem sftp /usr/lib/openssh/sftp-server
..| Subsystem sftp internal-sftp
  |
->| UsePAM yes
  |
->| Match Group x2gotunnel
..|   AllowTcpForwarding no
..|   ForceCommand /bin/false
..|   PasswordAuthentication no
..|   PermitOpen localhost:2222
..|   X11Forwarding no
  |
->| Match Group x2gousers
..|   # AllowTcpForwarding no
..|   ForceCommand /usr/local/bin/x2go-ssh-wrapper
..|   PasswordAuthentication yes
..|   # PermitOpen localhost:30001 localhost:30002 ...
..|   X11Forwarding no
  |
->| Match Group x2gosftp
..|   AllowTcpForwarding no
..|   ChrootDirectory /home/__sftp__/%u
..|   ForceCommand internal-sftp
..|   PasswordAuthentication yes
..|   X11Forwarding no
`----
# }}}3
,----[ /etc/pam.d/sshd ] # {{{3
  | ...
  |
  | # account required pam_access.so
++| account required pam_access.so
  |
  | ...
`----
# }}}3

,----[ /etc/security/access.conf ] # {{{3
  | ...
  |
++| + : x2gotunnel : ALL
++| + : x2gousers x2gosftp : localhost
  |
++| - : ALL EXCEPT wheel : ALL
`----
# }}}3
# }}}2
=== x2go SSH Wrapper === # {{{2

See <../bin/x2go-ssh-wrapper>.

# }}}2
# }}}1

=== Analyses === # {{{1

=== python-x2go === # {{{2

...

# }}}2

=== x2goserver === # {{{2

,----[ (relevant) files ] # {{{3
 | INSTALL
?| debian/README.Debian
?| debian/changelog
?| debian/compat
?| debian/control
?| debian/copyright
?| debian/dirs
?| debian/docs
?| debian/init.d
 | debian/preinst
?| debian/rules
?| sql
 | x2gocleansessions
 | x2gocmdexitmessage
 | x2gocreatebase.sh
 | x2gogetservers
 | x2golistsessions
 | x2golistsessions_root
 | x2golistsessions_sql
 | x2gomountdirs
 | x2gopgwrapper
 | x2gopgwrapper_local
 | x2gopgwrapper_net
 | x2gopgwrapper_sqlite
 | x2goresume-session
 | x2goruncommand
?| x2goserver.conf
 | x2gosessionlimit
 | x2goshowblocks
 | x2gosqlite.sh
 | x2gostartagent
 | x2gosuspend-agent
 | x2gosuspend-session
 | x2goterminate
 | x2goterminate-session
 | x2goumount
 | x2goumount_session
`----
# }}}3

...

# }}}2
# }}}1

=== Packages === # {{{1

=== Notes === # {{{2

* Dependencies considered extraneous to this report have been omitted.

# }}}2

=== Server === # {{{2

x2goserver [x2go]
  -> x2goagent [x2go]
    -> nxcompext [x2go]
    -> nxcomp [x2go]
    -> nxcompshad [x2go]
  -> sudo, openssh-server, openssh-client [!?], sshfs [!?]

# }}}2

=== Client === # {{{2

pyhoca-gui [gabriel]
  -> python-x2go [gabriel]
    -> nxproxy [x2go]
      -> nxcomp [x2go]
    -> python (>= 2.6), python-gevent, python-paramiko, python-cups
  -> python-argparse, python-notify, python-setproctitle, python-wxtools

# }}}2
# }}}1

=== Remarks === # {{{1

This report is based on:

* Information provided by Dick Kniep.
* Searching the Internet.
* The sshd_config man page (and others).
* My (preliminary) analysis of:

  Package      Version          Status
  -------      -------          ------
  python-x2go  0.0.31(-0~nwt1)  TODO
  x2goclient   3.01(-5)         Done/Sufficient
  x2goserver   3.0.1(-5)        TODO/Unfinished

# }}}1

--

vim: set ft= tw=70 sw=2 sts=2 et fdm=marker:
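The setup in the attached report (pam_access rules in /etc/security/access.conf, then per-group Match blocks in sshd_config, with a ForceCommand wrapper for x2gousers) can be checked as a whole with a small policy simulation. The following Python script is an added example for this ticket; it is not code from the report, from Dick or Felix, or from the X2Go project. It evaluates the report's three access.conf rules with pam_access semantics (first matching rule decides, access is granted if nothing matches), then applies the effective ForceCommand of the first satisfied Match block. The real /usr/local/bin/x2go-ssh-wrapper is not on the page, so `wrapper_allows()` is an assumption: a wrapper that accepts exactly one command from an allowlist built from the x2goserver file names the report lists, and refuses anything carrying extra shell syntax (the "add a command to the ssh command" case the ticket is about). The origin addresses and the account `root2` are constructed sample values.

```python
"""Simulate who may execute what under the report's sshd + pam_access setup.

Added example for this ticket; not code from the report or the X2Go project.
ASSUMPTION: x2go-ssh-wrapper is not on the page; wrapper_allows() models an
allowlisting wrapper built from the x2goserver command names in the report.
"""
import re
import shlex

# Rules exactly as given in the report's /etc/security/access.conf fragment.
ACCESS_CONF = """
+ : x2gotunnel : ALL
+ : x2gousers x2gosftp : localhost
- : ALL EXCEPT wheel : ALL
"""

# Effective ForceCommand per group, in the order of the report's Match blocks
# (sshd applies the first satisfied Match block that sets the keyword).
MATCH_POLICY = [
    ("x2gotunnel", "/bin/false"),
    ("x2gousers", "/usr/local/bin/x2go-ssh-wrapper"),
    ("x2gosftp", "internal-sftp"),
]

# ASSUMPTION: commands the wrapper lets x2gousers run (x2goserver binaries
# named in the report's file list); everything else is refused.
ALLOWED_COMMANDS = {
    "x2gogetservers", "x2golistsessions", "x2gostartagent", "x2goruncommand",
    "x2goresume-session", "x2gosuspend-session", "x2goterminate-session",
    "x2gomountdirs", "x2goumount_session", "x2gocmdexitmessage",
}


def parse_access_conf(text):
    """Return [(permit, user_tokens, origin_tokens)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _match(tokens, names):
    """pam_access field matching: ALL, literal names, and 'x EXCEPT y'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match(tokens[:i], names) and not _match(tokens[i + 1:], names)
    plain = {t.strip("()") for t in tokens}  # "(group)" spelling is also accepted
    return "ALL" in plain or bool(plain & names)


def pam_access_allows(rules, user, groups, origin):
    """First matching rule decides; pam_access grants when nothing matches."""
    names = {user, *groups}  # a user field token may name the user or a group
    for permit, users, origins in rules:
        if _match(users, names) and _match(origins, {origin}):
            return permit
    return True


def wrapper_allows(original_command):
    """Model of the ForceCommand wrapper: exactly one allowlisted command."""
    if not original_command:
        return False  # no SSH_ORIGINAL_COMMAND: an interactive shell request
    if re.search(r"[;&|`$<>(){}\\\n]", original_command):
        return False  # shell syntax has no place in a single x2go command
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return False  # unbalanced quotes
    return bool(argv) and argv[0] in ALLOWED_COMMANDS


def decide(user, groups, origin, command):
    """Return (may_execute, reason) for a login from origin requesting command."""
    if not pam_access_allows(parse_access_conf(ACCESS_CONF), user, groups, origin):
        return False, "denied by pam_access (%s from %s)" % (user, origin)
    for group, forced in MATCH_POLICY:
        if group in groups:
            if forced == "/bin/false":
                return False, "%s: ForceCommand /bin/false, no command execution" % group
            if forced == "internal-sftp":
                return True, "%s: chrooted internal-sftp only" % group
            ok = wrapper_allows(command)
            return ok, "%s: wrapper %s %r" % (group, "accepted" if ok else "rejected", command)
    return True, "no Match block applies; global sshd settings decide"


if __name__ == "__main__":
    # Constructed sample logins; 203.0.113.5 is a documentation address.
    for case in [
        ("alice", ["x2gousers"], "localhost", "x2golistsessions"),
        ("alice", ["x2gousers"], "localhost", "x2golistsessions; id"),
        ("alice", ["x2gousers"], "203.0.113.5", "x2golistsessions"),
        ("foo", ["x2gotunnel"], "203.0.113.5", ""),
        ("alice-sftp", ["x2gosftp"], "localhost", ""),
        ("root2", ["wheel"], "203.0.113.5", "bash"),
    ]:
        print(case[:3], "->", decide(*case))
```

Running the script shows the intended split: x2gousers members get a command only from localhost and only if the wrapper accepts it, tunnel accounts never execute anything, sftp accounts are confined to internal-sftp, and wheel members are the only accounts that reach sshd's global settings from a remote origin. Because the caveat in the report applies, remember that `ACCESS_CONF` is evaluated for every PAM service that includes pam_access, not only sshd.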
Ticket URL: https://code.x2go.org/horde4/whups/ticket/?id=41
------------------------------------------------------------------------------
 Ticket     | 41
 Updated By | Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 Summary    | Security setup
-Queue      | pyhoca-gui
+Queue      | x2goserver
-Version    | HEAD
+Version    | HEAD
 Type       | Enhancement
 State      | New
-Priority   | 2. Medium
+Priority   | 1. Low
 Owners     |
------------------------------------------------------------------------------
Ticket URL: https://code.x2go.org/horde4/whups/ticket/?id=41
------------------------------------------------------------------------------
 Ticket     | 41
 Updated By | Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 Summary    | Security setup
 Queue      | x2goserver
 Version    | HEAD
 Type       | Enhancement
-State      | New
+State      | Stalled
 Priority   | 1. Low
 Owners     |
------------------------------------------------------------------------------
Ticket URL: https://code.x2go.org/horde4/whups/ticket/?id=41
------------------------------------------------------------------------------
 Ticket     | 41
 Updated By | Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 Summary    | Security setup
 Queue      | x2goserver
 Version    | HEAD
 Type       | Enhancement
 State      | Stalled
 Priority   | 1. Low
-Owners     |
+Owners     | Mike Gabriel
------------------------------------------------------------------------------