[X2go-bugs] [Tickets #41] Security setup
bugs at x2go.org
Tue Feb 22 17:25:39 CET 2011
Ticket URL: http://code.x2go.org/horde4/whups/ticket/?id=41
------------------------------------------------------------------------------
Ticket | 41
Created By | dick.kniep at lindix.nl
Summary | Security setup
Queue | pyhoca-gui
Version | HEAD
Type | Enhancement
State | New
Priority | 2. Medium
Owners |
------------------------------------------------------------------------------
dick.kniep at lindix.nl (2011-02-22 17:25) wrote:
Hi Mike,
Included is a description about the way the server can be configured
in such a way that the security is OK. In your config it was still
possible for a competent user to add a command to the ssh command.
With the included config that possibility is also closed. I would
suggest that this
lindix -> x2go -> (preliminary) report
Felix C. Stegerman <flx at obfusk.net>
2011-01-18 16:36
--
=== TODO === # {{{1
* wrapper
* analysis
* users, files/dirs, keys, ...
* ... meta !!!
* bash/perl code quality
* bugs
* ...
# }}}1
--
=== Situation (Example) === # {{{1
Provider: lindix
Apps: cvix, appX, appY
Services: x2goserver [ -> ssh ]
=== Clients, Users & Apps === # {{{2
Client  Users              Apps
------  -----              ----
foo     alice, bob         cvix
bar     chris, dan         cvix
baz     emma, fred, greg   appX
User  Apps
----  ----
dan   appX
fred  appY
# }}}2
=== Posix Groups & Users === # {{{2
Group         Users
-----         -----
x2gotunnel    foo, bar, baz
x2gousers     alice, bob, chris, dan, emma, fred, greg
( x2gosftp    alice-sftp, bob-sftp, ... )
( alice-sftp  alice-sftp, alice )
( bob-sftp    bob-sftp, bob )
( ...         ... )
# }}}2
# }}}1
=== CAVEATS === # {{{1
* All configuration examples should be double-checked and tested
before being used in a production environment.
* It is not clear to me how the various ports/protocols/services are
secured. It seems to me that:
* Other users (on the client) can access forwarded (server)
ports.
* Users with server access (e.g. via SSH port forwarding)
can access ports used by others.
* Unless: port/protocol/service access is
authenticated/restricted/controlled.
* Unknown: is the X/nx port/service secured (e.g. with xauth)?
* Unknown: are the sound/fs/printer/... ports/services secured?
* A firewall (e.g. shorewall) may be needed to prevent users
from accessing ports used by others.
* The rules in /etc/security/access.conf apply to all PAM
configurations using pam_access (with the default configuration
file), not just SSH. It may therefore be necessary to use
separate configuration files. The relevant examples assume that
pam_access is used only for SSH (or that the configuration is
compatible with all uses of pam_access). See pam_access(8).
* ...
# }}}1
=== Server (Changes) === # {{{1
=== SSH (+ PAM) === # {{{2
=== Notes === # {{{3
* With a little effort, it is possible to run two instances of
sshd: one for normal ssh (administrative) access, and one for
x2go. <<See Notes>> # TODO
# }}}3
,----[ /etc/ssh/sshd_config ] # {{{3
>> ->| Port 2222
| Protocol 2
->| # ListenAddress ...
|
| HostKey /etc/ssh/ssh_host_rsa_key
| HostKey /etc/ssh/ssh_host_dsa_key
|
| UsePrivilegeSeparation yes
|
| KeyRegenerationInterval 3600
| ServerKeyBits 768
|
| SyslogFacility AUTH
| LogLevel INFO
|
| LoginGraceTime 120
| PermitRootLogin no
| StrictModes yes
|
| RSAAuthentication no
| PubkeyAuthentication yes
|
->| # AuthorizedKeysFile %h/.ssh/authorized_keys
>> ..| AuthorizedKeysFile /etc/ssh-keys/%u/authorized_keys
|
| IgnoreRhosts yes
| RhostsRSAAuthentication no
| HostbasedAuthentication no
| IgnoreUserKnownHosts yes
|
| PermitEmptyPasswords no
| ChallengeResponseAuthentication no
->| PasswordAuthentication no
|
>> ->| AllowGroups wheel x2gotunnel x2gousers x2gosftp
|
->| X11Forwarding no
| X11DisplayOffset 10
| PrintMotd no
| PrintLastLog yes
| TCPKeepAlive yes
|
| AcceptEnv LANG LC_*
|
->| # Subsystem sftp /usr/lib/openssh/sftp-server
>> ..| Subsystem sftp internal-sftp
|
->| UsePAM yes
|
->| Match Group x2gotunnel
..| AllowTcpForwarding no
..| ForceCommand /bin/false
..| PasswordAuthentication no
>> ..| PermitOpen localhost:2222
..| X11Forwarding no
|
->| Match Group x2gousers
>> ..| # AllowTcpForwarding no
>> ..| ForceCommand /usr/local/bin/x2go-ssh-wrapper
..| PasswordAuthentication yes
>> ..| # PermitOpen localhost:30001 localhost:30002 ...
..| X11Forwarding no
|
->| Match Group x2gosftp
..| AllowTcpForwarding no
>> ..| ChrootDirectory /home/__sftp__/%u
..| ForceCommand internal-sftp
..| PasswordAuthentication yes
..| X11Forwarding no
`---- # }}}3
,----[ /etc/pam.d/sshd ] # {{{3
| ...
|
| # account required pam_access.so
++| account required pam_access.so
|
| ...
`---- # }}}3
,----[ /etc/security/access.conf ] # {{{3
| ...
|
>> ++| + : x2gotunnel : ALL
++| + : x2gousers x2gosftp : localhost
|
++| - : ALL EXCEPT wheel : ALL
`---- # }}}3
# }}}2
=== x2go SSH Wrapper === # {{{2
See <../bin/x2go-ssh-wrapper>.
# }}}2
# }}}1
=== Analyses === # {{{1
=== python-x2go === # {{{2
...
# }}}2
=== x2goserver === # {{{2
,----[ (relevant) files ] # {{{3
| INSTALL
?| debian/README.Debian
?| debian/changelog
?| debian/compat
?| debian/control
?| debian/copyright
?| debian/dirs
?| debian/docs
?| debian/init.d
| debian/preinst
?| debian/rules
?| sql
| x2gocleansessions
| x2gocmdexitmessage
| x2gocreatebase.sh
| x2gogetservers
| x2golistsessions
| x2golistsessions_root
| x2golistsessions_sql
| x2gomountdirs
| x2gopgwrapper
| x2gopgwrapper_local
| x2gopgwrapper_net
| x2gopgwrapper_sqlite
| x2goresume-session
| x2goruncommand
?| x2goserver.conf
| x2gosessionlimit
| x2goshowblocks
| x2gosqlite.sh
| x2gostartagent
| x2gosuspend-agent
| x2gosuspend-session
| x2goterminate
| x2goterminate-session
| x2goumount
| x2goumount_session
`---- # }}}3
...
# }}}2
# }}}1
=== Packages === # {{{1
=== Notes === # {{{2
* Dependencies considered extraneous to this report have been
omitted.
# }}}2
=== Server === # {{{2
x2goserver [x2go]
-> x2goagent [x2go]
-> nxcompext [x2go]
-> nxcomp [x2go]
-> nxcompshad [x2go]
-> sudo, openssh-server, openssh-client [!?], sshfs [!?]
# }}}2
=== Client === # {{{2
pyhoca-gui [gabriel]
-> python-x2go [gabriel]
-> nxproxy [x2go]
-> nxcomp [x2go]
-> python (>= 2.6), python-gevent, python-paramiko,
python-cups
-> python-argparse, python-notify, python-setproctitle,
python-wxtools
# }}}2
# }}}1
=== Remarks === # {{{1
This report is based on:
* Information provided by Dick Kniep.
* Searching the Internet.
* The sshd_config man page (and others).
* My (preliminary) analysis of:
  Package      Version          Status
  -------      -------          ------
  python-x2go  0.0.31(-0~nwt1)  TODO
  x2goclient   3.01(-5)         Done/Sufficient
  x2goserver   3.0.1(-5)        TODO/Unfinished
# }}}1
--
vim: set ft= tw=70 sw=2 sts=2 et fdm=marker:
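The report's "Match Group x2gousers" block relies on a ForceCommand wrapper (../bin/x2go-ssh-wrapper) that is referenced but not included in the ticket. The script below is an added example of such a wrapper, written for this note and not the report's own code: it validates SSH_ORIGINAL_COMMAND against an allow-list taken from the x2goserver file list above, so a user cannot append an extra command to the ssh command line. The command list, the install directory and the wrapper's file name are assumptions.

```shell
#!/bin/sh
# Added example of a ForceCommand wrapper for the "x2gousers" Match block
# (not the report's ../bin/x2go-ssh-wrapper); command list and install dir
# are assumptions. sshd passes the requested command in SSH_ORIGINAL_COMMAND;
# only an allow-listed x2go command with plain arguments gets executed.

X2GO_BIN_DIR="${X2GO_BIN_DIR:-/usr/bin}"

# 0 if $1 is an x2goserver command a client legitimately invokes.
x2go_allowed_cmd() {
    case "$1" in
        x2gostartagent|x2golistsessions|x2goresume-session|\
        x2gosuspend-session|x2goterminate-session|x2gogetservers|\
        x2gomountdirs|x2goumount_session|x2gocmdexitmessage|\
        x2gosessionlimit|x2goshowblocks) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the request uses only characters that x2go arguments need
# (geometry, layout, session ids); ';' '|' '&' '$' quotes, backticks,
# redirections and newlines all fail this check.
x2go_safe_args() {
    case "$1" in
        *[!A-Za-z0-9' '._:/=@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints the full command line and returns 0, or returns 1 to refuse.
x2go_check_request() {
    req="$1"
    [ -n "$req" ] || return 1
    x2go_safe_args "$req" || return 1
    set -- $req                 # word-split; no metacharacters remain
    x2go_allowed_cmd "$1" || return 1
    echo "$X2GO_BIN_DIR/$*"
}

x2go_wrapper_main() {
    cmd=$(x2go_check_request "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -p auth.warning -t x2go-ssh-wrapper \
            "refused from ${USER:-?}: ${SSH_ORIGINAL_COMMAND:-<shell request>}"
        exit 1
    }
    exec $cmd                   # unquoted on purpose: validated words only
}

# Entry point only when installed under the name used in sshd_config.
case "${0##*/}" in x2go-ssh-wrapper) x2go_wrapper_main ;; esac
```

Refusals are logged to the AUTH facility, so they show up next to sshd's own messages when reviewing who tried to get past the forced command.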