
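--- a/doc/external/auth.xml
+++ b/doc/external/auth.xml
@@ -81,14 +81,6 @@
         against Windows domains and LDAP databases.
       </para>
 
-      <para>
-        An user connecting to ThinLinc needs executable access to the ThinLinc
-        login shell <emphasis>thinlinc-login</emphasis> and if you don't have
-        any intentions to allow a regular shell access to the server you should
-        set default login shell for the users to
-        <filename>/usr/bin/thinlinc-login</filename>.
-      </para>
-
       <sect2 id="authentication_pam-files">
 
         <title>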
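--- a/doc/external/configuration.xml
+++ b/doc/external/configuration.xml
@@ -2539,6 +2539,37 @@
 
     </sect1>
 
+    <sect1 id="configuration_noshell">
+
+      <title>
+        Restricting Shell Access
+      </title>
+
+      <para>
+        Like other login methods, ThinLinc requires a functional shell for the
+        user trying to log in. Setting a non-functional shell such as
+        <command>/bin/false</command> will prevent ThinLinc from
+        working.However, ThinLinc also includes a special shell that still
+        allows users to log in using ThinLinc, but prevents all other shell
+        access. User's that should be restricted should be configured to have
+        <command>/opt/thinlinc/bin/noshell</command> as their shell. See the
+        documentation for your user database for information on how to
+        configure a user's shell.
+      </para>
+
+      <para>
+        It is also possible to restrict the shell when accessed via SSH, but
+        still permit shell usage locally or inside ThinLinc sessions. Configure
+        <filename>/etc/ssh/sshd_config</filename> with the following for the
+        users that should be restricted:
+      </para>
+
+<screen>
+ForceCommand /opt/thinlinc/bin/noshell
+</screen>
+
+    </sect1>
+
   </chapter>
 
 <!-- Tail start -->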
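--- a/vsm/noshell
+++ b/vsm/noshell
@@ -0,0 +1,47 @@
+#!/bin/bash
+# -*- mode: shell-script; coding: utf-8 -*-
+#
+# Copyright 2016 Cendio AB.
+# For more information, see http://www.cendio.com
+
+#
+# Dummy shell that prevents login to anything but ThinLinc
+#
+
+end()
+{
+    echo "Shell access has been prohibited" >&2
+    exit 1
+}
+
+# Invoked via ForceCommand
+if [ $# -eq 0 -a -n "$SSH_ORIGINAL_COMMAND" ]; then
+    set -- -c "$SSH_ORIGINAL_COMMAND"
+    unset SSH_ORIGINAL_COMMAND
+fi
+
+# FIXME: Check that we are a login shell.
+#        argv[0] is not preserved with shebang.
+#        May have to rewrite in C.
+
+# There must be a command, and no voodoo
+[ $# -eq 2 ] || end
+[ "$1" == "-c" ] || end
+
+# If we are both the user's shell, and ForceCommand, then we
+# will get a request to execute ourselves
+# ($0 cannot be used since we are a login shell)
+if [ "$2" == "${BASH_SOURCE[0]}" ]; then
+    exec "${BASH_SOURCE[0]}"
+fi
+
+# thinlinc-login is invoked from sshd, and may have arguments
+case "$2" in
+    thinlinc-login|thinlinc-login\ *)
+        set -- $2
+        shift
+        exec thinlinc-login "$@"
+        ;;
+esac
+
+end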
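Review bot: The final `exec thinlinc-login "$@"` resolves the binary through `PATH`, and the script trusts the rest of its inherited environment too, which matters for a shell whose whole job is to confine the account. Where sshd is configured to pass user-chosen variables (`AcceptEnv`, `PermitUserEnvironment`), `PATH` or `BASH_ENV` could steer execution away from the intended program, so I would start the script with `#!/bin/bash -p` and exec an absolute path (the Makefile in this patch installs thinlinc-login under `$(PREFIX)/libexec/`). The unquoted `set -- $2` is also subject to pathname expansion; a `set -f` just before it keeps client-supplied arguments literal. The open FIXME about verifying login-shell invocation deserves a tracking reference, since the documentation added alongside presents this script as the restriction mechanism.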
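--- a/vsm/thinlinc-vsm.spec.in
+++ b/vsm/thinlinc-vsm.spec.in
@@ -81,6 +81,7 @@
 %dir /opt/thinlinc/etc/conf.d
 %dir /opt/thinlinc/etc/sessionstartup.d
 %dir /opt/thinlinc/etc/sessionreconnect.d
+/opt/thinlinc/bin/noshell
 /opt/thinlinc/bin/tl-config
 /etc/profile.d/thinlinc.sh
 /etc/profile.d/thinlinc.csh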
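--- a/vsm/Makefile
+++ b/vsm/Makefile
@@ -140,10 +140,12 @@
 	echo "ThinLinc $(VERSION)" > $(PREFIX)/etc/thinlinc-release
 	$(INSTALL) -m 644 thinlinc.hconf $(PREFIX)/etc/
 	$(INSTALL) -m 644 vsm.hconf $(PREFIX)/etc/conf.d/
+	$(INSTALL) noshell $(PREFIX)/bin/
 	$(INSTALL) tl-config $(PREFIX)/bin/
 	$(INSTALL) install_service $(PREFIX)/libexec/
 	$(INSTALL) remove_service $(PREFIX)/libexec/
 	$(INSTALL) service $(PREFIX)/libexec/
+	$(OINSTALL) thinlinc-login $(PREFIX)/libexec/
 	$(OINSTALL) -m 644 modules/thinlinc/vsm/__init__.py $(PREFIX)/modules/thinlinc/vsm/
 	$(OINSTALL) -m 644 modules/thinlinc/crypt.py $(PREFIX)/modules/thinlinc/
 	$(OINSTALL) -m 644 modules/thinlinc/crypto.py $(PREFIX)/modules/thinlinc/
@@ -183,7 +185,6 @@
 	$(INSTALL) -s lsh-pam-checkpw $(PREFIX)/sbin/
 	mkdir -p $(PREFIX)/libexec
 	$(INSTALL) -s xprop/xprop $(PREFIX)/libexec/
-	$(OINSTALL) thinlinc-login $(PREFIX)/libexec/
 	mkdir -p $(ROOTDIR)/etc/pam.d/
 	$(INSTALL) -d $(ROOTDIR)/var/lib/vsm
 	$(OINSTALL) -m 644 modules/thinlinc/vsm/vsmxmlrpccall.py $(VSMMOD)/
@@ -283,6 +284,7 @@
 	encrypt-vnc-pw.c\
 	Makefile\
 	Makefile.defines\
+	noshell\
 	thinlinc.hconf\
 	vsm.hconf\
 	vsmagent.hconf\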
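--- a/vsm/thinlinc-login
+++ b/vsm/thinlinc-login
@@ -1,7 +1,7 @@
 #!/usr/bin/env python-thinlinc
 # -*-mode: python; coding: utf-8 -*-
 #
-# Copyright 2002-2014 Cendio AB.
+# Copyright 2002-2016 Cendio AB.
 # For more information, see http://www.cendio.com
 
 import sys
@@ -13,6 +13,7 @@
 import hiveconf
 import xmlrpclib
 from thinlinc import ctccommon
+from thinlinc import prefix
 
 #
 # Various notes:
@@ -110,31 +111,17 @@
     if len(sys.argv) == 2:
         return sys.argv[1]
 
-    # The following cases are with thinlinc-login as the shell
-    if len(sys.argv) == 3:
-        if sys.argv[1] != '-c':
-            print >>sys.stderr, PROG + ": ERROR: Invalid syntax"
-            sys.exit(1)
-
-        # FIXME: Support full shell syntax?
-        command = sys.argv[2].split()
-
-        if (len(command) < 1) or not command[0].endswith("thinlinc-login"):
-            print >>sys.stderr, PROG + ": ERROR: Invalid syntax"
-            sys.exit(1)
-
-        # Case 3: Old client with thinlinc-login as the shell
-        if len(command) == 1:
-            return "master"
-
-        # Case 4: New client with thinlinc-login as the shell
-        if len(command) == 2:
-            return command[1]
-
     print >>sys.stderr, PROG + ": ERROR: Invalid syntax"
     sys.exit(1)
 
 def main():
+    # Backwards compatibility for when we recommended people to use
+    # thinlinc-login as a locked down shell
+    if len(sys.argv) == 3 and sys.argv[1] == '-c':
+        # Redirect to noshell
+        noshell = os.path.join(prefix.get_tl_prefix(), "bin", "noshell")
+        os.execv(noshell, sys.argv)
+
     # Read configuration. FIXME: Use relative paths. 
     hive = hiveconf.open_hive("/opt/thinlinc/etc/thinlinc.hconf")
     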
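Review bot: The compatibility redirect at the top of `main()` hands every `-c` invocation to noshell, whose `case` accepts only a command beginning with the bare word `thinlinc-login`, whereas the removed parser accepted any first word ending in `thinlinc-login` (for example a full path). If that tightening is intended, say so next to the redirect, e.g. `# noshell only accepts a bare "thinlinc-login" command; path-qualified forms are now rejected`; if it is not, accounts that still have thinlinc-login as their shell and receive a path-qualified command will be refused. `os.execv` also raises `OSError` when noshell is missing or not executable, which would surface as a traceback rather than the `PROG + ": ERROR: ..."` message used elsewhere in this file; catching it and exiting non-zero keeps the failure closed and consistent. `main()` continues past the end of the hunk.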
