--- doc/external/auth.xml (revision 31551)
+++ doc/external/auth.xml (revision 31558)
@@ -81,14 +81,6 @@
 against Windows domains and LDAP databases. - - An user connecting to ThinLinc needs executable access to the ThinLinc - login shell thinlinc-login and if you don't have - any intentions to allow a regular shell access to the server you should - set default login shell for the users to - /usr/bin/thinlinc-login. - -
--- doc/external/configuration.xml (revision 31551)
+++ doc/external/configuration.xml (revision 31558)
@@ -2539,6 +2539,37 @@
 </sect1> + <sect1 id="configuration_noshell"> + + <title> + Restricting Shell Access + + + + Like other login methods, ThinLinc requires a functional shell for the + user trying to log in. Setting a non-functional shell such as + /bin/false will prevent ThinLinc from + working.However, ThinLinc also includes a special shell that still + allows users to log in using ThinLinc, but prevents all other shell + access. User's that should be restricted should be configured to have + /opt/thinlinc/bin/noshell as their shell. See the + documentation for your user database for information on how to + configure a user's shell. + + + + It is also possible to restrict the shell when accessed via SSH, but + still permit shell usage locally or inside ThinLinc sessions. Configure + /etc/ssh/sshd_config with the following for the + users that should be restricted: + + +ForceCommand /opt/thinlinc/bin/noshell + + + +
--- vsm/noshell (revision 0)
+++ vsm/noshell (revision 31558)
@@ -0,0 +1,47 @@
+#!/bin/bash
+# -*- mode: shell-script; coding: utf-8 -*-
+#
+# Copyright 2016 Cendio AB.
+# For more information, see http://www.cendio.com
+
+#
+# Dummy shell that prevents login to anything but ThinLinc
+#
+
+end()
+{
+ echo "Shell access has been prohibited" >&2
+ exit 1
+}
+
+# Invoked via ForceCommand
+if [ $# -eq 0 -a -n "$SSH_ORIGINAL_COMMAND" ]; then
+ set -- -c "$SSH_ORIGINAL_COMMAND"
+ unset SSH_ORIGINAL_COMMAND
+fi
+
+# FIXME: Check that we are a login shell.
+# argv[0] is not preserved with shebang.
+# May have to rewrite in C.
+
+# There must be a command, and no voodoo
+[ $# -eq 2 ] || end
+[ "$1" == "-c" ] || end
+
+# If we are both the user's shell, and ForceCommand, then we
+# will get a request to execute ourselves
+# ($0 cannot be used since we are a login shell)
+if [ "$2" == "${BASH_SOURCE[0]}" ]; then
+ exec "${BASH_SOURCE[0]}"
+fi
+
+# thinlinc-login is invoked from sshd, and may have arguments
+case "$2" in
+ thinlinc-login|thinlinc-login\ *)
+ set -- $2
+ shift
+ exec thinlinc-login "$@"
+ ;;
+esac
+
+end
--- vsm/thinlinc-vsm.spec.in (revision 31551)
+++ vsm/thinlinc-vsm.spec.in (revision 31558)
@@ -81,6 +81,7 @@
 %dir /opt/thinlinc/etc/conf.d
 %dir /opt/thinlinc/etc/sessionstartup.d
 %dir /opt/thinlinc/etc/sessionreconnect.d
+/opt/thinlinc/bin/noshell
 /opt/thinlinc/bin/tl-config
 /etc/profile.d/thinlinc.sh
 /etc/profile.d/thinlinc.csh
--- vsm/Makefile (revision 31551)
+++ vsm/Makefile (revision 31558)
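Review bot: `set -- $2` in the thinlinc-login case splits the request with unquoted expansion, so pathname expansion also runs and a request such as `thinlinc-login *` hands thinlinc-login the names of files in the current directory instead of the literal words; disable globbing around the split with `set -f` before `set -- $2` and `set +f` after it (or use `read -r -a`), which also makes the result independent of the caller's working directory. The following `exec thinlinc-login "$@"` resolves the program through PATH, while the Makefile hunk in this commit installs thinlinc-login under $(PREFIX)/libexec; unless a PATH entry or symlink is provided elsewhere, an absolute path derived from `${BASH_SOURCE[0]}` would remove that dependence on the invoking environment. `[ $# -eq 0 -a -n "$SSH_ORIGINAL_COMMAND" ]` relies on the non-portable `-a` operator; `[ $# -eq 0 ] && [ -n "$SSH_ORIGINAL_COMMAND" ]` is the POSIX form. The FIXME about not detecting a login shell, and the fact that sshd's internal-sftp subsystem does not consult the user's shell at all, are limitations worth recording in the header comment, e.g. `# NOTE: cannot verify it was started as a login shell, and does not restrict internal-sftp file transfer`.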
@@ -140,10 +140,12 @@
 echo "ThinLinc $(VERSION)" > $(PREFIX)/etc/thinlinc-release
 $(INSTALL) -m 644 thinlinc.hconf $(PREFIX)/etc/
 $(INSTALL) -m 644 vsm.hconf $(PREFIX)/etc/conf.d/
+ $(INSTALL) noshell $(PREFIX)/bin/
 $(INSTALL) tl-config $(PREFIX)/bin/
 $(INSTALL) install_service $(PREFIX)/libexec/
 $(INSTALL) remove_service $(PREFIX)/libexec/
 $(INSTALL) service $(PREFIX)/libexec/
+ $(OINSTALL) thinlinc-login $(PREFIX)/libexec/
 $(OINSTALL) -m 644 modules/thinlinc/vsm/__init__.py $(PREFIX)/modules/thinlinc/vsm/
 $(OINSTALL) -m 644 modules/thinlinc/crypt.py $(PREFIX)/modules/thinlinc/
 $(OINSTALL) -m 644 modules/thinlinc/crypto.py $(PREFIX)/modules/thinlinc/
@@ -183,7 +185,6 @@
 $(INSTALL) -s lsh-pam-checkpw $(PREFIX)/sbin/
 mkdir -p $(PREFIX)/libexec
 $(INSTALL) -s xprop/xprop $(PREFIX)/libexec/
- $(OINSTALL) thinlinc-login $(PREFIX)/libexec/
 mkdir -p $(ROOTDIR)/etc/pam.d/
 $(INSTALL) -d $(ROOTDIR)/var/lib/vsm
 $(OINSTALL) -m 644 modules/thinlinc/vsm/vsmxmlrpccall.py $(VSMMOD)/
@@ -283,6 +284,7 @@
 encrypt-vnc-pw.c\
 Makefile\
 Makefile.defines\
+ noshell\
 thinlinc.hconf\
 vsm.hconf\
 vsmagent.hconf\
--- vsm/thinlinc-login (revision 31551)
+++ vsm/thinlinc-login (revision 31558)
@@ -1,7 +1,7 @@
 #!/usr/bin/env python-thinlinc
 # -*-mode: python; coding: utf-8 -*-
 #
-# Copyright 2002-2014 Cendio AB.
+# Copyright 2002-2016 Cendio AB.
 # For more information, see http://www.cendio.com
 
 import sys
@@ -13,6 +13,7 @@
 import hiveconf
 import xmlrpclib
 from thinlinc import ctccommon
+from thinlinc import prefix
 
 #
 # Various notes:
@@ -110,31 +111,17 @@ if len(sys.argv) == 2: return sys.argv[1] - # The following cases are with thinlinc-login as the shell - if len(sys.argv) == 3: - if sys.argv[1] != '-c': - print >>sys.stderr, PROG + ": ERROR: Invalid syntax" - sys.exit(1) - - # FIXME: Support full shell syntax? - command = sys.argv[2].split() - - if (len(command) < 1) or not command[0].endswith("thinlinc-login"): - print >>sys.stderr, PROG + ": ERROR: Invalid syntax" - sys.exit(1) - - # Case 3: Old client with thinlinc-login as the shell - if len(command) == 1: - return "master" - - # Case 4: New client with thinlinc-login as the shell - if len(command) == 2: - return command[1] - print >>sys.stderr, PROG + ": ERROR: Invalid syntax" sys.exit(1) def main(): + # Backwards compatibility for when we recommended people to use + # thinlinc-login as a locked down shell + if len(sys.argv) == 3 and sys.argv[1] == '-c': + # Redirect to noshell + noshell = os.path.join(prefix.get_tl_prefix(), "bin", "noshell") + os.execv(noshell, sys.argv) + # Read configuration. FIXME: Use relative paths. hive = hiveconf.open_hive("/opt/thinlinc/etc/thinlinc.hconf")
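Review bot: The `os.execv(noshell, sys.argv)` added to main() has no failure path: if the noshell script is absent or not executable (for instance an upgraded thinlinc-login next to an older install), execv raises OSError and the user gets a Python traceback instead of the `PROG + ": ERROR: ..."` message and `sys.exit(1)` that the parsing code earlier in this hunk uses; catching OSError around the exec keeps the error reporting consistent. The hunk does not show `import os` being added and the import hunk earlier in this commit adds only `from thinlinc import prefix`, so confirm that `os` is already imported in the part of the header not shown. The function whose tail opens this hunk starts outside it, and main() continues past the hunk's last line.
```python
        # Redirect to noshell
        noshell = os.path.join(prefix.get_tl_prefix(), "bin", "noshell")
        try:
            os.execv(noshell, sys.argv)
        except OSError as e:
            print >>sys.stderr, PROG + ": ERROR: Could not execute " + noshell + ": " + str(e)
            sys.exit(1)
```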