1131 – Document security-related best practice for running large ThinLinc clusters.

Bug 1131 - Document security-related best practice for running large ThinLinc clusters.

Summary: Document security-related best practice for running large ThinLinc clusters.

Status:	CLOSED FIXED

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	Documentation (show other bugs)
Version:	trunk
Hardware:	PC Linux

Importance:	P2 Enhancement
Target Milestone:	4.8.0
Assignee:	Pierre Ossman

URL:
Keywords:	prosaic, samuel_tester

Duplicates (1):	5604 (view as bug list)
Depends on:
Blocks:

Reported:	2005-02-18 14:16 CET by Erik Forsberg
Modified:	2017-03-20 16:54 CET (History)
CC List:	3 users (show)

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Erik Forsberg cendio

2005-02-18 14:16:08 CET

Most of the ThinLinc administrators we've seen until now have been unexperienced
with Linux systems, which means that they don't know too much about security in
a Linux environment.

It is definitely not our role to tell them how to do everything, and we must
trust our dear partnertechnicians (heh..), but we could still give some hints.

This bug is for collecting ideas.

The first recommendation is to recommend having different root passwords on all
servers.

Another one is to use ssh-keys to connect to the other servers, but with
ssh-agent, not passwordless keys.

Running some kind of software that checks for root kits is also a good idea.

And so on, and so on..

Comment 1 Erik Forsberg cendio

2005-02-18 14:17:57 CET

Oh, and of course, always keep your distribution updated.

Comment 2 Pierre Ossman cendio

2016-11-29 11:07:32 CET

The previous examples may be a bit too general Linux administration stuff. A better example could be how you can prevent "normal" SSH access, whilst still letting ThinLinc run.

Comment 3 Pierre Ossman cendio

2017-01-30 10:20:46 CET

*** Bug 5604 has been marked as a duplicate of this bug. ***

Comment 5 Henrik Andersson cendio

2017-02-20 12:55:14 CET

I think it would be nice to document the use of an ThinLinc access group eg. "allow users in group to run thinlinc-login". with such a configuration a ssh system can be locked down in fully with two rules: "Only allow users in admins to get shell" and "Only allow users in thinlinc group to run thinlinc-login"

Comment 6 Henrik Andersson cendio

2017-02-20 12:58:48 CET

Due to the fact we piggyback on SSH lock down, we might want to provide information that SSH have a match system that could be used in combination with the info we provide.

Such as having a "trusted group that is allowed to use local drives" eg. portforwardning and a "non trusted group for disabling localdrives", on the same system.

Comment 7 Henrik Andersson cendio

2017-02-20 13:00:34 CET

I suggest that content for "Disabling local port forwarding" is moved as a note to "Disabling remote port forwardning"

Comment 9 Pierre Ossman cendio

2017-02-21 12:14:28 CET

We're happy with this now.

Comment 10 Samuel Mannehed cendio

2017-03-02 09:27:25 CET

I have followed the instructions and they all work as advertised. Good!

Note You need to log in before you can comment on or make changes to this bug.