[vox-tech] Providing access to SSH on Kiosk?
Bill Kendrick
vox-tech@lists.lugod.org
Mon, 12 Jan 2004 23:04:07 -0800
On Mon, Jan 12, 2004 at 10:56:15PM -0800, ME wrote:
>
> What about LILO/grub? can the user pass args to the kernel to be booted?
> You know, the old "init=/bin/bash" arg/trick for local root on boot
> without restrictions...
hehe - come now, Michael!
Yes, I have LILO restricted to ONLY let "Linux" image boot, with no
arguments, unless a password is supplied.
e.g., no "linux single" at the "boot:" prompt, unless you've got the cred's ;)
Unless I misunderstood you, in which case I now look like a buffoon. :^)
> > Might make sense to look into a lock for the case, though...
>
> They help. Of course there is the MIT guide to lock picking.... Though,
> how many people actually learn how to pick locks? ]:>
Stay AWAY from my computer, Mike. :^)
<snip>
> These require one of two things:
> 1 access to build their own ssh clients with modified source code and
> force the user to call their ssh client instead of the one you installed.
> (Usually this means root access.)
Okay, this is covered (in a perfect world) by Unix permissions and the
fact that users shouldn't be able to get to a shell to even INVOKE a
compiler, let alone install the binary. :^)
<snip>
> A presentation on the useful features of ssh would also be good.
> (Tunneling, proxy, redirection, etc.)
Okay Mike, I'll jot you down for two presentations later this year.
Pick the dates. ;^)
<snip>
> Consider the other post where I discuss use of the browser to call a
> specified application and make that application a shell (with proper
> flags/args, an interactive shell.)
The beauty of KDE's Kiosk framework. :^) (Again, in a perfect world.
I found one irritation with the kiosk framework: people who want to check
their AOL.com email can't use AOL's web interface. Hellish Javascript invoked
by AOL, combined with a small bug in the kiosk framework. They already fixed
it and put the patch in CVS, I think :) )
> OT:
> However, with Linux things are not as bad as windows. Consider Windows NT
> 4 (pre SP3 I think-- very old btw) if the user could change screen saver,
> they could make the screensaver call command.com or a batch script and the
> screensaver run as SYSTEM. :-o
HOLY SH... err... wow :)
> We'll have to see what happens. I'll have a better idea in April. If the UC
> Davis CS dept wants to have me in their grad program on cs security,
> maybe I'll move to Davis in 2005 and attend LUGOD a little more often than
> I do now. :-D
Cool! :^) In the meantime, we should get Peter going to NBLUG meetings,
or something! He needs it! ;)
> OK. Consider another drive to image the system and rebuild every morning.
> A local disk with rsync would be pretty fast.
Hrm... neato. This is all fascinating, but at the same time scary.
Kinda like back in the day when I didn't write very 'robust' CGI scripts.
Fortunately, I wasn't quite as 'prolific' as that Matt's Scripts guy that's
still causing people pain... I'm glad I've got such a good network of folks
to talk to about this stuff today. :^) You and Ken have been priceless!
<snip>
> No problem. Hey Bill. Have I ever told you that the work you do is very
> cool, and most excellent? Ok. The work you do is cool and most excellent.
> :-)
Heh - Thanks. Just trying to serve my community. (But at the same time be
careful of hackers abusing them :) )
-bill!
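
The LILO setup described in the reply above (only the "Linux" image boots without arguments unless a password is supplied) corresponds to the `password=` and `restricted` options in lilo.conf. The following is an added example, not code from this thread: a small audit that reports, per boot label, whether kernel arguments are accepted without a password. The sample configs, paths, placeholder password and function names are constructed for illustration.

```python
# Constructed sample configs (hypothetical paths, placeholder password).
WEAK_CONF = """\
boot=/dev/hda
prompt
image=/boot/vmlinuz
    label=Linux
    root=/dev/hda1
"""

HARDENED_CONF = """\
boot=/dev/hda
prompt
password=CHANGE-ME   # placeholder; lilo.conf should then be mode 600
restricted
image=/boot/vmlinuz
    label=Linux
    root=/dev/hda1
"""

def parse_lilo_conf(text):
    """Return (global_opts, sections); options before the first image= are global."""
    global_opts, sections = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key.lower() in ("image", "other"):
            current = {"_path": value}        # start a new per-image section
            sections.append(current)
        else:
            current[key.lower()] = value.strip('"')
    return global_opts, sections

def audit(text):
    """Map each boot label to 'open', 'restricted' or 'mandatory'."""
    global_opts, sections = parse_lilo_conf(text)
    result = {}
    for sec in sections:
        opts = {**global_opts, **sec}         # per-image options override globals
        label = opts.get("label", sec["_path"])
        if "password" not in opts or "bypass" in sec:
            result[label] = "open"            # boot arguments accepted, no password
        elif "restricted" in opts and "mandatory" not in sec:
            result[label] = "restricted"      # password only when arguments are typed
        else:
            result[label] = "mandatory"       # password for every boot of this image
    return result
```

Any label reported as "open" accepts arguments at the "boot:" prompt without a password; "restricted" matches the behaviour described in the reply.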