[vox-tech] Providing access to SSH on Kiosk?

Bill Kendrick vox-tech@lists.lugod.org
Mon, 12 Jan 2004 23:04:07 -0800


On Mon, Jan 12, 2004 at 10:56:15PM -0800, ME wrote:
> 
> What about LILO/grub? can the user pass args to the kernel to be booted?
> You know, the old "init=/bin/bash" arg/trick for local root on boot
> without restrictions...

hehe - come now, Michael!

Yes, I have LILO restricted to ONLY let "Linux" image boot, with no
arguments, unless a password is supplied.

e.g., no "linux single" at the "boot:" prompt, unless you've got the cred's ;)


Unless I misunderstood you, in which case I now look like a buffoon. :^)


> > Might make sense to look into a lock for the case, though...
> 
> They help. Of course there is the MIT guide to lock picking.... Though,
> how many people actually learn how to pick locks? ]:>

Stay AWAY from my computer, Mike. :^)


<snip>
> These require one of two things:
> 1 access to build their own ssh clients with modified source code and
> force the user to call their ssh client instead of the one you installed.
> (Usually this means root access.)

Okay, this is covered (in a perfect world) by Unix permissions and the
fact that users shouldn't be able to get to a shell to even INVOKE a
compiler, let alone install the binary. :^)


<snip>
> A presentation on the useful features of ssh would also be good.
> (Tunneling, proxy, redirection, etc.)

Okay Mike, I'll jot you down for two presentations later this year.
Pick the dates. ;^)


<snip>
> Consider the other post where I discuss use of the browser to call a
> specified application and make that application a shell (with proper
> flags/args, an interactive shell.)

The beauty of KDE's Kiosk framework. :^)  (Again, in a perfect world.
I found one irritation with the kiosk framework: people who want to check
their AOL.com email can't use AOL's web interface.  Hellish Javascript invoked
by AOL, combined with a small bug in the kiosk framework.  They already fixed
it and put the patch in CVS, I think :) )


> OT:
> However, with Linux things are not as bad as Windows. Consider Windows NT
> 4 (pre SP3 I think-- very old btw) if the user could change screen saver,
> they could make the screensaver call command.com or a batch script and the
> screensaver run as SYSTEM. :-o

HOLY SH... err... wow :)


> We'll have to see what happens. I'll have a better idea in April. If the UC
> Davis CS dept wants to have me in their grad program on cs security,
> maybe I'll move to Davis in 2005 and attend LUGOD a little more often than
> I do now. :-D

Cool! :^)  In the meantime, we should get Peter going to NBLUG meetings,
or something!  He needs it! ;)


> OK. Consider another drive to image the system and rebuild every morning.
> A local disk with rsync would be pretty fast.

Hrm... neato.  This is all fascinating, but at the same time scary.

Kinda like back in the day when I didn't write very 'robust' CGI scripts.
Fortunately, I wasn't quite as 'prolific' as that Matt's Scripts guy that's
still causing people pain...  I'm glad I've got such a good network of folks
to talk to about this stuff today. :^)  You and Ken have been priceless!


<snip>
> No problem. Hey Bill. Have I ever told you that the work you do is very
> cool, and most excellent? Ok. The work you do is cool and most excellent.
> :-)

Heh - Thanks.  Just trying to serve my community.  (But at the same time be
careful of hackers abusing them :) )

-bill!
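
The LILO restriction described in the message above (boot the "Linux" image freely, but require a password as soon as arguments such as "single" or "init=/bin/bash" are typed) can be checked mechanically. The following is an added example, not part of the original message or Bill's actual configuration: a small audit of lilo.conf text, assuming the password, restricted, mandatory and bypass keywords documented in lilo.conf(5). Both sample configurations and the password placeholder are constructed.

```python
# Added example: classify each LILO boot entry by how it is protected.
#   open       - anyone at the boot: prompt can pass kernel arguments
#   restricted - boots freely, password needed only when arguments are given
#   mandatory  - password needed for any boot of this entry
FLAGS = ("bypass", "restricted", "mandatory")

def audit_lilo(conf_text):
    glob, entries, cur = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (simplified)
        if not line:
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        key = key.lower()
        if key in ("image", "other"):            # a new per-entry section starts
            cur = {"label": val}                 # fall back to the path as label
            entries.append(cur)
        elif cur is None:
            glob[key] = val                      # global section
        else:
            cur[key] = val.strip('"')
    result = {}
    for e in entries:
        has_pw = "password" in e or "password" in glob
        # A per-entry flag overrides a global one; a password with no flag
        # at all means mandatory.
        flag = next((f for scope in (e, glob) for f in FLAGS if f in scope),
                    "mandatory")
        result[e["label"]] = flag if has_pw and flag != "bypass" else "open"
    return result

# Constructed sample: global password plus "restricted", as in the message.
HARDENED = """
boot=/dev/hda
prompt
password=EXAMPLE-ONLY   # constructed placeholder, never a real secret
restricted
image=/boot/vmlinuz
    label=Linux
    read-only
image=/boot/vmlinuz.old
    label=Rescue
    mandatory
other=/dev/hda2
    label=Other
    bypass
"""

# Constructed sample: no password, so "linux init=/bin/bash" is accepted.
WEAK = "boot=/dev/hda\nprompt\nimage=/boot/vmlinuz\n    label=Linux\n"

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_lilo(conf))
```

Because lilo.conf stores the password in plain text, the file itself should be readable by root only (mode 600); otherwise the restriction is only as strong as the file permissions.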