Bug 1131 - Document security-related best practice for running large ThinLinc clusters.
Summary: Document security-related best practice for running large ThinLinc clusters.
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Documentation (show other bugs)
Version: trunk
Hardware: PC Linux
: P2 Enhancement
Target Milestone: 4.8.0
Assignee: Pierre Ossman
URL:
Keywords: prosaic, samuel_tester
: 5604 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-02-18 14:16 CET by Erik Forsberg
Modified: 2017-03-20 16:54 CET (History)
3 users (show)

See Also:
Acceptance Criteria:


Attachments

Description Erik Forsberg cendio 2005-02-18 14:16:08 CET
Most of the ThinLinc administrators we've seen until now have been unexperienced
with Linux systems, which means that they don't know too much about security in
a Linux environment.

It is definitely not our role to tell them how to do everything, and we must
trust our dear partnertechnicians (heh..), but we could still give some hints.

This bug is for collecting ideas.

The first recommendation is to recommend having different root passwords on all
servers.

Another one is to use ssh-keys to connect to the other servers, but with
ssh-agent, not passwordless keys.

Running some kind of software that checks for root kits is also a good idea.

And so on, and so on..
Comment 1 Erik Forsberg cendio 2005-02-18 14:17:57 CET
Oh, and of course, always keep your distribution updated.
Comment 2 Pierre Ossman cendio 2016-11-29 11:07:32 CET
The previous examples may be a bit too general Linux administration stuff. A better example could be how you can prevent "normal" SSH access, whilst still letting ThinLinc run.
Comment 3 Pierre Ossman cendio 2017-01-30 10:20:46 CET
*** Bug 5604 has been marked as a duplicate of this bug. ***
Comment 5 Henrik Andersson cendio 2017-02-20 12:55:14 CET
I think it would be nice to document the use of an ThinLinc access group eg. "allow users in group to run thinlinc-login". with such a configuration a ssh system can be locked down in fully with two rules: "Only allow users in admins to get shell" and "Only allow users in thinlinc group to run thinlinc-login"
Comment 6 Henrik Andersson cendio 2017-02-20 12:58:48 CET
Due to the fact we piggyback on SSH lock down, we might want to provide information that SSH have a match system that could be used in combination with the info we provide.

Such as having a "trusted group that is allowed to use local drives" eg. portforwardning and a "non trusted group for disabling localdrives", on the same system.
Comment 7 Henrik Andersson cendio 2017-02-20 13:00:34 CET
I suggest that content for "Disabling local port forwarding" is moved as a note to "Disabling remote port forwardning"
Comment 9 Pierre Ossman cendio 2017-02-21 12:14:28 CET
We're happy with this now.
Comment 10 Samuel Mannehed cendio 2017-03-02 09:27:25 CET
I have followed the instructions and they all work as advertised. Good!

Note You need to log in before you can comment on or make changes to this bug.