Restricting access to ThinLinc servers

In some cases it might be desirable or required to restrict the users’ access to the ThinLinc servers and their ability to move data in and out of the system. This chapter describes some ways this can be achieved, as well as the consequences of such restrictions.

Disabling SSH access

The system’s SSH server often includes a lot of functionality for accessing the system. Completely disabling this service is a quick way to restrict most of the external access to the system. However the native ThinLinc client requires SSH to function so users will be limited to only using the HTML based Web Access client.

Many SSH servers also support limiting access to just certain users. OpenSSH has settings such as AllowGroups and Match that can limit functionality without completely disabling the SSH server.

Disabling shell access

User sessions are normally started via the user’s configured shell, so restricting the shell is a good method to restrict what kind of sessions the user can start. Primarily this is usefull to prevent users from running custom commands via SSH.

Changing the configured shell

Commonly the user’s shell is configured to /bin/false in order to disable shell access. Unfortunately this also prevents access to ThinLinc as it needs to run the commands thinlinc-login and /opt/thinlinc/etc/xsession via the user’s shell. As an alternative it is possible to configure /usr/bin/thinlinc-login as the shell. This will allow ThinLinc to function whilst preventing any other type of session.

Note that this method prevents any terminals inside the session from functioning as well. In most cases it also does not prevent users from running custom scripts and shell commands as they can use a text editor to construct such scripts.

Using ForceCommand

OpenSSH has the ability to ignore the user’s configured shell and run a different command instead. This makes it possible to keep a normal shell for the user and only restrict access when connecting via SSH. However this prevents the native ThinLinc client from connecting as it needs to be able to run the command thinlinc-login with specific arguments. The following script can be specified as ForceCommand to allow only ThinLinc access via SSH:

#!/bin/bash
thinlinc-login -c "${SSH_ORIGINAL_COMMAND}"

It is also possible to apply this restriction only to a subset of users by using the Match setting. Please see OpenSSH’s documentation for how to configure this mechanism.

Disabling port forwarding

ThinLinc relies on SSH port forwarding in order to function. However it is possible to limit that port forwarding in order to avoid unwanted network access. ThinLinc only requires forwarding via the loopback interface, so the SSH server can always be configured to only allow this without limiting ThinLinc in any way. For OpenSSH this is configured by specifying the following in sshd_config:

GatewayPorts no
PermitOpen 127.0.0.1:*

Note that it is also necessary to disable shell access in order to completely prevent users from forwarding ports as otherwise they could run their own forwarding software over the shell channel.

Disabling remote port forwarding

It is possible to use ThinLinc with remote port forwarding completely disabled. However this will prevent local devices such as sound, drives and printers from functioning. In OpenSSH this is configured by adding the following to /etc/ssh/sshd_config:

AllowTcpForwarding local

It is also possible to apply this restriction only to a subset of users by using the Match setting. Please see OpenSSH’s documentation for how to configure this mechanism.

Note

Local port forwarding cannot be disabled as it is required for even the basic ThinLinc functionality.

Disabling clipboard

It is possible to disable clipboard transfers in either direction in order to avoid easily moving data to and from the server. The first step is adding -noclipboard to the ThinLinc setting /vsmagent/xserver_args. This prevents the user from later changing the clipboard settings. Next add -AcceptCutText=0 to disable clipboard transfers going to the server, and -SendCutText=0 to prevent transfers going from the server.

Disabling local drives

ThinLinc local drives redirection relies on being able to ask the kernel to mount a NFS share. This is a privileged operation that only root is permitted to perform, and as such this feature requires a setuid helper binary. This helper is called /opt/thinlinc/libexec/tl-mount-personal and the setuid permission can be removed by running the follow:

$ sudo chmod u-s /opt/thinlinc/libexec/tl-mount-personal

Note that this only disables the ability to use the kernel NFS client. If a user can start some other NFS client then they can still access the local drive redirection. The setuid permission is also restored each time ThinLinc is upgraded.