Re: Securing Linux based public access terminals

[Brett Anderson <brett () cs jhu edu>]

True, xdm(or similar) should handle the logins so you can not do the
alt-f1, ctrl-z deal. Also, I mentioned disabling text logins via
/etc/inittab, so that you can not hit alt-f1, login, and use the shell.

On Mon, 2004-07-19 at 10:02, Jay Fougere wrote:
> You will also have to disable some keystrokes such as the alt-f1 alt-f2 
> (to access shells) otherwise all someone would have to do would be to 
> alt-f1 (switch to the terminal X is running in) and ctrl-z (to suspend 
> the active X session) and run commands as the logged in user. If that 
> user is chrooted in an environment with only X and a browser that may 
> not be a concern. I simply mention this because many don't know about 
> the ctrl-z to suspend the X session (and that will circumvent any "lock 
> the desktop" functions you may be using)
>
> Brett Anderson wrote:
>
> > You can achieve this using the ratpoison window manager
> > (http://ratpoison.sourceforge.net) and having your application start
> > when X does. ratpoison runs apps full screen with no window decorations.
> > You can easily modify the source to not allow the key combination that
> > allows users to spawn new programs.
> >
> > Then setup iptables rules to only allow the users access to the gateway
> > or web proxy.
> >
> > You may also want to lock down the virtual terminals by removing the
> > getty lines from /etc/inittab to prevent text logins.
> >
> > If you choose to use RedHat 9 you can get security updates via apt-get
> > or yum through the Fedora Legacy Project (http://www.fedoralegacy.org).
> >
> > Hope this helps.
> >
> > Brett
> >
> > On Thu, 2004-07-15 at 07:48, Andrew Shore wrote:
> >  
> >
> > > Hi 
> > >
> > > I have a project where I need to give access to the internet to groups
> > > of users who do not work for the company running the workstations.
> > > Hence, the company do not want the users to access any other part of the
> > > network. For reasons too complicated to go into here I can't hive this
> > > portion of the network off onto a DMZ or even a secure vlan.
> > >
> > > What I would like to is run a Linux workstation (RedHat probably 9 even
> > > though it's out of support) but when the user logs into the windows
> > > session all they get is the browser. No menus no right click on the desk
> > > top just a basic single application "dumb terminal". I've seen this done
> > > before but it was too well secured for me to see how it was done! Also
> > > I'd like to the workstation to log straight in as a local user with out
> > > user intervention.
> > >
> > > Any ideas how I can achieve this or perhaps secure it in another way, I
> > > remember with windows 3.x you could change the windows manager settings
> > > in win.ini and it did exactly what I want. I just really don't want to
> > > use Windows 3.1 ;)
> > >
> > > TIA
> > >
> > > Andy
> > >
> > >
> > > ---------------------------------------------------------------------------
> > > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> > > any course! All of our class sizes are guaranteed to be 10 students or less 
> > > to facilitate one-on-one interaction with one of our expert instructors. 
> > > Attend a course taught by an expert instructor with years of in-the-field 
> > > pen testing experience in our state of the art hacking lab. Master the skills 
> > > of an Ethical Hacker to better assess the security of your organization. 
> > > Visit us at: 
> > > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > > ----------------------------------------------------------------------------
> > >
> > >
> > >    
> >
> >
> > ---------------------------------------------------------------------------
> > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> > any course! All of our class sizes are guaranteed to be 10 students or less 
> > to facilitate one-on-one interaction with one of our expert instructors. 
> > Attend a course taught by an expert instructor with years of in-the-field 
> > pen testing experience in our state of the art hacking lab. Master the skills 
> > of an Ethical Hacker to better assess the security of your organization. 
> > Visit us at: 
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ----------------------------------------------------------------------------
> >
> >  
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------