HP t1000 T1500/T1510 Windows-based Terminal Network Installation Guide - Page 46

Secure Shell, program based upon

Get HP t1000 - Terminal Thin Client PC PDF manuals and user guides View all HP t1000 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 46 highlights

32 Chapter 4 where terminal is the terminal name and user is the user name from the terminal (root is automatically used if security is disabled; guest is automatically used if security is enabled and auto login as guest is selected). In addition, the terminal optionally supports both Kerberos authentication and DES data encryption for RSH commands, although the X protocol packets for an X application will not go through the DES data encryption layer. Secure Shell This is an additional method for using the X Manager with RSH. The distribution includes the shell rshsecure, which is designed to perform a more secure method for managing RSH requests. rshsecure also provides the ability for users to run shell scripts, such as those invoked from an XDM session on an X terminal. The remainder of this section describes how to configure your server for use with the rshsecure shell. Start by creating a new account. For security reasons, make sure this account is not the superuser account. As root, create a .rhosts file for this user, and make sure the ownership of the .rhosts file gets changed (chown) to this user. In the .rhosts file, add one entry for every terminal/user pair you want to go through rshsecure. For example, if you are using your terminals as "security disabled" and you are using DHCP, you can put every DHCP IP address in the .rhosts file with the user name being root. After saving the .rhosts file and using chown to assign ownership, make sure it is writable only by the user and not by anyone else (chmod 644 .rhosts). Change the login shell for the account to be the rshsecure program (based upon where you installed it, since you need a full path name). Note On Linux, the included rshsecure binary uses libc5. Determine the set of commands you will be allowing your users to run and create the file rshsecure.cfg in the login directory for this user. Again, make sure that it is not writable by anyone except the owner. Lines starting with the pound sign (#) are treated as comments. The first non-comment line is the shell to be used when invoking commands. The second non-comment line is the xterm program (or equivalent). The third non-comment line is the su program. All three of these programs should be fully qualified with path names to eliminate possible security concerns. All remaining lines are the authorized commands. The rshsecure program does a literal comparison of the entries in this file to the command passed via RSH (with arguments removed), so, for example, comparing /bin/ls to / bin/ls will succeed and comparing ls to /bin/ls will fail.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
32
Chapter 4
where
terminal
is the terminal name and
user
is the user name from the
terminal (
root
is automatically used if security is disabled;
guest
is automatically
used if security is enabled
and
auto login as guest
is selected).
In addition, the terminal optionally supports both Kerberos authentication and DES
data encryption for RSH commands, although the X protocol packets for an X
application will not go through the DES data encryption layer.
Secure Shell
This is an additional method for using the X Manager with RSH. The distribution
includes the shell
rshsecure
, which is designed to perform a more secure method
for managing RSH requests.
rshsecure
also provides the ability for users to run
shell scripts, such as those invoked from an XDM session on an X terminal. The
remainder of this section describes how to configure your server for use with the
rshsecure
shell.
Start by creating a new account. For security reasons, make sure this account is
not
the superuser account.
As root, create a .
rhosts
file for this user, and make sure the ownership of the
.
rhosts
file gets changed (
chown
) to this user. In the .
rhosts
file, add one entry
for every terminal/user pair you want to go through
rshsecure
. For example, if
you are using your terminals as “security disabled” and you are using DHCP, you
can put every DHCP IP address in the .
rhosts
file with the user name being
root
.
After saving the .
rhosts
file and using
chown
to assign ownership, make sure it is
writable
only
by the user and not by anyone else (
chmod 644 .rhosts
).
Change the login shell for the account to be the
rshsecure
program (based upon
where you installed it, since you need a full path name).
Note
On Linux, the included
rshsecure
binary uses
libc5
.
Determine the set of commands you will be allowing your users to run and create
the file
rshsecure
.
cfg
in the login directory for this user. Again, make sure that it
is not writable by anyone except the owner. Lines starting with the pound sign (#)
are treated as comments. The first non-comment line is the shell to be used when
invoking commands. The second non-comment line is the
xterm
program (or
equivalent). The third non-comment line is the
su
program. All three of these
programs should be fully qualified with path names to eliminate possible security
concerns. All remaining lines are the authorized commands. The
rshsecure
program does a literal comparison of the entries in this file to the command passed
via RSH (with arguments removed), so, for example, comparing
/bin/ls
to
/
bin/ls
will succeed and comparing
ls
to
/bin/ls
will fail.