Re: consent to monitoring banner for ssh

You're right, this gives users an out. I forgot the ~/.ssh/rc check.
Your approach of setting the users' shell to a script seems better.


On Dec 4, 2007 8:17 PM, Carl G. Riches <cgr@xxxxxxxxxxxxxxxx> wrote:
> On Tue, 4 Dec 2007, mups.cp wrote:
>
> > Carl,
> >
> > You don't need to set everyone's login shell; you could use
> > /etc/ssh/sshrc and put your code, or a call to it, in it.
>
> Is /etc/ssh/sshrc run in the case where a user has a private ~/.ssh/rc
> file?  The information here:
>
>   http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html
>
> states that it is not.  Also, the sshd(8) man page says:
>
>   If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists,
>   runs it; otherwise runs xauth.  The "rc" files are given the
>   X11 authentication protocol and cookie in standard input.
>
> This gives the user an out.
>
> Carl
>
>
> >
> >
> > On Dec 4, 2007 7:41 PM, Carl G. Riches <cgr@xxxxxxxxxxxxxxxx> wrote:
> >> On Tue, 4 Dec 2007, Bill Tangren wrote:
> >>
> >>> A new policy has been implemented here at work. The old policy stated
> >>> that, when someone logs in to a system via ssh, I had to display a consent
> >>> to monitor banner, which is easy to implement.
> >>>
> >>> The new policy, however, requires that the user has to somehow signify
> >>> that they have read and will abide by the policy. In essence, I have to
> >>> get a yes or no input from the user, possibly just after they log on, and
> >>> if they say no, log them off. If they say yes, they get to proceed.
> >>>
> >>> My question: what is the best way to implement this? I have to make sure
> >>> the user cannot remove this functionality for future logins, so I can't
> >>> put it in any of their login scripts. This is easy to implement for GUI
> >>> logins, but I don't know the best way to proceed for ssh. Any ideas?
> >>>
> >>
> >> We did a somewhat-similar task at a place where I used to work.  We set
> >> everyone's login shell to a locally-written perl script.  That perl script
> >> did things such as ensure that the user had permission to log in to the
> >> system, check the user's quota, print out a blurb, then exec( )'d tcsh.
> >> It needed some interrupt handling, though, to fit what you want to do.  I
> >> don't have the code anymore, but this might give you an idea of what
> >> direction to go.  (Would you need to record user's answers to your
> >> question in a database for future reference?  This might give you that
> >> ability.)
> >>
> >> HTH,
> >> Carl
> >>
> >> --
> >> Carl G. Riches
> >> Software Engineer
> >> Department of Biostatistics
> >> Box 357232                      voice:     206-616-2725
> >> University of Washington        fax:       206-543-3286
> >> Seattle, WA  98195-7232         internet:  cgr@xxxxxxxxxxxxxxxx
> >>
> >>
> >> --
> >> redhat-list mailing list
> >> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> >> https://www.redhat.com/mailman/listinfo/redhat-list
> >>
> >
>
>

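As an added example (not code from this thread or from any of the posters), here is the login-shell wrapper approach discussed above written as a POSIX sh script: it prints the banner, requires an explicit yes, records each decision with the client address, treats Ctrl-C and EOF as refusal, and only then execs the real shell. The paths /bin/bash, /var/log/consent.log and /etc/issue.net and the wrapper name consent-shell are assumptions.

```shell
#!/bin/sh
# Constructed example (not from the thread): a consent-gate login shell.
# Install it as e.g. /usr/local/bin/consent-shell, list it in /etc/shells,
# and make it the users' login shell. sshd execs the login shell before any
# user-controlled file (~/.ssh/rc, ~/.profile, ...) is read, so the user
# cannot remove the prompt from their own dotfiles.
REAL_SHELL="${CONSENT_REAL_SHELL:-/bin/bash}"       # assumed real shell
CONSENT_LOG="${CONSENT_LOG:-/var/log/consent.log}"  # assumed audit log path
BANNER="${CONSENT_BANNER:-/etc/issue.net}"          # assumed banner text

# Accept only an explicit yes; empty input, EOF and anything else refuse.
consent_accepted() {
    case "$1" in
        [Yy]|[Yy][Ee][Ss]) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Append one audit record: UTC timestamp, user, client IP (if over ssh), decision.
log_decision() {
    remote=${SSH_CLIENT%% *}        # SSH_CLIENT is "ip port port" under sshd
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" \
        "${remote:-local}" "$2" >> "$CONSENT_LOG" 2>/dev/null || true
}

consent_gate() {
    me=$(id -un)
    # Ctrl-C, hangup or a dropped connection at the prompt count as refusal.
    trap 'log_decision "$me" interrupted; exit 1' INT HUP TERM QUIT
    [ -r "$BANNER" ] && cat "$BANNER"
    printf 'Do you consent to monitoring and agree to the policy? [yes/no] '
    read -r answer || answer=""    # EOF (e.g. no tty) refuses as well
    trap - INT HUP TERM QUIT
    if consent_accepted "$answer"; then
        log_decision "$me" accepted
        # No args: interactive login, so start the real shell as a login shell.
        # With args (sshd passes "-c cmd"): run the command as requested.
        [ $# -eq 0 ] && exec "$REAL_SHELL" -l
        exec "$REAL_SHELL" "$@"
    fi
    log_decision "$me" refused
    echo 'Consent not given; disconnecting.'
    exit 1
}

# Gate only when invoked as a shell (argv[0] starts with "-" for a login
# shell, or is this script's name); sourcing the file for testing does nothing.
case "$0" in
    -*|*consent-shell) consent_gate "$@" ;;
esac
```

Because sshd also runs the login shell for scp, sftp and `ssh host command` sessions, those are gated too (and fail on EOF at the prompt); decide explicitly how the `-c` case should behave under your policy before deploying.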
