
Re: consent to monitoring banner for ssh



Well, you *could* do the "acceptance by logging in" thing... or you can force them to type [yes|no]. Here's how I accomplish that.


#Set the /etc/issue file to the login banner.  This one has no linefeeds,
#so it will wrap accordingly.
cat <<EOF >/etc/issue
YOUR WELCOME BANNER.
EOF

#This part creates the same login banner once your username and password have
#been entered.  This has linefeeds in it.
#The delimiter is quoted ('EOF') so the shell does not expand $PATH, $1, $? and
#the backticks while writing the file; they have to survive into the script as-is.
#GDM runs this script before the X session starts; it does not affect ssh logins.
cat <<'EOF' >/etc/X11/gdm/PreSession/Default
#!/bin/sh
#
# Note that any setup should come before the sessreg command as
# that must be 'exec'ed for the pid to be correct (sessreg uses the parent
# pid)
#
# Note that output goes into the .xsession-errors file for easy debugging
#
PATH="/usr/bin/X11:/usr/X11R6/bin:/opt/X11R6/bin:$PATH:/bin:/usr/bin"

# Show the banner as a yes/no dialog.  Only an explicit "Yes" (exit status 0)
# lets the session continue; "No", Esc or a failed dialog all log the user out.
/usr/bin/gdialog --yesno "YOUR WELCOME BANNER"
if [ $? -ne 0 ]; then
   gdialog --infobox "Logging out in 10 Seconds" 1 20 &
   sleep 10
   exit 1
fi

# Find the first executable named $1 on $PATH and print its full path.
gdmwhich () {
   COMMAND="$1"
   OUTPUT=
   IFS=:
   for dir in $PATH
   do
       if test -x "$dir/$COMMAND" ; then
           if test "x$OUTPUT" = "x" ; then
               OUTPUT="$dir/$COMMAND"
           fi
       fi
   done
   unset IFS
   echo "$OUTPUT"
}

XSETROOT=`gdmwhich xsetroot`
if [ "x$XSETROOT" != "x" ] ; then
   # Try to snarf the BackgroundColor from the config file
   BACKCOLOR=`grep '^BackgroundColor' /etc/X11/gdm/gdm.conf | sed 's/^.*=\(.*\)$/\1/'`
   if [ "x$BACKCOLOR" = "x" ]; then
       BACKCOLOR="#76848F"
   fi
   "$XSETROOT" -cursor_name left_ptr -solid "$BACKCOLOR"
fi

SESSREG=`gdmwhich sessreg`
if [ "x$SESSREG" != "x" ] ; then
   # some output for easy debugging
   echo "$0: Registering your session with wtmp and utmp"
   echo "$0: running: $SESSREG -a -w /var/log/wtmp -u /var/run/utmp -x \"$X_SERVERS\" -h \"$REMOTE_HOST\" -l \"$DISPLAY\" \"$USER\""

   exec "$SESSREG" -a -w /var/log/wtmp -u /var/run/utmp -x "$X_SERVERS" -h "$REMOTE_HOST" -l "$DISPLAY" "$USER"
   # this is not reached
fi
#Some output for easy debugging.
echo "$0: could not find the sessreg utility, cannot update wtmp and utmp"
exit 0
EOF

#/etc/ssh/sshd_config banner settings.
#This only rewrites a line that literally reads "#Banner /some/path"; check the
#result with: grep '^Banner' /etc/ssh/sshd_config
perl -npe 's/^#Banner \/some\/path/Banner \/etc\/issue/g' -i /etc/ssh/sshd_config


--
Shawn D. Wells
Solutions Architect, Federal Team
swells redhat com
C: 443-534-0130





mups.cp wrote:
You're right, this gives users an out. I forgot the ~/.ssh/rc check.
Your approach of setting the users' shell to a script seems better.


On Dec 4, 2007 8:17 PM, Carl G. Riches <cgr u washington edu> wrote:
On Tue, 4 Dec 2007, mups.cp wrote:

Carl,

You don't need to set everyone's login shell; you could use
/etc/ssh/sshrc and put your code, or a call to it, in there.
Is /etc/ssh/sshrc run in the case where a user has a private ~/.ssh/rc
file?  The information here:

  http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html

states that it is not.  Also, the sshd(8) man page says:

  If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists,
  runs it; otherwise runs xauth.  The "rc" files are given the
  X11 authentication protocol and cookie in standard input.

This gives the user an out.

Carl


On Dec 4, 2007 7:41 PM, Carl G. Riches <cgr u washington edu> wrote:
On Tue, 4 Dec 2007, Bill Tangren wrote:

A new policy has been implemented here at work. The old policy stated
that, when someone logs in to a system via ssh, I had to display a consent
to monitor banner, which is easy to implement.

The new policy, however, requires that the user has to somehow signify
that they have read and will abide by the policy. In essence, I have to
get a yes or no input from the user, possibly just after they log on, and
if they say no, log them off. If they say yes, they get to proceed.

My question: what is the best way to implement this? I have to make sure
the user cannot remove this functionality for future logins, so I can't
put it in any of their login scripts. This is easy to implement for GUI
logins, but I don't know the best way to proceed for ssh. Any ideas?

We did a somewhat-similar task at a place where I used to work.  We set
everyone's login shell to a locally-written perl script.  That perl script
did things such as ensure that the user had permission to log in to the
system, check the user's quota, print out a blurb, then exec( )'d tcsh.
It needed some interrupt handling, though, to fit what you want to do.  I
don't have the code anymore, but this might give you an idea of what
direction to go.  (Would you need to record users' answers to your
question in a database for future reference?  This might give you that
ability.)

HTH,
Carl

--
Carl G. Riches
Software Engineer
Department of Biostatistics
Box 357232                      voice:     206-616-2725
University of Washington        fax:       206-543-3286
Seattle, WA  98195-7232         internet:  cgr u washington edu
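The login-shell wrapper Carl describes, written out as an added example (not code from anyone in the thread): it prints the banner, demands an explicit yes, logs the answer, and only then execs the real shell; because root sets the login shell, neither ~/.ssh/rc nor the user's dotfiles can skip it. The names consent-shell, REAL_SHELL and CONSENT_LOG, and the choice to refuse sessions that have no terminal (scp, sftp, "ssh host cmd"), are my assumptions.

```shell
#!/bin/sh
# consent-shell: installed as the user's login shell (chsh or /etc/passwd), so it
# runs on every ssh login regardless of ~/.ssh/rc or the user's dotfiles.
# Assumed names, not from the thread: REAL_SHELL, CONSENT_LOG (and this script).
REAL_SHELL="${REAL_SHELL:-/bin/bash}"
CONSENT_LOG="${CONSENT_LOG:-/var/log/consent.log}"
# Normalise a typed answer: 0 = yes, 1 = no, 2 = unrecognised (ask again).
classify_answer() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|y) return 0 ;;
        no|n)  return 1 ;;
        *)     return 2 ;;
    esac
}
# Append an audit record: who answered what, and from which address.
log_answer() {
    printf '%s user=%s from=%s answer=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$1" "${SSH_CONNECTION%% *}" "$2" >> "$CONSENT_LOG" 2>/dev/null
}
# Ask up to three times; succeeds only on an explicit yes.  Interrupt keys and a
# closed stdin count as refusal, so there is no way to break out into a shell.
ask_consent() {
    trap 'log_answer "$1" interrupted; exit 1' INT QUIT TERM HUP
    tries=0
    while [ "$tries" -lt 3 ]; do
        printf 'Do you accept this policy? [yes/no] '
        read -r answer || { log_answer "$1" eof; return 1; }
        rc=0; classify_answer "$answer" || rc=$?
        case $rc in
            0) log_answer "$1" yes; return 0 ;;
            1) log_answer "$1" no;  return 1 ;;
        esac
        tries=$((tries + 1))
    done
    log_answer "$1" no-answer; return 1
}
main() {
    if [ ! -t 0 ]; then   # scp/sftp/"ssh host cmd": no terminal to ask on, so refuse
        echo "$0: consent to monitoring must be given at an interactive login" >&2
        exit 1
    fi
    cat /etc/issue 2>/dev/null          # the banner sshd already shows, repeated
    ask_consent "$(id -un)" && exec "$REAL_SHELL" -l   # replace ourselves with the real shell
    echo "Policy not accepted; logging out."; sleep 2; exit 1
}
# Run the entry point only when installed under this name (lets the functions be tested).
case "${0##*/}" in consent-shell|-consent-shell) main "$@" ;; esac
```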


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list





