Compaq T1500 manual Secure Shell


where terminal is the terminal name and user is the user name from the terminal (root is automatically used if security is disabled; guest is automatically used if security is enabled and auto login as guest is selected).

In addition, the terminal optionally supports both Kerberos authentication and DES data encryption for RSH commands, although the X protocol packets for an X application will not go through the DES data encryption layer.

Secure Shell

This is an additional method for using the X Manager with RSH. The distribution includes the shell rshsecure, which is designed to provide a more secure method for managing RSH requests. rshsecure also provides the ability for users to run shell scripts, such as those invoked from an XDM session on an X terminal. The remainder of this section describes how to configure your server for use with the rshsecure shell.

Start by creating a new account. For security reasons, make sure this account is not the superuser account.

As root, create a .rhosts file for this user, and make sure the ownership of the .rhosts file gets changed (chown) to this user. In the .rhosts file, add one entry for every terminal/user pair you want to go through rshsecure. For example, if you are using your terminals as “security disabled” and you are using DHCP, you can put every DHCP IP address in the .rhosts file with the user name being root. After saving the .rhosts file and using chown to assign ownership, make sure it is writable only by the user and not by anyone else (chmod 644 .rhosts).

Change the login shell for the account to be the rshsecure program (based upon where you installed it, since you need a full path name).

Note

On Linux, the included rshsecure binary uses libc5.

Determine the set of commands you will be allowing your users to run and create the file rshsecure.cfg in the login directory for this user. Again, make sure that it is not writable by anyone except the owner. Lines starting with the pound sign (#) are treated as comments. The first non-comment line is the shell to be used when invoking commands. The second non-comment line is the xterm program (or equivalent). The third non-comment line is the su program. All three of these programs should be fully qualified with path names to eliminate possible security concerns. All remaining lines are the authorized commands. The rshsecure program does a literal comparison of the entries in this file to the command passed via RSH (with arguments removed), so, for example, comparing /bin/ls to /bin/ls will succeed and comparing ls to /bin/ls will fail.
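The following is an added example, not part of the manual or of the rshsecure distribution: a shell script that audits a rshsecure.cfg and .rhosts pair against the rules above and models the literal command comparison. The function names, the sample paths and addresses, and the skipping of blank lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: models the rshsecure.cfg rules described in the manual text.

# Print non-comment lines. Assumption: blank lines are skipped as well.
cfg_lines() { grep -v -e '^#' -e '^[[:space:]]*$' "$1"; }

# Succeed only if FILE exists and is not writable by group or others.
owner_only_writable() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Audit: lines 1-3 (shell, xterm, su) are full paths and the file is protected.
cfg_audit() {
    n=$(cfg_lines "$1" | awk 'NR <= 3 && /^\// { n++ } END { print n + 0 }')
    [ "$n" -eq 3 ] || { echo "$1: shell/xterm/su need full paths" >&2; return 1; }
    owner_only_writable "$1" || { echo "$1: group/other writable" >&2; return 1; }
}

# Model of the check: drop the arguments, then compare the command literally
# with the authorized commands (non-comment lines 4 and later).
cfg_allows() {
    cmd=$(printf '%s\n' "$2" | awk '{ print $1; exit }')
    [ -n "$cmd" ] || return 1
    cfg_lines "$1" | sed '1,3d' | grep -Fxq -- "$cmd"
}

# Constructed sample files; every path and address here is illustrative.
make_sample() {
    cat > "$1/rshsecure.cfg" <<'EOF'
# shell, xterm, su (full paths), then the authorized commands
/bin/sh
/usr/bin/X11/xterm
/bin/su
/bin/ls
/usr/local/bin/startsession.sh
EOF
    printf '%s\n' '192.0.2.10 root' '192.0.2.11 root' > "$1/.rhosts"
    chmod 644 "$1/rshsecure.cfg" "$1/.rhosts"
}

demo=$(mktemp -d) && make_sample "$demo"
cfg_audit "$demo/rshsecure.cfg" && echo "config audit passed"
for c in '/bin/ls -l /tmp' 'ls -l /tmp' '/bin/cat /etc/motd'; do
    if cfg_allows "$demo/rshsecure.cfg" "$c"; then echo "allow: $c"
    else echo "deny:  $c"; fi
done
```

Because the comparison is literal, a command sent as ls is denied even though /bin/ls is authorized, and the shell, xterm and su entries on the first three lines are not themselves treated as authorized commands in this model.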
