Explains how to secure the password.
There are other things that can be done within the terminal to prevent tampering, e.g., a read-only environment,
but the above protects the password from hacking, eavesdropping, and from regular users
in the shop; basically, only the sysadmin and bookkeeper should have remote access via the password.
So YBDB, although on the internet, will be confined to the terminal(s) you allow it to be on, and
the Point of Sale will be at the proper location .. at the front of the Community Bike Shop where people
walk-in/walk-out.
10 years ago
How to protect the password for YBDB in a public environment.

PROTECTING A DIRECTORY UNDER A WEBSERVER (apache 2.4)

A. The htpasswd command is found in the apache2-utils package.

B. htpasswd -Bc -C 10 /var/htpasswd someuser (note that bcrypt is used, with cost 10; -c creates the file, so leave it out when adding another user or the file is overwritten)

C. chown www-data:www-data /var/htpasswd; chmod 0400 /var/htpasswd
   (readable only by the user apache runs as, www-data on Debian, and kept outside the document root so it can never be served)

D. <Directory /var/www/html>
       AuthType Basic
       AuthName "Amazing Community Bike Shop Login"
       AuthUserFile /var/htpasswd
       Require user someuser
   </Directory>

   Basic auth sends the password with every request, base64-encoded but not encrypted, so it is only as safe as the SSL below. After restarting apache, check that a request without credentials is answered with 401 and one with the htpasswd credentials with 200.

SSL (do not settle for anything less)

Under Debian:

A. openssl req -new -x509 -nodes -out ssl-cert-snakeoil.pem -days 36500 -keyout ssl-cert-snakeoil.key (100 year self-signed certificate; these file names are the ones Debian's default-ssl.conf already points at)

B. cp ssl-cert-snakeoil.key /etc/ssl/private/
   cp ssl-cert-snakeoil.pem /etc/ssl/certs/
   (the key must stay readable by root only; the certificate is public)

C. a2enmod ssl;
   a2ensite default-ssl.conf; (standard on debian-based distributions .. add the <Directory> stanza above inside its <VirtualHost>)
   a2dissite 000-default.conf;
   then restart apache so the changes take effect.

   Because the certificate is self-signed, each terminal's browser has to be told once to trust it; do that deliberately on the terminal rather than clicking through a warning on every visit. Newer browsers may refuse a certificate with such a long validity period; if a terminal rejects it, reissue it with a shorter -days value and rotate it before it expires. Also confirm that the site no longer answers on plain http: if apache still listens on port 80 (ports.conf), either remove that Listen line or put the <Directory> stanza in apache2.conf, where it applies to every virtual host.

An alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy,
make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address,
because YBDB shops keep track of their unique ip. Trust that header only when the request really came from your proxy: any client can send its own X-Forwarded-For, so the proxy must append the address it saw, and the application (or apache's mod_remoteip, through its RemoteIPHeader and RemoteIPInternalProxy directives) must take the entry the proxy added, not the first one in the list.
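How the proxy note above works out in practice, as an added example that is not code from YBDB or nginx-proxy: every proxy appends the address it received the request from to X-Forwarded-For, but the client can send the header too, so the leftmost entries are untrusted input. Walking the list from the right and skipping the addresses of proxies you control gives the first hop you did not add yourself, which is the real client. The proxy networks and the sample requests are assumed for illustration.

```python
"""Trusting X-Forwarded-For only as far as your own proxy.

Added example (not YBDB or nginx-proxy code).  The proxy networks and the
sample requests are assumptions made for the illustration.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed: the reverse proxy (nginx-proxy) sits on this network or on localhost.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24"), ip_network("127.0.0.1/32")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr parses as an IP address inside one of our proxy networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """remote_addr: the TCP peer apache saw.  xff: raw X-Forwarded-For or None.

    Returns the address to record as the shop's ip, falling back to
    remote_addr whenever the header cannot be believed.
    """
    # A connection that did not come through our proxy carries a header we
    # did not write: ignore it and use the peer address.
    if not is_trusted_proxy(remote_addr) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The rightmost entry was appended by the proxy nearest to us; keep
    # stepping left while the entries are still our own proxies.
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ip_address(hop)
        except ValueError:
            # "unknown", a hostname or injected junk: never record attacker text.
            return remote_addr
        return hop
    # Every entry was one of our proxies (e.g. a health check from the proxy).
    return remote_addr


# Constructed requests: (peer address seen by apache, X-Forwarded-For header).
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("10.0.0.5", "203.0.113.7"),                # normal request via the proxy
    ("10.0.0.5", "198.51.100.9, 203.0.113.7"),  # client sent its own XFF first
    ("10.0.0.5", "203.0.113.7, 10.0.0.9"),      # two of our proxies in a chain
    ("198.51.100.2", "203.0.113.7"),            # bypassed the proxy entirely
    ("10.0.0.5", "unknown"),                    # proxy could not determine it
]


def resolve_all() -> List[str]:
    """Client address for each constructed request, in order."""
    return [client_ip(peer, xff) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={peer:14} xff={xff!r:32} -> client {ip}")
```

The second and fourth sample requests are the ones that matter: a client that prepends its own address to the header still resolves to the address the proxy appended, and a client that reaches apache directly (without the proxy) gets its real peer address no matter what it sends. Apache's mod_remoteip applies the same rule when RemoteIPInternalProxy lists the proxy's addresses, after which the %a access-log field holds the client address.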
TERMINAL AUTOMATION AND SECURITY

Firefox (IceWeasel):

1. Download the KeePass v2 zip - http://keepass.info/download.html

2. Unzip it in ~/KeePass

3. sudo chown root:root ~/KeePass; sudo chmod 0755 ~/KeePass;

4. cd ~/KeePass; mkdir plugins

5. run .. mono KeePass.exe (the mono packages from step 10 are needed first), create a database and a key file in ~/KeePass

6. mv KeePass.config.xml KeePass.config.enforced.xml

7. sudo chown root:root KeePass.config.enforced.xml (and the database/key file)

8. sudo chmod 0444 KeePass.config.enforced.xml

9. Most importantly, in KeePass.config.enforced.xml set <UnhidePasswords> inside <Security><Policy> to false (change it from true, or add the elements if they are not there):

   <Security>
     <Policy><UnhidePasswords>false</UnhidePasswords></Policy>
   </Security>

   so that passwords cannot be unmasked in the KeePass window. Settings in the enforced file override the user's own configuration and cannot be changed from the KeePass options dialog, which is why the file is root-owned and read-only.

10. In Debian/Ubuntu: apt-get install mono-runtime mono-devel

11. Install the KeeFox extension from https://addons.mozilla.org/en-us/firefox/addon/keefox/

12. KeeFox will tell you where to copy KeePassRPC.plgx from into the plugins directory,
    usually somewhere under ~/.mozilla/firefox/*default/extensions/keefox*

13. When setting up the password database for KeePass use only a key file.

14. Add the url along with the username and password in the database.

15. Once the login is working properly for the htpasswd setup for apache,
    the whole process can be completely automated in KeeFox options.

16. In Firefox (IceWeasel) Preferences -> General use "When IceWeasel starts: Show my windows and tabs from the last time"

17. Afterwards, you can sudo chown -R root:root ~/KeePass/*

You may need to make adjustments for plugins.

Chrome:

1. Install keepass2: sudo apt-get install keepass2

2. cd /usr/lib/keepass2; \
   sudo mv KeePass.config.xml KeePass.config.enforced.xml

   edit the file and add between <Configuration></Configuration>

   <Security>
     <Policy><UnhidePasswords>false</UnhidePasswords></Policy>
   </Security>

   sudo chmod 0400 KeePass.config.enforced.xml

   (0400 is enough here because keepass2 is started as root in step 8; the file stays root-owned so the pos user cannot relax the policy)

   [doc: https://keepass.info/help/base/configuration.htm]

3. Install libsecret-tools: sudo apt-get install libsecret-tools
   secret-tool store --label="PositiveSpin" keepass pos (it prompts for the password; remember it, it becomes the master password. The secret goes into the pos user's login keyring, so a running keyring unlocked at login is required for the automation later.)

4. run keepass2;
   create a new password database in ~/keepass
   assign the password stored with secret-tool as the Master password
   create a key file in ~/keepass
   In the password database, add the url for YBDB, username and password (created with htpasswd)
   close keepass2
   sudo chown -R root:root ~/keepass
   sudo chmod -R 0400 ~/keepass (change to 0600 if you want to change the password, then back to 0400 when done)

5. Install the chrome extension chromeIPass

6. Install keepasshttp from https://github.com/pfn/keepasshttp/ by putting KeePassHttp.plgx in /usr/lib/keepass2;
   sudo chmod 0644 /usr/lib/keepass2/KeePassHttp.plgx
   sudo apt-get install libmono-system-xml-linq4.0-cil libmono-system-data-datasetextensions4.0-cil \
       libmono-system-runtime-serialization4.0-cil mono-mcs
   (the mono compiler is needed because KeePass compiles a .plgx plugin when it first loads it)

7. Follow the directions chromeIPass gives you, creating an identifier
   https://github.com/pfn/passifox/blob/master/documentation/chromeIPass.md goes into more detail

8. sudo su; visudo
   after: %sudo ALL=(ALL:ALL) ALL
   add: pos ALL=(ALL) NOPASSWD: /usr/bin/keepass2 (note pos is an example user account being used for X11)
   Be aware that keepass2 then runs as root, so its open/save/export dialogs can read and write any file on the machine; the enforced configuration and control over who sits at the terminal are what limit this.

9. In Chrome Settings "On Startup Continue where you left off" or
   "Open a specific page or set of pages" and add the YBDB POS url as one of those specific pages
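The policy edit that Firefox step 9 and Chrome step 2 both describe, and the ownership/mode checks the chown and chmod steps rely on, as an added example that is not KeePass's own code: it takes the text of KeePass.config.xml (or the renamed KeePass.config.enforced.xml), forces Configuration/Security/Policy/UnhidePasswords to false, creating the elements when the file does not have them yet, and reports a file that is not root-owned or is writable by anyone else. The sample configuration and the path in the demo are constructed for the example.

```python
"""Enforce and verify the KeePass policy used on the terminal.

Added example, not KeePass's own code.  SAMPLE_CONFIG and the path used in
the demo at the bottom are assumptions made for the illustration.
"""
import os
import stat
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a small config as KeePass might write it, with no
# Security section at all, which is the case the Chrome steps describe.
SAMPLE_CONFIG = """<Configuration>
  <Meta>
    <PreferUserConfiguration>false</PreferUserConfiguration>
  </Meta>
  <Application>
    <Start>
      <CheckForUpdate>false</CheckForUpdate>
    </Start>
  </Application>
</Configuration>
"""


def _child(parent: ET.Element, tag: str) -> ET.Element:
    """Return parent's child <tag>, creating it when missing."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def enforce_hidden_passwords(xml_text: str) -> str:
    """Return the configuration with UnhidePasswords forced to false."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("not a KeePass configuration file")
    policy = _child(_child(root, "Security"), "Policy")
    _child(policy, "UnhidePasswords").text = "false"
    return ET.tostring(root, encoding="unicode")


def passwords_hidden(xml_text: str) -> bool:
    """True only if the file explicitly forbids unhiding passwords."""
    flag = ET.fromstring(xml_text).find("Security/Policy/UnhidePasswords")
    return flag is not None and (flag.text or "").strip().lower() == "false"


def perm_problems(uid: int, mode: int) -> List[str]:
    """Problems with an owner uid and st_mode, per the chown/chmod steps above."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def file_problems(path: str) -> List[str]:
    """Apply perm_problems to a real file (enforced config, database, key file)."""
    st = os.stat(path)
    return perm_problems(st.st_uid, st.st_mode)


if __name__ == "__main__":
    fixed = enforce_hidden_passwords(SAMPLE_CONFIG)
    print(fixed)
    print("passwords hidden:", passwords_hidden(fixed))
    # Assumed path from the Chrome steps; only checked when it exists.
    path = "/usr/lib/keepass2/KeePass.config.enforced.xml"
    if os.path.exists(path):
        print(path, file_problems(path) or "ok")
```

passwords_hidden deliberately returns false for a file that merely lacks the element: KeePass's default allows unhiding, so "not mentioned" is the same as "allowed", and the check should fail loudly if someone recreates the config without the policy. The same file_problems check belongs on the .kdbx and the key file, since a database or key file the pos user can rewrite is just as bad as an editable policy.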

DESKTOP STARTUP

1. LXDE - put a file with this format in ~/.config/autostart with a name ending in .desktop, e.g. keepass.desktop:

   [Desktop Entry]
   Type=Application
   Name=KeePass
   Exec=bash -c "secret-tool lookup keepass pos | sudo keepass2 /home/pos/keepass/PositiveSpin.kdbx -pw-stdin -keyfile:/home/pos/keepass/PositiveSpin.key"

   (-pw-stdin reads the master password from the pipe, so it never appears on the command line where ps would show it; if the keyring is locked, secret-tool prints nothing and KeePass simply asks for the password.)

2. Gnome based Window manager, e.g. Mate - open gnome-session-properties from the commandline,
   and add a startup application.

SUSPENDING COMPUTER

Example commands that bring up the gui setting tool:

1. xfce4-power-manager-settings (eg., used by wattos for LXDE)

2. mate-power-manager-settings or mate-power-preferences

SUMMARY

There are other things that can be done within the terminal to prevent tampering, e.g., a read-only environment,
an expect or curl script, etc. rather than KeePass, but what is above protects the password from hacking, eavesdropping,
and from regular users in the shop; basically, only the sysadmin and bookkeeper should have remote access via the password.
So while YBDB is on the internet, it will only be available to the terminal(s) you allow it to be on, and
the Point of Sale will be at the proper location, which is usually the front of the Community Bike Shop where people
walk-in/walk-out.

Word of wisdom: It is always good practice to occasionally change the password. When you do, change it in the htpasswd file and in the KeePass database at the same time (that is what the temporary chmod 0600 step above is for), since the terminal logs in with whatever the database holds.