From 5b490e18e7823ccc0c3e569d666255fc1780350a Mon Sep 17 00:00:00 2001 From: Jonathan Rosenbaum Date: Sat, 6 Jan 2018 07:36:49 +0000 Subject: [PATCH] Adds more detail about fine tuning access, and improves apache setup instructions. --- examples/secure-terminals.txt | 46 +++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/examples/secure-terminals.txt b/examples/secure-terminals.txt index 15f7c83..ebadb45 100644 --- a/examples/secure-terminals.txt +++ b/examples/secure-terminals.txt @@ -78,8 +78,12 @@ II. cp device.key /etc/ssl/private/ssl-cert-snakeoil.key cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem III. a2enmod ssl; - a2ensite default-ssl.conf; (standard on debian-based distributions .. add stanza above) + a2ensite default-ssl.conf; (standard on debian-based distributions) + add certs to the SSLCertificateFile and SSLCertificateKeyFile directives in default-ssl.conf + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key a2dissite 000-default.conf; + service apache2 restart In the Chromium broswer: chrome://settings/certificates Choose IMPORT in AUTHORITIES @@ -102,7 +106,7 @@ Firefox (IceWeasel); note that Chrome below, provides the most recent instructio 6. mv KeePass.config.xml KeePass.config.enforced.xml 7. sudo chown root:root KeePass.config.enforced.xml (and database/key file) 8. sudo chmod 0400 KeePass.config.enforced.xml -9. See Chrome for KeePass.config.enforced.xml policy changes. +9. See Chrome for KeePass.config.enforced.xml policy changes. 10. In Debian/Ubuntu: apt-get install mono-runtime mono-devel 11. Install KeeFox extension from https://addons.mozilla.org/en-us/firefox/addon/keefox/ 12. KeeFox will tell you where to copy KeePassRPC.plgx from into the plugins directory 
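Review bot: the new `SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem` line wires in a file that the unchanged step II just above fills with `cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem`, i.e. a certificate signing request rather than a certificate, so Apache will fail to start on `service apache2 restart` until the signed certificate returned by the CA is put at that path instead; step II should copy the issued certificate, not the CSR. Since ssl-cert-snakeoil.pem/.key are the distribution's self-signed placeholder files, it would also be clearer to use site-specific names (e.g. `SSLCertificateFile /etc/ssl/certs/mysite.com.pem` and `SSLCertificateKeyFile /etc/ssl/private/mysite.com.key`) so the real key can never be confused with, or overwritten by, the placeholder. The hunk adds no permission step for the copied key; a `chmod 0600` (root-owned) on the file in /etc/ssl/private belongs next to the cp. Minor: the context line still reads "broswer".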
@@ -229,6 +233,38 @@ SPECIAL NOTES contact_add_edit.php, and another computer for volunteer staff allowing access to almost everything, including transaction_log.php, perhaps with the exclusion of certain reports that should only be available to the volunteer coordinator. + + https://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements provides good details how this is done: + + E.g., we want paid_members.php to be accessible via a completely different password under Apache for our paid members team: + + + SSLOptions +StdEnvVars + + + Order allow,deny + Allow from all + Satisfy any + + + Order allow,deny + Allow from all + Satisfy any + + + Authtype Basic + Authname "Amazing Community Bike Shop Login" + Require user someuser + AuthUserFile /var/htpasswd + + + Authtype Basic + Authname "Paid Members Login" + Require user paid_members_team + AuthUserFile /var/htpasswd + + +How to get that working with keepass2 should be obvious. SUSPENDING COMPUTER @@ -244,7 +280,7 @@ it is not always straight-forward, e.g., resetting the CMOS. GRUB2 PASSWORD PROTECT (mandatory) -You don't want individuals casually booting into single mode or a shell, therefore, +In order to prevent individuals from casually booting into single mode or a shell, password protecting GRUB with an encrypted password is mandatory. https://help.ubuntu.com/community/Grub2/Passwords gives good instructions @@ -256,7 +292,7 @@ https://help.ubuntu.com/community/Grub2/Passwords gives good instructions to CLASS="--class gnu-linux --class gnu --class os --unrestricted" - + 2. Create an encrypted password with grub-mkpasswd-pbkdf2, producing something like grub.pbkdf2.sha512.10000.80E702585F80C8D70D4BC75 
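Review bot: `Allow from all` combined with `Satisfy any` turns authentication off for whatever container it sits in, because `Satisfy any` lets the host-based `Allow` alone grant access; that is exactly what the linked wiki page uses to exempt public paths, but the stated goal of this stanza is to require a second, different password for paid_members.php. If either of the two `Order allow,deny` / `Allow from all` / `Satisfy any` blocks covers paid_members.php or its directory, the `Require user paid_members_team` block below it is never enforced and the page is public. Suggest removing `Satisfy any` from every container that is meant to stay protected (the default, `Satisfy all`, requires both access control and auth to pass) and keeping it only on genuinely public files. Two more points: as rendered, the stanzas carry no visible `<Files>`/`<Directory>`/`<Location>` container lines, so a reader cannot tell which path each block applies to, and the patch should show them; and `Order`/`Allow`/`Satisfy` are Apache 2.2 directives that only work on the 2.4 shipped with current Debian/Ubuntu if mod_access_compat is enabled, the 2.4 equivalents being `Require all granted` and `Require valid-user`. Both blocks also read the same `AuthUserFile /var/htpasswd`, which is fine with `Require user` as long as both `someuser` and `paid_members_team` exist in that file, but the closing "should be obvious" sentence would be more useful as one line saying what to do (a separate KeePass entry for the "Paid Members Login" realm).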
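Review bot: the reworded sentence still ends in "password protecting GRUB with an encrypted password is mandatory", but grub-mkpasswd-pbkdf2 in step 2 of this section produces a PBKDF2-SHA512 hash (`grub.pbkdf2.sha512.10000...`), not an encrypted password; suggest "a hashed (PBKDF2) password" in both places so readers do not expect the value to be recoverable. While touching this section, it is worth stating why the CLASS line in step 1 carries `--unrestricted`: it lets the regular menu entry boot without the password while editing entries and the GRUB command line still require it, which is the behaviour the "casually booting into single mode or a shell" sentence is after.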
@@ -270,7 +306,7 @@ https://help.ubuntu.com/community/Grub2/Passwords gives good instructions 5. update-grub2 -SSD or HD Encryption (optional) +SSD or HD ENCRYPTION (optional) If a sign-in computers unencrypted drive goes missing (or is stolen), it should (in most cases) be pretty obvious, and you would want to change YBDB's htpasswd and root password. However, if you
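Review bot: the retitled heading `SSD or HD ENCRYPTION (optional)` now matches the other all-caps headings (GRUB2 PASSWORD PROTECT, SUSPENDING COMPUTER), but the following context line has a missing possessive and should read "If a sign-in computer's unencrypted drive goes missing".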