Browse Source

Adds more detail about fine tuning access, and improves apache setup instructions.

devel
Jonathan Rosenbaum 7 years ago
parent
commit
5b490e18e7
  1. 46
      examples/secure-terminals.txt

46
examples/secure-terminals.txt

@ -78,8 +78,12 @@ II. cp device.key /etc/ssl/private/ssl-cert-snakeoil.key
cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem
III. a2enmod ssl; III. a2enmod ssl;
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above) a2ensite default-ssl.conf; (standard on debian-based distributions)
add certs to the SSLCertificateFile and SSLCertificateKeyFile directives in default-ssl.conf
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
a2dissite 000-default.conf; a2dissite 000-default.conf;
service apache2 restart
In the Chromium broswer: chrome://settings/certificates In the Chromium broswer: chrome://settings/certificates
Choose IMPORT in AUTHORITIES Choose IMPORT in AUTHORITIES
@ -102,7 +106,7 @@ Firefox (IceWeasel); note that Chrome below, provides the most recent instructio
6. mv KeePass.config.xml KeePass.config.enforced.xml 6. mv KeePass.config.xml KeePass.config.enforced.xml
7. sudo chown root:root KeePass.config.enforced.xml (and database/key file) 7. sudo chown root:root KeePass.config.enforced.xml (and database/key file)
8. sudo chmod 0400 KeePass.config.enforced.xml 8. sudo chmod 0400 KeePass.config.enforced.xml
9. See Chrome for KeePass.config.enforced.xml policy changes. 9. See Chrome for KeePass.config.enforced.xml policy changes.
10. In Debian/Ubuntu: apt-get install mono-runtime mono-devel 10. In Debian/Ubuntu: apt-get install mono-runtime mono-devel
11. Install KeeFox extension from https://addons.mozilla.org/en-us/firefox/addon/keefox/ 11. Install KeeFox extension from https://addons.mozilla.org/en-us/firefox/addon/keefox/
12. KeeFox will tell you where to copy KeePassRPC.plgx from into the plugins directory 12. KeeFox will tell you where to copy KeePassRPC.plgx from into the plugins directory
@ -229,6 +233,38 @@ SPECIAL NOTES
contact_add_edit.php, and another computer for volunteer staff allowing access to almost everything, contact_add_edit.php, and another computer for volunteer staff allowing access to almost everything,
including transaction_log.php, perhaps with the exclusion of certain reports that should only be available including transaction_log.php, perhaps with the exclusion of certain reports that should only be available
to the volunteer coordinator. to the volunteer coordinator.
https://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements provides good details how this is done:
E.g., we want paid_members.php to be accessible via a completely different password under Apache for our paid members team:
<FilesMatch "\.(php|paid_members\.php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /var/www/html/js>
Order allow,deny
Allow from all
Satisfy any
</Directory>
<Directory /var/www/html/css>
Order allow,deny
Allow from all
Satisfy any
</Directory>
<Directory /var/www/html>
Authtype Basic
Authname "Amazing Community Bike Shop Login"
Require user someuser
AuthUserFile /var/htpasswd
</Directory>
<Files "paid_members.php">
Authtype Basic
Authname "Paid Members Login"
Require user paid_members_team
AuthUserFile /var/htpasswd
</Files>
How to get that working with keepass2 should be obvious.
SUSPENDING COMPUTER SUSPENDING COMPUTER
@ -244,7 +280,7 @@ it is not always straight-forward, e.g., resetting the CMOS.
GRUB2 PASSWORD PROTECT (mandatory) GRUB2 PASSWORD PROTECT (mandatory)
You don't want individuals casually booting into single mode or a shell, therefore, In order to prevent individuals from casually booting into single mode or a shell,
password protecting GRUB with an encrypted password is mandatory. password protecting GRUB with an encrypted password is mandatory.
https://help.ubuntu.com/community/Grub2/Passwords gives good instructions https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
@ -256,7 +292,7 @@ https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
to to
CLASS="--class gnu-linux --class gnu --class os --unrestricted" CLASS="--class gnu-linux --class gnu --class os --unrestricted"
2. Create an encrypted password with grub-mkpasswd-pbkdf2, producing something like 2. Create an encrypted password with grub-mkpasswd-pbkdf2, producing something like
grub.pbkdf2.sha512.10000.80E702585F80C8D70D4BC75 grub.pbkdf2.sha512.10000.80E702585F80C8D70D4BC75
@ -270,7 +306,7 @@ https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
5. update-grub2 5. update-grub2
SSD or HD Encryption (optional) SSD or HD ENCRYPTION (optional)
If a sign-in computers unencrypted drive goes missing (or is stolen), it should (in most cases) If a sign-in computers unencrypted drive goes missing (or is stolen), it should (in most cases)
be pretty obvious, and you would want to change YBDB's htpasswd and root password. However, if you be pretty obvious, and you would want to change YBDB's htpasswd and root password. However, if you

Loading…
Cancel
Save