|
|
|
@ -15,7 +15,6 @@ D. <Directory /var/www/html> |
|
|
|
AuthUserFile /var/htpasswd |
|
|
|
</Directory> |
|
|
|
|
|
|
|
|
|
|
|
SSL (do not settle for anything less) |
|
|
|
|
|
|
|
Under Debian: |
|
|
|
@ -24,9 +23,12 @@ B. cp ssl-cert-snakeoil.key /etc/ssl/private/ |
|
|
|
cp ssl-cert-snakeoil.pem /etc/ssl/certs/ |
|
|
|
C. a2enmod ssl; |
|
|
|
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above) |
|
|
|
a2dissite 000-default.conf; |
|
|
|
a2dissite 000-default.conf; |
|
|
|
|
|
|
|
An alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy, |
|
|
|
make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address, |
|
|
|
because YBDB shops keep track of their unique ip. |
|
|
|
|
|
|
|
|
|
|
|
TERMINAL AUTOMATION AND SECURITY |
|
|
|
|
|
|
|
Firefox (IceWeasel): |
|
|
|
@ -53,34 +55,56 @@ Firefox (IceWeasel): |
|
|
|
You may need to make adjustments for plugins. |
|
|
|
|
|
|
|
Chrome: |
|
|
|
1. Download KeePass zip - http://keepass.info/download.html |
|
|
|
2. Unzip in ~/KeePass |
|
|
|
3. sudo chown root:root ~/KeePass; sudo chmod 0755 ~/KeePass; |
|
|
|
4. run .. mono KeePass.exe, create database and a key file in ~/KeePass |
|
|
|
5. mv KeePass.config.xml KeePass.config.enforced.xml |
|
|
|
6. sudo chown root:root KeePass.config.enforced.xml (and database/key file) |
|
|
|
7. sudo chmod 0444 KeePass.config.enforced.xml |
|
|
|
8. Most importantly in KeePass.config.enforced.xml between <Security> change true to |
|
|
|
<Policy><UnhidePasswords>false</UnhidePasswords></Policy> so that passwords cannot be seen. |
|
|
|
9. When setting up password database for KeePass use only a key file. |
|
|
|
10. Add the url along with username and password in the database. |
|
|
|
11. In Debian/Ubuntu: apt-get install mono-runtime mono-devel |
|
|
|
12. Install extension chromeIPass |
|
|
|
13. Install keepasshttp as explained at https://github.com/pfn/keepasshttp/ (put KeePassHttp.plgx in ~/KeePass) |
|
|
|
14. Follow the directions chromeIPass gives you, creating an identifier |
|
|
|
15. Good idea to restart chrome. |
|
|
|
16. In Chrome Settings "On Startup Continue where you left off" |
|
|
|
17. Afterwards, you can sudo chown -R root:root ~/KeePass/* |
|
|
|
You may need to make adjustments for plugins. |
|
|
|
|
|
|
|
1. Install keepass2: sudo apt-get install keepass2 |
|
|
|
2. cd /usr/lib/keepass2; \ |
|
|
|
sudo mv KeePass.config.xml KeePass.config.enforced.xml |
|
|
|
|
|
|
|
edit file and add between <Configuration></Configuration> |
|
|
|
|
|
|
|
<Security> |
|
|
|
<Policy><UnhidePasswords>false</UnhidePasswords></Policy> |
|
|
|
</Security> |
|
|
|
|
|
|
|
sudo chmod 0400 KeePass.config.enforced.xml |
|
|
|
|
|
|
|
[doc: https://keepass.info/help/base/configuration.htm] |
|
|
|
|
|
|
|
3. Install libsecret-tools: sudo apt-get install libsecret-tools |
|
|
|
secret-tool store --label="PositiveSpin" keepass pos (remember password) |
|
|
|
|
|
|
|
4. run keepass2; |
|
|
|
create new password database in ~/keepass |
|
|
|
assign password created with secret-tool to Master password |
|
|
|
create key file in ~/keepass |
|
|
|
In the password datatase, add the url for YBDB, username and password (created with htpasswd) |
|
|
|
close keepass2 |
|
|
|
sudo chown -R root:root ~/keepass |
|
|
|
sudo chmod -R 0400 ~/keepass (change to 0600 if you want to change password, then back to 0400 when done) |
|
|
|
|
|
|
|
5. Install chrome extension chromeIPass |
|
|
|
|
|
|
|
6. Install keepasshttp from https://github.com/pfn/keepasshttp/ by putting KeePassHttp.plgx in /usr/lib/keepass2; |
|
|
|
sudo chmod 0644 /usr/lib/keepass2/KeePassHttp.plgx |
|
|
|
sudo apt-get install libmono-system-xml-linq4.0-cil libmono-system-data-datasetextensions4.0-cil \ |
|
|
|
libmono-system-runtime-serialization4.0-cil mono-mcs |
|
|
|
|
|
|
|
7. Follow the directions chromeIPass gives you, creating an identifier |
|
|
|
https://github.com/pfn/passifox/blob/master/documentation/chromeIPass.md goes into more detail |
|
|
|
|
|
|
|
8. sudo su; visudo |
|
|
|
after: %sudo ALL=(ALL:ALL) ALL |
|
|
|
add: pos ALL=(ALL) NOPASSWD: /usr/bin/keepass2 (note pos is an example user account being used for X11) |
|
|
|
|
|
|
|
9. In Chrome Settings "On Startup Continue where you left off" or |
|
|
|
"Open a specific page or set of pages" and add the YBDB POS url as one of those specific pages |
|
|
|
|
|
|
|
DESKTOP STARTUP |
|
|
|
|
|
|
|
1. LXDE - put a file with this format in ~/.config/auto with name of *desktop, e.g. keepass.desktop: |
|
|
|
1. LXDE - put a file with this format in ~/.config/autostart with name of *desktop, e.g. keepass.desktop: |
|
|
|
|
|
|
|
[Desktop Entry] |
|
|
|
Type=Application |
|
|
|
Exec=/usr/bin/mono /home/ps/KeePass/KeePass.exe |
|
|
|
Exec=bash -c "secret-tool lookup keepass pos | sudo keepass2 /home/pos/keepass/PositiveSpin.kdbx -pw-stdin -keyfile:/home/pos/keepass/PositiveSpin.key |
|
|
|
|
|
|
|
2. Gnome based Window manager, e.g. Mate - open gnome-session-properties from commandline, |
|
|
|
and add startup application. |
|
|
|
@ -101,9 +125,3 @@ the Point of Sale will be at the proper location which is usually the front of t |
|
|
|
walk-in/walk-out. |
|
|
|
|
|
|
|
Word of wisdom: It is always good practice to occasionally change the password. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Jonathan Rosenbaum
6 years ago