From e67302b991942759458df3efdcd1f7891a5117c5 Mon Sep 17 00:00:00 2001 From: Jonathan Rosenbaum Date: Wed, 3 Jan 2018 23:48:27 +0000 Subject: [PATCH] Documentation updates for secure terminals! --- examples/secure-terminals.txt | 80 +++++++++++++++++++++-------------- 1 file changed, 49 insertions(+), 31 deletions(-) diff --git a/examples/secure-terminals.txt b/examples/secure-terminals.txt index ed29675..918c1d5 100644 --- a/examples/secure-terminals.txt +++ b/examples/secure-terminals.txt @@ -15,7 +15,6 @@ D. AuthUserFile /var/htpasswd - SSL (do not settle for anything less) Under Debian: @@ -24,9 +23,12 @@ B. cp ssl-cert-snakeoil.key /etc/ssl/private/ cp ssl-cert-snakeoil.pem /etc/ssl/certs/ C. a2enmod ssl; a2ensite default-ssl.conf; (standard on debian-based distributions .. add stanza above) - a2dissite 000-default.conf; + a2dissite 000-default.conf; + + An alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy, + make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address, + because YBDB shops keep track of their unique ip. - TERMINAL AUTOMATION AND SECURITY Firefox (IceWeasel): 
@@ -53,34 +55,56 @@ Firefox (IceWeasel): You may need to make adjustments for plugins. Chrome: -1. Download KeePass zip - http://keepass.info/download.html -2. Unzip in ~/KeePass -3. sudo chown root:root ~/KeePass; sudo chmod 0755 ~/KeePass; -4. run .. mono KeePass.exe, create database and a key file in ~/KeePass -5. mv KeePass.config.xml KeePass.config.enforced.xml -6. sudo chown root:root KeePass.config.enforced.xml (and database/key file) -7. sudo chmod 0444 KeePass.config.enforced.xml -8. Most importantly in KeePass.config.enforced.xml between change true to - false so that passwords cannot be seen. -9. When setting up password database for KeePass use only a key file. -10. Add the url along with username and password in the database. -11. In Debian/Ubuntu: apt-get install mono-runtime mono-devel -12. Install extension chromeIPass -13. Install keepasshttp as explained at https://github.com/pfn/keepasshttp/ (put KeePassHttp.plgx in ~/KeePass) -14. Follow the directions chromeIPass gives you, creating an identifier -15. Good idea to restart chrome. -16. In Chrome Settings "On Startup Continue where you left off" -17. Afterwards, you can sudo chown -R root:root ~/KeePass/* - You may need to make adjustments for plugins. - +1. Install keepass2: sudo apt-get install keepass2 +2. cd /usr/lib/keepass2; \ + sudo mv KeePass.config.xml KeePass.config.enforced.xml + + edit file and add between + + + false + + + sudo chmod 0400 KeePass.config.enforced.xml + + [doc: https://keepass.info/help/base/configuration.htm] + +3. Install libsecret-tools: sudo apt-get install libsecret-tools + secret-tool store --label="PositiveSpin" keepass pos (remember password) + +4. 
run keepass2; + create new password database in ~/keepass + assign password created with secret-tool to Master password + create key file in ~/keepass + In the password datatase, add the url for YBDB, username and password (created with htpasswd) + close keepass2 + sudo chown -R root:root ~/keepass + sudo chmod -R 0400 ~/keepass (change to 0600 if you want to change password, then back to 0400 when done) + +5. Install chrome extension chromeIPass + +6. Install keepasshttp from https://github.com/pfn/keepasshttp/ by putting KeePassHttp.plgx in /usr/lib/keepass2; + sudo chmod 0644 /usr/lib/keepass2/KeePassHttp.plgx + sudo apt-get install libmono-system-xml-linq4.0-cil libmono-system-data-datasetextensions4.0-cil \ + libmono-system-runtime-serialization4.0-cil mono-mcs + +7. Follow the directions chromeIPass gives you, creating an identifier + https://github.com/pfn/passifox/blob/master/documentation/chromeIPass.md goes into more detail + +8. sudo su; visudo + after: %sudo ALL=(ALL:ALL) ALL + add: pos ALL=(ALL) NOPASSWD: /usr/bin/keepass2 (note pos is an example user account being used for X11) + +9. In Chrome Settings "On Startup Continue where you left off" or + "Open a specific page or set of pages" and add the YBDB POS url as one of those specific pages DESKTOP STARTUP -1. LXDE - put a file with this format in ~/.config/auto with name of *desktop, e.g. keepass.desktop: +1. LXDE - put a file with this format in ~/.config/autostart with name of *desktop, e.g. keepass.desktop: [Desktop Entry] Type=Application -Exec=/usr/bin/mono /home/ps/KeePass/KeePass.exe +Exec=bash -c "secret-tool lookup keepass pos | sudo keepass2 /home/pos/keepass/PositiveSpin.kdbx -pw-stdin -keyfile:/home/pos/keepass/PositiveSpin.key 2. Gnome based Window manager, e.g. Mate - open gnome-session-properties from commandline, and add startup application. 
@@ -101,9 +125,3 @@ the Point of Sale will be at the proper location which is usually the front of t walk-in/walk-out. Word of wisdom: It is always good practice to occasionally change the password. - - - - - -
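Review bot: the new reverse-proxy paragraph in the second hunk (after `a2dissite 000-default.conf;`) should say who is trusted to set HTTP_X_FORWARDED_FOR, because the header is supplied by whatever connects to the proxy and is trivially spoofable unless the proxy overwrites it and the backend accepts it only from the proxy's own address; since YBDB keys its shop records on that IP, a forged header corrupts the very tracking the paragraph is trying to preserve. Suggest rewording along the lines of "configure nginx-proxy to set X-Forwarded-For itself, and have Apache trust it only from the proxy's address (mod_remoteip with RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy <proxy address>)", and naming the HTTP header `X-Forwarded-For` rather than the CGI variable so the reader knows what to configure on the proxy side.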
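Review bot: the new LXDE autostart `Exec=` line in the third hunk is missing its closing double quote (`Exec=bash -c "secret-tool lookup ... -keyfile:/home/pos/keepass/PositiveSpin.key` has an opening `"` and no closing one), so the desktop entry is malformed and keepass2 will not start at login; add the closing `"` after the `-keyfile:` argument. Separately, step 8's `pos ALL=(ALL) NOPASSWD: /usr/bin/keepass2` deserves a sentence on the trade-off: a GUI application with file-open dialogs, URL handling and plugin loading (step 6 drops KeePassHttp.plgx into /usr/lib/keepass2) running as root without a password is close to a passwordless root shell for whoever sits at the kiosk, which works against the 0400 root-owned files steps 2 and 4 set up to keep the pos user away from the database and key file. If root is required only so keepass2 can read those files, consider documenting the alternative of `chown root:pos` with mode 0440 on `~/keepass` and `KeePass.config.enforced.xml` and running keepass2 as pos, or state explicitly why the sudo rule is accepted. Minor: "password datatase" in step 4 should read "password database".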
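Review bot: the "Word of wisdom" about occasionally changing the password, which the last hunk leaves in place, now has three places a rotation must touch but the text names none of them: the htpasswd entry (step 4, "created with htpasswd"), the matching entry in the KeePass database, and, if the master password is rotated, the `secret-tool store --label="PositiveSpin" keepass pos` secret from step 3, with the `~/keepass` mode flipped to 0600 and back to 0400 as step 4 describes. Suggest expanding the sentence to list those steps so an operator does not change one and lock the terminal out.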