bike/Yellow-Bike-Database-Mirror
1
0
Fork 0
mirror of https://github.com/fspc/Yellow-Bike-Database.git synced 2025-10-31 17:05:36 -04:00
Code Issues Projects Releases Wiki Activity

Documentation updates for secure terminals!

Browse Source
This commit is contained in:
Jonathan Rosenbaum 2018-01-03 23:48:27 +00:00
parent f384c3b7ed
commit e67302b991
1 changed files with 48 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
examples/secure-terminals.txt
View File

@ -15,7 +15,6 @@ D. <Directory /var/www/html>
AuthUserFile /var/htpasswd AuthUserFile /var/htpasswd
</Directory> </Directory>
SSL (do not settle for anything less) SSL (do not settle for anything less)
Under Debian: Under Debian:
@ -24,9 +23,12 @@ B. cp ssl-cert-snakeoil.key /etc/ssl/private/
cp ssl-cert-snakeoil.pem /etc/ssl/certs/ cp ssl-cert-snakeoil.pem /etc/ssl/certs/
C. a2enmod ssl; C. a2enmod ssl;
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above) a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above)
a2dissite 000-default.conf; a2dissite 000-default.conf;
An alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy,
make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address,
because YBDB shops keep track of their unique ip.
TERMINAL AUTOMATION AND SECURITY TERMINAL AUTOMATION AND SECURITY
Firefox (IceWeasel): Firefox (IceWeasel):
@ -53,34 +55,56 @@ Firefox (IceWeasel):
You may need to make adjustments for plugins. You may need to make adjustments for plugins.
Chrome: Chrome:
1. Download KeePass zip - http://keepass.info/download.html 1. Install keepass2: sudo apt-get install keepass2
2. Unzip in ~/KeePass 2. cd /usr/lib/keepass2; \
3. sudo chown root:root ~/KeePass; sudo chmod 0755 ~/KeePass; sudo mv KeePass.config.xml KeePass.config.enforced.xml
4. run .. mono KeePass.exe, create database and a key file in ~/KeePass
5. mv KeePass.config.xml KeePass.config.enforced.xml edit file and add between <Configuration></Configuration>
6. sudo chown root:root KeePass.config.enforced.xml (and database/key file)
7. sudo chmod 0444 KeePass.config.enforced.xml <Security>
8. Most importantly in KeePass.config.enforced.xml between <Security> change true to <Policy><UnhidePasswords>false</UnhidePasswords></Policy>
<Policy><UnhidePasswords>false</UnhidePasswords></Policy> so that passwords cannot be seen. </Security>
9. When setting up password database for KeePass use only a key file.
10. Add the url along with username and password in the database.
11. In Debian/Ubuntu: apt-get install mono-runtime mono-devel
12. Install extension chromeIPass
13. Install keepasshttp as explained at https://github.com/pfn/keepasshttp/ (put KeePassHttp.plgx in ~/KeePass)
14. Follow the directions chromeIPass gives you, creating an identifier
15. Good idea to restart chrome.
16. In Chrome Settings "On Startup Continue where you left off"
17. Afterwards, you can sudo chown -R root:root ~/KeePass/*
You may need to make adjustments for plugins.
sudo chmod 0400 KeePass.config.enforced.xml
[doc: https://keepass.info/help/base/configuration.htm]
3. Install libsecret-tools: sudo apt-get install libsecret-tools
secret-tool store --label="PositiveSpin" keepass pos (remember password)
4. run keepass2;
create new password database in ~/keepass
assign password created with secret-tool to Master password
create key file in ~/keepass
In the password datatase, add the url for YBDB, username and password (created with htpasswd)
close keepass2
sudo chown -R root:root ~/keepass
sudo chmod -R 0400 ~/keepass (change to 0600 if you want to change password, then back to 0400 when done)
5. Install chrome extension chromeIPass
6. Install keepasshttp from https://github.com/pfn/keepasshttp/ by putting KeePassHttp.plgx in /usr/lib/keepass2;
sudo chmod 0644 /usr/lib/keepass2/KeePassHttp.plgx
sudo apt-get install libmono-system-xml-linq4.0-cil libmono-system-data-datasetextensions4.0-cil \
libmono-system-runtime-serialization4.0-cil mono-mcs
7. Follow the directions chromeIPass gives you, creating an identifier
https://github.com/pfn/passifox/blob/master/documentation/chromeIPass.md goes into more detail
8. sudo su; visudo
after: %sudo ALL=(ALL:ALL) ALL
add: pos ALL=(ALL) NOPASSWD: /usr/bin/keepass2 (note pos is an example user account being used for X11)
9. In Chrome Settings "On Startup Continue where you left off" or
"Open a specific page or set of pages" and add the YBDB POS url as one of those specific pages
DESKTOP STARTUP DESKTOP STARTUP
1. LXDE - put a file with this format in ~/.config/auto with name of *desktop, e.g. keepass.desktop: 1. LXDE - put a file with this format in ~/.config/autostart with name of *desktop, e.g. keepass.desktop:
[Desktop Entry] [Desktop Entry]
Type=Application Type=Application
Exec=/usr/bin/mono /home/ps/KeePass/KeePass.exe Exec=bash -c "secret-tool lookup keepass pos | sudo keepass2 /home/pos/keepass/PositiveSpin.kdbx -pw-stdin -keyfile:/home/pos/keepass/PositiveSpin.key
2. Gnome based Window manager, e.g. Mate - open gnome-session-properties from commandline, 2. Gnome based Window manager, e.g. Mate - open gnome-session-properties from commandline,
and add startup application. and add startup application.
@ -101,9 +125,3 @@ the Point of Sale will be at the proper location which is usually the front of t
walk-in/walk-out. walk-in/walk-out.
Word of wisdom: It is always good practice to occasionally change the password. Word of wisdom: It is always good practice to occasionally change the password.