bike
/
Yellow-Bike-Database-Mirror
mirror of https://github.com/fspc/Yellow-Bike-Database.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Yellow Bike Project Hours and Transaction Database for Community Bike Shops
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
162 Commits
2 Branches
4 Tags
9.5 MiB
 
 
 
 
 
 
Tree: 6754c9a324
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6754c9a324'
${ noResults }
Yellow-Bike-Database-Mirror/examples/secure-terminals.txt

99 lines
4.2 KiB
Raw Blame History

How to protect the password for YBDB in a public environment.
PROTECTING A DIRECTORY UNDER A WEBSERVER (apache 2.4)
A. The htpasswd command is found in the apache2-utils package.
B. htpasswd -Bc -C 10 htpasswd test (note that bcrypt is used)
C. chown www-data:www-data /var/htpasswd; chmod 0400 /var/htpasswd; \
D. <Directory /var/www/html>
Authtype Basic
Authname "Amazing Community Bike Shop Login"
Require user someuser
AuthUserFile /var/htpasswd
</Directory>
SSL (do not settle for anything less)
Under Debian:
A. openssl req -new -x509 -nodes -out ssl-cert-snakeoil.pem -days 36500 -keyout ssl-cert-snakeoil.key (100 year certificate)
B. cp ssl-cert-snakeoil.key /etc/ssl/private/
cp ssl-cert-snakeoil.pem /etc/ssl/certs/
C. a2enmod ssl;
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above)
a2dissite 000-default.conf;
TERMINAL AUTOMATION AND SECURITY
Firefox (IceWeasel):
1. Download KeePass v2 zip - http://keepass.info/download.html
2. Unzip in ~/KeePass
3. sudo chown root:root ~/KeePass; sudo chmod 0755 ~/KeePass;
4. cd ~/KeePass; mkdir plugins
5. mv KeePass.config.xml KeePass.config.enforced.xml
6. sudo chown root:root KeePass.config.enforced.xml
7. sudo chmod 0444 KeePass.config.enforced.xml
8. Most importantly in KeePass.config.enforced.xml change true to
<UnhidePasswords>false</UnhidePasswords> so that passwords cannot be seen.
9. In Debian/Ubuntu: apt-get install mono-runtime mono-devel
10. Install KeeFox extension from https://addons.mozilla.org/en-us/firefox/addon/keefox/
11. KeeFox will tell you where to copy KeePassRPC.plgx from into the plugins directory
Usually somewhere under ~/.mozilla/firefox/*default/extensions/keefox*
12. When setting up password database for KeePass use only a key file.
13. Add the url along with username and password in the database.
14. Once the login is working properly for the htpasswd setup for apache,
the whole process can be completely automated in KeeFox options.
15. In Firefox (IceWeasel) Preferences -> General use "When IceWeasel starts: Show my windows and tabs from the last time"
Chrome:
1. Download KeePass zip - http://keepass.info/download.html
2. Unzip in ~/KeePass
3. sudo chown root:root ~/KeePass; sudo chmod 0755 ~/KeePass;
4. mv KeePass.config.xml KeePass.config.enforced.xml
5. sudo chown root:root KeePass.config.enforced.xml
6. sudo chmod 0444 KeePass.config.enforced.xml
7. Most importantly in KeePass.config.enforced.xml change true to
<UnhidePasswords>false</UnhidePasswords> so that passwords cannot be seen.
8. When setting up password database for KeePass use only a key file.
9. Add the url along with username and password in the database.
10. In Debian/Ubuntu: apt-get install mono-runtime mono-devel
11. Install extension chromeIPass
12. Install keepasshttp as explained at https://github.com/pfn/keepasshttp/ (put KeePassHttp.plgx in ~/KeePass)
13. Follow the directions chromeIPass gives you, creating an identifier
14. Good idea to restart chrome.
15. In Chrome Settings "On Startup Continue where you left off"
DESKTOP STARTUP
1. LXDE - put a file with this format in ~/.config/auto with name of *desktop, e.g. keepass.desktop:
[Desktop Entry]
Type=Application
Exec=/usr/bin/mono /home/ps/KeePass/KeePass.exe
2. Gnome based Window manager, e.g. Mate - open gnome-session-properties from commandline,
and add startup application.
SUSPENDING COMPUTER
Example commands that bring up the gui setting tool:
1. xfce4-power-manager-settings (eg., used by wattos for LXDE)
2. mate-power-manager-settings or mate-power-preferences
There are other things that can be done within the terminal to prevent tampering, e.g., read-only environment,
but what is above protects the password from hacking, eavesdropping, and from regular users
in the shop, basically, only the sysadmin and bookkeeper should have remote access via the password.
So while YBDB is on the internet, it will only be available to the terminal(s) you allow it to be on, and
the Point of Sale will be at the proper location which is usually the front of the Community Bike Shop where people
walk-in/walk-out.