consent to monitoring banner for ssh

Shawn Wells swells at redhat.com
Wed Dec 5 00:22:36 UTC 2007


Well, you *could* do the "acceptance by logging in" thing... or you can 
force them to type [yes|no].  Here's how I accomplish that.


#Set the /etc/issue file to the login banner.  This one has no linefeeds,
#so it will wrap accordingly.  sshd shows it before authentication (Banner
#directive below); gdm shows it on the greeter.
cat <<EOF >/etc/issue
YOUR WELCOME BANNER.
EOF

#This part creates the same login banner once your username and password
#has been entered.  This has linefeeds in it.
#
#The here-document delimiter is quoted ('EOF') so that $PATH, $1, $? and
#the backquotes are written into the script literally instead of being
#expanded by the shell that runs this snippet.  gdm runs PreSession as root
#before the user's session starts and does not start the session if the
#script exits non-zero, which is what enforces the "no" answer.
cat <<'EOF' >/etc/X11/gdm/PreSession/Default
#!/bin/sh
#
# Note that any setup should come before the sessreg command as
# that must be 'exec'ed for the pid to be correct (sessreg uses the parent
# pid)
#
# Note that output goes into the .xsession-errors file for easy debugging
#
PATH="/usr/bin/X11:/usr/X11R6/bin:/opt/X11R6/bin:$PATH:/bin:/usr/bin"

# Consent check.  gdialog --yesno exits 0 only when the user presses Yes;
# anything else (No, Escape, closing the dialog) is treated as a refusal.
/usr/bin/gdialog --yesno "YOUR WELCOME BANNER"
if [ $? -ne 0 ]; then
    gdialog --infobox "Logging out in 10 Seconds" 1 20 &
    sleep 10
    exit 1
fi

gdmwhich () {
    COMMAND="$1"
    OUTPUT=
    IFS=:
    for dir in $PATH
    do
        if test -x "$dir/$COMMAND" ; then
            if test "x$OUTPUT" = "x" ; then
                OUTPUT="$dir/$COMMAND"
            fi
        fi
    done
    unset IFS
    echo "$OUTPUT"
}

XSETROOT=`gdmwhich xsetroot`
if [ "x$XSETROOT" != "x" ] ; then
    # Try to snarf the BackgroundColor from the config file
    BACKCOLOR=`grep '^BackgroundColor' /etc/X11/gdm/gdm.conf | sed 's/^.*=\(.*\)$/\1/'`
    if [ "x$BACKCOLOR" = "x" ]; then
        BACKCOLOR="#76848F"
    fi
    "$XSETROOT" -cursor_name left_ptr -solid "$BACKCOLOR"
fi

SESSREG=`gdmwhich sessreg`
if [ "x$SESSREG" != "x" ] ; then
    # some output for easy debugging
    echo "$0: Registering your session with wtmp and utmp"
    echo "$0: running: $SESSREG -a -w /var/log/wtmp -u /var/run/utmp -x \"$X_SERVERS\" -h \"$REMOTE_HOST\" -l \"$DISPLAY\" \"$USER\""

    exec "$SESSREG" -a -w /var/log/wtmp -u /var/run/utmp -x "$X_SERVERS" -h "$REMOTE_HOST" -l "$DISPLAY" "$USER"
    # this is not reached
fi
#Some output for easy debugging.
echo "$0: could not find the sessreg utility, cannot update wtmp and utmp"
exit 0
EOF

#/etc/ssh/sshd_config banner settings.  Banner makes sshd print /etc/issue
#before the password prompt; it does not by itself make the user answer
#yes or no.  The pattern matches the commented-out default whether it reads
#"#Banner /some/path" or "#Banner none"; if no Banner line exists at all,
#one is appended.
perl -pi -e 's/^#?Banner\s.*/Banner \/etc\/issue/' /etc/ssh/sshd_config
grep -q '^Banner' /etc/ssh/sshd_config || echo 'Banner /etc/issue' >>/etc/ssh/sshd_config
service sshd reload


-- 
Shawn D. Wells
Solutions Architect, Federal Team
swells at redhat.com
C: 443-534-0130





mups.cp wrote:
> You're right, this gives users an out. I forgot the ~/.ssh/rc check.
> Your approach to set the users' shell to a script seems better
>
>
> On Dec 4, 2007 8:17 PM, Carl G. Riches <cgr at u.washington.edu> wrote:
>> On Tue, 4 Dec 2007, mups.cp wrote:
>>
>>> Carl,
>>>
>>> You don't need to set everyone's login shell; you could use
>>> /etc/ssh/sshrc and put your code, or a call to it, in it.
>> Is /etc/ssh/sshrc run in the case where a user has a private ~/.ssh/rc
>> file?  The information here:
>>
>>   http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html
>>
>> states that it is not.  Also, the sshd(8) man page says:
>>
>>   If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists,
>>   runs it; otherwise runs xauth.  The "rc" files are given the
>>   X11 authentication protocol and cookie in standard input.
>>
>> This gives the user an out.
>>
>> Carl
>>
>>
>>> On Dec 4, 2007 7:41 PM, Carl G. Riches <cgr at u.washington.edu> wrote:
>>>> On Tue, 4 Dec 2007, Bill Tangren wrote:
>>>>
>>>>> A new policy has been implemented here at work. The old policy stated
>>>>> that, when someone logs in to a system via ssh, I had to display a consent
>>>>> to monitor banner, which is easy to implement.
>>>>>
>>>>> The new policy, however, requires that the user has to somehow signify
>>>>> that they have read and will abide by the policy. In essence, I have to
>>>>> get a yes or no input from the user, possibly just after they log on, and
>>>>> if they say no, log them off. If they say yes, they get to proceed.
>>>>>
>>>>> My question: what is the best way to implement this? I have to make sure
>>>>> the user cannot remove this functionality for future logins, so I can't
>>>>> put it in any of their login scripts. This is easy to implement for GUI
>>>>> logins, but I don't know the best way to proceed for ssh. Any ideas?
>>>>>
>>>> We did a somewhat-similar task at a place where I used to work.  We set
>>>> everyone's login shell to a locally-written perl script.  That perl script
>>>> did things such as ensure that the user had permission to log in to the
>>>> system, check the user's quota, print out a blurb, then exec( )'d tcsh.
>>>> It needed some interrupt handling, though, to fit what you want to do.  I
>>>> don't have the code anymore, but this might give you an idea of what
>>>> direction to go.  (Would you need to record user's answers to your
>>>> question in a database for future reference?  This might give you that
>>>> ability.)
>>>>
>>>> HTH,
>>>> Carl
>>>>
>>>> --
>>>> Carl G. Riches
>>>> Software Engineer
>>>> Department of Biostatistics
>>>> Box 357232                      voice:     206-616-2725
>>>> University of Washington        fax:       206-543-3286
>>>> Seattle, WA  98195-7232         internet:  cgr at u.washington.edu
>>>>
>>>>
>>>> --
>>>> redhat-list mailing list
>>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>>
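A login-shell wrapper of the kind Carl describes, written out as an added example; it is not code from anyone in this thread. It is installed as the user's login shell, so sshd runs it before ~/.ssh/rc, /etc/ssh/sshrc or any of the user's dotfiles are consulted, and the user cannot remove it. The script name consent-shell, the banner file /etc/issue, /bin/bash as the real shell and syslog (via logger) as the record of answers are assumptions for illustration.

```sh
#!/bin/sh
# consent-shell: a login-shell wrapper that demands an explicit "yes" to the
# consent-to-monitoring banner before handing the session to the real shell.
# Installed as the user's login shell, it runs for every ssh login before any
# of the user's own files (~/.ssh/rc, ~/.bashrc, ...) are consulted, so the
# user cannot remove it.  Paths below are assumptions for illustration.

BANNER_FILE="${CONSENT_BANNER:-/etc/issue}"     # assumed: same text sshd shows
REAL_SHELL="${CONSENT_REAL_SHELL:-/bin/bash}"   # assumed: shell to exec on "yes"

# Print the banner if it is readable; a missing banner file is not fatal.
show_banner() {
    if [ -r "$BANNER_FILE" ]; then
        cat "$BANNER_FILE"
    fi
}

# Map what the user typed to "yes", "no" or "" (invalid).  Case and
# surrounding whitespace are ignored, so "YES" and " y " both count.
normalize_answer() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t\r')" in
        yes|y) echo yes ;;
        no|n)  echo no ;;
        *)     echo "" ;;
    esac
}

# Show the banner and read the answer from standard input (the pty when run
# as a login shell, a pipe in tests).  Returns 0 only for an explicit yes.
# End of input (no tty, Ctrl-D) or three invalid answers count as a refusal.
ask_consent() {
    show_banner
    tries=0
    while [ "$tries" -lt 3 ]; do
        tries=$((tries + 1))
        printf 'Do you accept these terms? Type yes or no: '
        IFS= read -r line || return 1
        case "$(normalize_answer "$line")" in
            yes) return 0 ;;
            no)  return 1 ;;
            *)   printf 'Please answer yes or no.\n' ;;
        esac
    done
    return 1
}

# Record the outcome somewhere the user cannot edit (syslog, auth facility)
# and return the record line.  A database, as Carl suggests, could hang off
# this function instead.
record_consent() {
    msg="consent-shell: user=${USER:-$(id -un)} from=${SSH_CLIENT%% *} result=$1${2:+ cmd=$2}"
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.notice -t consent-shell -- "$msg" 2>/dev/null || :
    fi
    printf '%s\n' "$msg"
}

main() {
    trap 'exit 1' INT TERM HUP            # Ctrl-C at the prompt is not consent
    if [ "$1" = "-c" ]; then
        # Non-interactive session (scp, sftp, "ssh host cmd"): there is no
        # terminal to prompt on.  Policy choice for this example: allow it but
        # record it; change to "exit 1" to require an interactive login first.
        record_consent noninteractive "$2" >/dev/null
        exec "$REAL_SHELL" "$@"
    fi
    if ask_consent; then
        record_consent accepted >/dev/null
        exec "$REAL_SHELL" -l            # -l: behave as a login shell
    fi
    record_consent declined >/dev/null
    echo "Consent not given; disconnecting."
    exit 1
}

# Only act as the login shell when invoked under the installed name (sshd
# passes "-consent-shell" as argv[0] for a login session).  This lets the
# functions above be sourced and tested without starting a session.
case "${0##*/}" in
    consent-shell|-consent-shell) main "$@" ;;
esac
```

Install it root-owned and mode 755 at /usr/local/bin/consent-shell, add that path to /etc/shells, and set it as the login shell with chsh or in /etc/passwd (the real shell a user gets on "yes" comes from REAL_SHELL, not from their passwd entry). An `ssh -T host` session with no pty hits end of input at the prompt and is refused, which is the safe default; the `-c` branch is the one place where policy has to decide whether scp and sftp need a prior interactive consent.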



