Secure Shell - Compaq t1000 - Terminal Thin Client PC Network Installation Manual

32
Chapter 4
where terminal is the terminal name and user is the user name from the
terminal (root is automatically used if security is disabled; guest is automatically
used if security is enabled and auto login as guest is selected).
In addition, the terminal optionally supports both Kerberos authentication and DES
data encryption for RSH commands, although the X protocol packets for an X
application will not go through the DES data encryption layer.

Secure Shell

This is an additional method for using the X Manager with RSH. The distribution
includes the shell rshsecure, which is designed to perform a more secure method
for managing RSH requests. rshsecure also provides the ability for users to run
shell scripts, such as those invoked from an XDM session on an X terminal. The
remainder of this section describes how to configure your server for use with the
rshsecure shell.
Start by creating a new account. For security reasons, make sure this account is
not the superuser account.
As root, create a .rhosts file for this user, and make sure the ownership of the
.rhosts file gets changed (chown) to this user. In the .rhosts file, add one entry
for every terminal/user pair you want to go through rshsecure. For example, if
you are using your terminals as "security disabled" and you are using DHCP, you
can put every DHCP IP address in the .rhosts file with the user name being root.
After saving the .rhosts file and using chown to assign ownership, make sure it is
writable only by the user and not by anyone else (chmod 644 .rhosts).
Change the login shell for the account to be the rshsecure program (based upon
where you installed it, since you need a full path name).
Determine the set of commands you will be allowing your users to run and create
the file rshsecure.cfg in the login directory for this user. Again, make sure that it
is not writable by anyone except the owner. Lines starting with the pound sign (#)
are treated as comments. The first non-comment line is the shell to be used when
invoking commands. The second non-comment line is the xterm program (or
equivalent). The third non-comment line is the su program. All three of these
programs should be fully qualified with path names to eliminate possible security
concerns. All remaining lines are the authorized commands. The rshsecure
program does a literal comparison of the entries in this file to the command passed
via RSH (with arguments removed), so, for example, comparing /bin/ls to /
bin/ls will succeed and comparing ls to /bin/ls will fail.
Note
On Linux, the included rshsecure binary uses
libc5.