6:04 a.m.
I'd like to work [0] on adding a remote access URL to /etc/issue for
Fedora Server 21 and Atomic. This puts useful information on the VT,
especially for virtual machines, and also servers with monitors attached.
It would look something like:
Fedora Release 21 (xxx)
Kernel 3.14.8-200.fc20.x86_64 on an x86_64 (tty1)
Remote access:
https://192.168.11.10:4444
SHA1: 80:81:46:45:0E:FF:75:AD:C5:40:7A:C2:38:74:57:46:BF:B1:DD:1C
localhost login:
Some notes or questions.
* Including the certificate fingerprint makes it possible for more
users to securely connect even when using self-signed certificate.
* Should we include the appropriate ssh command?
* Implementing the http URL is easy given agetty's support for \4 [1]
* When Cockpit generates a self-signed certificate, it could either
put the fingerprint directly in /etc/issue or alternatively we
could work on a solution revolving around \S{VARIABLE} and
/etc/os-release
There's also the case of headless servers. I would like some way to have
users be able to see the above info too. Perhaps via /etc/motd, or
perhaps some other way.
Cheers,
Stef
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1110763
[1] man 8 agetty
6:11 a.m.
Am 01.07.2014 13:04, schrieb Stef Walter:
I'd like to work [0] on adding a remote access URL to /etc/issue
for
Fedora Server 21 and Atomic. This puts useful information on the VT,
especially for virtual machines, and also servers with monitors attached.
It would look something like:
Fedora Release 21 (xxx)
Kernel 3.14.8-200.fc20.x86_64 on an x86_64 (tty1)
Remote access:
https://192.168.11.10:4444
SHA1: 80:81:46:45:0E:FF:75:AD:C5:40:7A:C2:38:74:57:46:BF:B1:DD:1C
localhost login:
from security point of view this is questionable
whoever setup a server should not need that
Lynis (http://cisofy.com/lynis/) discourages even the kernel
version and exact OS release for very good reasons
___________________________
if you want make auditors happy:
[harry@srv-rhsoft:~]$ cat /etc/issue
Unauthorized access to this machine is prohibited.
Use of this system is limited to authorized individuals only.
All activity is monitored.
6:51 a.m.
Hello,
----- Original Message -----
Am 01.07.2014 13:04, schrieb Stef Walter:
> It would look something like:
> Fedora Release 21 (xxx)
> Kernel 3.14.8-200.fc20.x86_64 on an x86_64 (tty1)
>
> Remote access:
> https://192.168.11.10:4444
> SHA1: 80:81:46:45:0E:FF:75:AD:C5:40:7A:C2:38:74:57:46:BF:B1:DD:1C
>
> localhost login:
from security point of view this is questionable
whoever setup a server should not need that
People new to server administration would probably find this much more helpful than
“unauthorized access to your own computer is prohibited“ :)
The URL is not all that useful before login when accessing the system remotely (because
the user has obviously managed without it), though it might be helpful after ssh login to
inform the user about other options. The fingerprint is positively useless (I’d even call
it harmful) when connecting over the network with an unauthenticated connection (though,
true, sshd has no way to know whether the connecting user knows as has verified the ssh
fingerprint).
Could we show the URL and fingerprint before login only on local consoles? (And perhaps
after login on already-authenticated network connections, because at that point damage, if
any, is done.) This should be equally useful and not add to the concerns about
fingerprinting or teaching users to trust unverified fingerprints.
(And if there was nothing else to do, the fingerprint could use some kind of documentation
link rather than a strict “SHA1”; but it’s not obvious how to do that well. Perhaps an
URL shortener link, but that would require an ongoing maintenance commitment.)
Mirek
5:21 a.m.
On 01.07.2014 13:51, Miloslav Trmač wrote:
Hello, ----- Original Message -----
> Am 01.07.2014 13:04, schrieb Stef Walter:
>> It would look something like: Fedora Release 21 (xxx) Kernel
>> 3.14.8-200.fc20.x86_64 on an x86_64 (tty1)
>>
>> Remote access: https://192.168.11.10:4444 SHA1:
>> 80:81:46:45:0E:FF:75:AD:C5:40:7A:C2:38:74:57:46:BF:B1:DD:1C
>>
>> localhost login:
>
> from security point of view this is questionable whoever setup a
> server should not need that
People new to server administration would probably find this much
more helpful than “unauthorized access to your own computer is
prohibited“ :)
The URL is not all that useful before login when accessing the system
remotely (because the user has obviously managed without it), though
it might be helpful after ssh login to inform the user about other
options. The fingerprint is positively useless (I’d even call it
harmful) when connecting over the network with an unauthenticated
connection (though, true, sshd has no way to know whether the
connecting user knows as has verified the ssh fingerprint).
Could we show the URL and fingerprint before login only on local
consoles? (And perhaps after login on already-authenticated network
connections, because at that point damage, if any, is done.) This
should be equally useful and not add to the concerns about
fingerprinting or teaching users to trust unverified fingerprints.
Yes, I was talking mainly about displaying it on the VT, so you can see
it for a VM or headful (heh) server.
But yes, another way to see this info once logged in on a terminal is
also interesting.
I was talking about the fingerprint for the Cockpit certificate, but the
SSH fingerprint might be useful too in other cases. Too bad they'll
always be different.
I'm playing with the implementation here. Will keep you all posted.
Stef
3583
days inactive
3585
days old
server@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Miloslav Trmač -
Reindl Harald -
Stef Walter