HipChat Server login screen limit - hipchat

Is it possible to restrict access to the HipChat Server login screen to certain networks for security reasons?
I need to limit it only to the site root.

Unfortunately, there's no feature right now that allows you to do that directly.
One way you could work around it is to write a script that updates the nginx configuration to add IP filtering. This question proposes a method to achieve something similar to what you describe (you would need to customize the script to fit HipChat Server's nginx configuration, though):
cat /var/www-allow/client1-allow.conf
    allow 192.168.1.1;
    allow 10.0.0.1;

cat /etc/nginx/sites/client1.conf
    ...
    server {
        include /var/www-allow/client1-allow.conf;
        deny all;
    }
Try the script manually. Once it works, move the script to /home/admin/startup_scripts/ipfilter (keep the file without an extension, and make it executable), so that your configuration persists across reboots and upgrades (/home/admin/startup_scripts contains a few example scripts).
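A script of the kind the answer describes, added here as an example; it is not code shipped with HipChat Server and not the answerer's script. It turns a plain list of addresses into an nginx include, refuses malformed entries and an empty list (which would lock everyone out), and reloads nginx only after `nginx -t` passes. The file paths (/etc/nginx/hipchat-allow.txt, /etc/nginx/conf.d/hipchat-allow.conf) and the location block that includes the result are assumptions; the real include point has to be read off the appliance's nginx config.

```shell
#!/bin/sh
# Added example (not HipChat's or the answer author's code).
# Usage: ipfilter LIST DEST
#   e.g. ipfilter /etc/nginx/hipchat-allow.txt /etc/nginx/conf.d/hipchat-allow.conf
# Then reference DEST from the block that serves the login page (path assumed):
#     location / { include /etc/nginx/conf.d/hipchat-allow.conf; ... }

# valid_ipv4 ENTRY: 0 if ENTRY is a dotted quad, optionally with a /0-32 prefix.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_allow_conf: read one address per line from stdin ('#' comments and blank lines
# are ignored) and print "allow ...;" lines followed by "deny all;". Fails, printing
# nothing, on a malformed entry or an empty list, so a bad edit never yields a config.
gen_allow_conf() {
    out=""
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if ! valid_ipv4 "$entry"; then
            printf 'gen_allow_conf: rejected entry "%s"\n' "$entry" >&2
            return 1
        fi
        out="${out}allow ${entry};
"
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo 'gen_allow_conf: empty list refused (deny all alone locks everyone out)' >&2
        return 1
    fi
    printf '# generated by ipfilter; edit the source list, not this file\n%sdeny all;\n' "$out"
}

# install_allow_conf LIST DEST: regenerate DEST from LIST, test the whole nginx
# configuration, reload on success and restore the previous DEST on failure.
install_allow_conf() {
    tmp=$(mktemp) || return 1
    if ! gen_allow_conf < "$1" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if [ -f "$2" ]; then cp -p "$2" "$2.bak"; fi
    if ! cp "$tmp" "$2" || ! chmod 0644 "$2"; then rm -f "$tmp"; return 1; fi
    rm -f "$tmp"
    if nginx -t; then
        nginx -s reload
    else
        echo "install_allow_conf: nginx -t failed, restoring previous $2" >&2
        if [ -f "$2.bak" ]; then cp -p "$2.bak" "$2"; fi
        return 1
    fi
}

# Run only when invoked with both paths; sourcing the file just defines the functions.
if [ $# -eq 2 ]; then
    install_allow_conf "$1" "$2"
fi
```

nginx's allow/deny match against $remote_addr, so if HipChat Server sits behind a load balancer or reverse proxy every request appears to come from that proxy and the rules block either everyone or no one; in that case configure set_real_ip_from and real_ip_header (ngx_http_realip_module) for the proxy's address first. The list file is the only thing that should be edited by hand; the script is what goes into /home/admin/startup_scripts as the answer describes.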

Related

How to set up WireGuard client in macOS via scripting?

We have a standard config (tunnel.conf) for WireGuard that we want to push to clients (via JAMF Pro).
We do not want the end user to have to open the WireGuard UI to import the config; we want to do this via scripting.
Given that I can place the tunnel.conf file anywhere on the end user's system, where do I have to place it, and what command do I need to run to import it?
And conversely, how can I delete a tunnel config from WireGuard via scripting?
So, as it turns out, WireGuard has a unique key pair per tunnel, which means each user has their own keys.
Managing that via JAMF sounds like a nightmare, and it'll be easier to point users at their accounts in the VPN to pull down their config, than to manage it for them. Documentation and handholding time!
But it seems to be possible to manage applying a profile via automation. The kind support people at my VPN provider pointed me to this article on JAMF community board:
https://community.jamf.com/t5/jamf-pro/wireguard-configuration-file-distribution/m-p/264747
There's a related page on the wireguard-apple repository:
https://github.com/WireGuard/wireguard-apple/blob/master/MOBILECONFIG.md
If we do end up trying to manage the users configs, I'll update here.

How to dynamically allow users in OpenSSH?

I want to be able to block or allow users based on the result of an external script using OpenSSH. I see that libssh has support for callbacks, but after reading the OpenSSH man pages I cannot find anywhere that this functionality is handed to the user.
For example, I'd like to be able to maintain either a file or even an API that contains a username blacklist or whitelist, and have OpenSSH consult these lists during the authentication process.
Ideas I've had so far, and why they are insufficient:
1. Make use of sshd_config: AllowUsers. This is a start, but since it does not read from a file, it is not dynamic. The configuration file would need to be changed every time and the service restarted. Additionally, modifying the config file from a script is dangerous and terrible.
2. Make use of sshd_config: AuthorizedKeysCommand. Unfortunately, while this does allow you to specify a script and grant access based on the result, it does not allow denial of access. If the script returns nothing, sshd continues to try other methods of authentication.
3. Recompile OpenSSH with an addition that implements the libssh callbacks. I'd rather not do this for obvious reasons of maintainability.
Is there another method that I have missed while reading the documentation?
For 2. you could limit authentication to publickey with AuthenticationMethods.
Another option is to use PAM and implement your own PAM authz module.
Option 2 is sufficient if you disable checking authorized_keys:
sshd_config:
    AuthorizedKeysCommand /etc/ssh/my-custom-command
    AuthorizedKeysCommandUser nobody
    AuthorizedKeysFile none
my-custom-command:
    #!/bin/sh
    # $1 is the user, as passed from sshd
    # whitelist path assumed: one username per line
    if grep -qx -- "$1" /etc/ssh/whitelist; then
        cat "/home/$1/.ssh/authorized_keys"
        exit 0
    else
        exit 1
    fi
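A fuller version of that helper, added here as an example rather than the answerer's script. Two practical points it handles: sshd runs the command as AuthorizedKeysCommandUser, so with `nobody` the target user's ~/.ssh/authorized_keys is normally unreadable, which is why this version keeps the keys in a root-owned directory that account can read; and the username sshd passes is checked against a strict pattern before it is used in any path. The layout (/etc/ssh/allowed-users, /etc/ssh/authorized_keys.d/<user>) is an assumption.

```shell
#!/bin/sh
# Added example (not the answerer's script). Install as /etc/ssh/my-custom-command,
# owned by root, mode 0755 (sshd refuses a command that is group- or world-writable,
# or given by a relative path), with
#     AuthorizedKeysCommand /etc/ssh/my-custom-command
#     AuthorizedKeysCommandUser nobody
#     AuthorizedKeysFile none
#     AuthenticationMethods publickey
# Assumed layout: /etc/ssh/allowed-users (one username per line) and
# /etc/ssh/authorized_keys.d/<user>, both root-owned and readable by "nobody".

ALLOW_LIST="${ALLOW_LIST:-/etc/ssh/allowed-users}"
KEY_DIR="${KEY_DIR:-/etc/ssh/authorized_keys.d}"

# is_allowed USER: 0 if USER is a plain lowercase username that appears as a whole
# line in the allow-list. The pattern check comes first so that nothing sshd hands
# us (or anything odd in the list) is ever used to build a path.
is_allowed() {
    user=$1
    case "$user" in
        ''|-*|*[!a-z0-9._-]*) return 1 ;;
    esac
    [ -r "$ALLOW_LIST" ] || return 1
    grep -qxF -- "$user" "$ALLOW_LIST"
}

# emit_keys USER: print USER's authorized keys when allowed; otherwise print nothing
# and exit non-zero. sshd logs the failure and, with AuthorizedKeysFile none and
# AuthenticationMethods publickey, the login has no other way in.
emit_keys() {
    if is_allowed "$1"; then
        cat -- "$KEY_DIR/$1"
    else
        return 1
    fi
}

# self_test: exercise the logic against a constructed allow-list and key file in a
# temporary directory; prints "ok" or "fail".
self_test() {
    tmp=$(mktemp -d) || return 1
    ALLOW_LIST="$tmp/allowed-users"
    KEY_DIR="$tmp/authorized_keys.d"
    printf 'alice\nbob\n' > "$ALLOW_LIST"                  # constructed allow-list
    mkdir "$KEY_DIR"
    key='ssh-ed25519 AAAAConstructedExampleNotRealKeyMaterial alice@example'
    printf '%s\n' "$key" > "$KEY_DIR/alice"                # constructed key file
    status=ok
    [ "$(emit_keys alice)" = "$key" ] || status=fail       # allowed, has keys
    emit_keys bob >/dev/null 2>&1 && status=fail           # allowed, no key file
    emit_keys mallory >/dev/null 2>&1 && status=fail       # not on the list
    emit_keys '../root' >/dev/null 2>&1 && status=fail     # path tricks rejected
    emit_keys 'Alice' >/dev/null 2>&1 && status=fail       # case is significant
    rm -rf "$tmp"
    echo "$status"
}

case "${1:-}" in
    '')          ;;                   # sourced or run bare: define functions only
    --self-test) self_test ;;
    *)           emit_keys "$1" ;;    # invoked by sshd with the username
esac
```

Because the decision is made per login attempt, editing the allow-list takes effect immediately with no sshd reload, which is the dynamic behaviour the question asks for; an API lookup would replace the grep, but keep a short timeout on it, since sshd waits for the command before finishing authentication.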

How to create .rdp file on Mac OS that allows auto-login

I'm working on a tool that generates .rdp files and then invokes them using Microsoft RDP Client. This tool is running on Mac OS.
Everything works well; the only problem is that I can't figure out how I can generate the 'password 51:b' field properly. On Windows this can be done easily by using the CryptProtectData method from the Crypt32.dll library. How can I do the same on Mac?
Another option could be to use the "rdp://" URL scheme, but it doesn't seem to allow passing a password this way.
So the question is how can I implement auto-login on Mac if I use a third-party RDP client.
As far as I know you can't. You can however create a "User Account" and a Server configuration and add both to the client. The connection will then be visible on the main window and you just need to double-click it.
To do so, you need to add the password to the Keychain; use /usr/bin/security to do so from a script. It needs to be a generic-password and saved in com.microsoft.rdc.macos. Also be sure to generate an ID according to the RDP Client's scheme, like BFF77777-7777-7777-7777-777777777777.
You may also set the permissions to read that key using /usr/bin/security and set-generic-password-partition-list, specifying the right teamid (UBF8T346G9) and again com.microsoft.rdc.macos. You need the admin password to do this step.
Then you can alter the RDP Client's config file, which is a .sqlite file located at /Users/$(whoami)/Library/Containers/com.microsoft.rdc.macos/Data/Library/Application Support/com.microsoft.rdc.macos/com.microsoft.rdc.application-data.sqlite. Add the user configuration in the ZCREDENTIALENTITY table and make sure the ZID matches the one added to the keychain.
To add a server configuration you need to alter the ZBOOKMARKENTITY table. Just add a configuration by hand using the UI and look at the table to get a feeling for how it needs to be set up. Basically you link your user configuration with the server configuration by making sure that ZCREDENTIAL in ZBOOKMARKENTITY matches Z_PK in ZCREDENTIALENTITY of your user configuration.
I know the answer is a bit late, but it may give you a starting point. This will however not fully automate the process; you will still need to go to the UI and double-click the connection you want to use.
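The keychain half of that procedure, scripted with /usr/bin/security, as an added example and not the answerer's script. Taken from the answer: a generic-password item, the service name com.microsoft.rdc.macos, the team ID UBF8T346G9 and an ID shaped like BFF77777-7777-7777-7777-777777777777. Assumptions to verify against an item the client created itself (security dump-keychain shows an item's attributes): that the ID goes in the item's account attribute, and the application path used for the access-control entry. The sqlite side stays manual, as the answer says.

```shell
#!/bin/sh
# Added example, not the answerer's script: stage an RDP credential in the login
# keychain with /usr/bin/security. Service name, team ID and the ID shape are from
# the answer; the account attribute mapping and the app path are assumptions.

RDC_SERVICE=com.microsoft.rdc.macos
RDC_TEAMID=UBF8T346G9
RDC_APP="${RDC_APP:-/Applications/Microsoft Remote Desktop.app}"   # assumed path

# rdc_new_id: a random ID in the client's uppercase 8-4-4-4-12 shape.
rdc_new_id() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    else
        h=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
        printf '%s-%s-%s-%s-%s\n' "$(printf %s "$h" | cut -c1-8)" \
            "$(printf %s "$h" | cut -c9-12)" "$(printf %s "$h" | cut -c13-16)" \
            "$(printf %s "$h" | cut -c17-20)" "$(printf %s "$h" | cut -c21-32)"
    fi | tr '[:lower:]' '[:upper:]'
}

# rdc_is_id STRING: 0 if STRING has that shape (uppercase hex only).
rdc_is_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$'
}

# run CMD...: execute, or only print the command line when RDC_DRY_RUN=1, so the
# script can be reviewed (and tested) on a machine without a keychain.
run() {
    if [ "${RDC_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rdc_add_credential ID USERNAME PASSWORD KEYCHAIN_PASSWORD
# Adds (or updates, -U) the item with the RDP app pre-trusted (-T), then sets the
# partition list so the app's team ID can read it without a prompt; that last step
# needs the login keychain password, which is the "admin password" the answer means.
rdc_add_credential() {
    id=$1 user=$2 password=$3 kcpw=$4
    rdc_is_id "$id" || { printf 'rdc_add_credential: malformed id %s\n' "$id" >&2; return 1; }
    run security add-generic-password -U -a "$id" -s "$RDC_SERVICE" -l "$user" \
        -T "$RDC_APP" -w "$password" || return 1
    run security set-generic-password-partition-list -a "$id" -s "$RDC_SERVICE" \
        -S "teamid:$RDC_TEAMID" -k "$kcpw"
}

# rdc_delete_credential ID: remove the item again, e.g. when retiring the host.
rdc_delete_credential() {
    rdc_is_id "$1" || return 1
    run security delete-generic-password -a "$1" -s "$RDC_SERVICE"
}
```

Both passwords are passed as command-line arguments here, which makes them briefly visible to other local processes and to shell history; a deployment tool should hand them in through environment variables or a file it removes afterwards. The stored item is only as protected as the user's login keychain, which is the same trade-off the GUI client makes.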

how to run a bash script at startup with a specific user on Ubuntu 12.04 (stable)

Being fairly new to the Linux environment, and not having local resources to inquire of, I would like to ask what the preferred method is of starting a process at startup as a specific user on an Ubuntu 12.04 system. The reasoning for such a setup is that this machine (or these machines) will be hosting an Input/Output Controller (IOC) in an industrial setting. If the machine fails or restarts, this process must boot automatically, every time.
My internet searches have provided two such areas to perform this task:
/etc/rc.local
/etc/init.d/
I ask for the specific advantages and disadvantages of each approach. I'll add that some of these machines are clients and some are servers, but all need to run an IOC, and preferably in the same manner.
Within whatever method above is deemed to be the most appropriate, a bash shell script must be run as my specified user. It is my understanding that all startup processes are owned by root. So I question if this is the best practice:
sudo -u <user> start_ioc.sh
If this is the case, then I believe it is required to create a file under:
/etc/sudoers.d/
Using:
sudo visudo -f <filename>
Where within this file you assign the appropriate rights and paths to the user. Most of my searches have shown this as the proper format:
<user or group> <host or IP>=(<user or group to run as>)NOPASSWD:<list of comma separated applications>
root ALL=(user)NOPASSWD:/usr/bin/start_ioc.sh
So for final additional information, the ultimate reason for this approach, which may also be flawed logic, is that the IOC process needs to have access to a network attached server (NAS). Allowing root access to the NAS is I believe a no-no, where the user can have the appropriate permissions assigned.
This may not be the best answer, but it is how I decided to complete this task:
Exactly as this post here:
how to run script as another user without password
I did use rc.local to initiate the process at startup. It seems to be working quite well.
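What an rc.local hand-off to an unprivileged account can look like, added as an example and not the poster's own setup. Two points worth knowing beyond the linked post: rc.local runs as root, and root can `su` to any account without a password, so the NOPASSWD sudoers entry in the question is not needed for this; and since root is launching a file it did not write, it is worth checking that nobody else can have edited it. The user name (ioc), script path (/usr/local/bin/start_ioc.sh) and log path are assumptions. On 12.04 an Upstart job with setuid/setgid stanzas is the native alternative to rc.local for a service that should also be restarted if it dies.

```shell
#!/bin/sh
# Added example, not the poster's rc.local. Install as /usr/local/sbin/ioc-handoff.sh
# and call it from /etc/rc.local before the final "exit 0" (names assumed):
#     /usr/local/sbin/ioc-handoff.sh ioc /usr/local/bin/start_ioc.sh /var/log/ioc/start.log

# check_handoff USER SCRIPT: 0 only if SCRIPT is an absolute path made of safe
# characters, exists, is executable, is owned by root or USER, and is not group- or
# world-writable. rc.local runs as root; what it launches should not be editable by
# anyone but root or the account it will run as.
check_handoff() {
    user=$1 script=$2
    case "$script" in
        /*) ;;
        *) echo "check_handoff: $script is not an absolute path" >&2; return 1 ;;
    esac
    case "$script" in
        *[!A-Za-z0-9/._-]*) echo "check_handoff: unsafe characters in $script" >&2; return 1 ;;
    esac
    if [ ! -f "$script" ] || [ ! -x "$script" ]; then
        echo "check_handoff: $script missing or not executable" >&2; return 1
    fi
    if [ -n "$(find "$script" \( -perm -020 -o -perm -002 \))" ]; then
        echo "check_handoff: $script is group- or world-writable" >&2; return 1
    fi
    if [ -n "$(find "$script" ! -user root ! -user "$user")" ]; then
        echo "check_handoff: $script owned by neither root nor $user" >&2; return 1
    fi
    id "$user" >/dev/null 2>&1 || { echo "check_handoff: no such user $user" >&2; return 1; }
}

# drop_to_user USER SCRIPT LOG: start SCRIPT as USER in the background, output to LOG.
# root does not need a password for su, so no sudoers entry is involved; the process
# runs with USER's uid and therefore USER's (not root's) access to the NAS.
drop_to_user() {
    check_handoff "$1" "$2" || return 1
    { : >> "$3" && chown "$1" "$3"; } || return 1
    su -s /bin/sh -c "exec $2" "$1" >> "$3" 2>&1 &
    echo "started $2 as $1 (pid $!)" >> "$3"
}

# Only act when given all three arguments; sourcing the file defines the functions.
if [ $# -eq 3 ]; then
    drop_to_user "$1" "$2" "$3"
fi
```

The background `&` matters: rc.local is expected to return so the rest of the boot continues, and a long-running IOC started in the foreground would block it.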

Clear NGINX cache using FTP

I have an NGINX server set-up to handle caching for a website (running elsewhere).
Works like a charm; however, we want administrators to have an option to flush the cache from their backoffice. I was thinking of handling this using FTP, by simply removing all the files from the cache directory.
I have set up the caching like this:
proxy_cache_path /var/cache/nginx/my_site levels=1:2 keys_zone=MY_SITE:8m max_size=2048m inactive=720m;
However the files are stored with permissions 700. How can I tell NGINX to also give permissions to the group (770)? I would add the FTP user I created to that group then.
Any other suggestion to handle the flushing would be OK (I have read the other thread). The backoffice is located at another location, so I would have to use some remote technology.
You could use the proxy_cache_purge directive; look for details at http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_purge (this directive appeared in 1.5.7).
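One thing to check before relying on that directive: nginx's documentation lists proxy_cache_purge as part of the commercial subscription (NGINX Plus), so on the open-source build the options are the third-party ngx_cache_purge module or deleting cache files directly, which is what the question proposes. The script below, added as an example and not the answerer's, does the latter without widening the 700 permissions or exposing the cache over FTP: it locates a single entry from its cache key (file names are the MD5 of proxy_cache_key, laid out under proxy_cache_path according to levels), can empty the whole directory but only inside an allowed tree, and is meant to be triggered remotely through an SSH key restricted to this one command. The cache root from the question is used; the key format assumed is nginx's default "$scheme$proxy_host$request_uri".

```shell
#!/bin/sh
# Added example, not the answerer's or nginx's code: purge entries from an open-source
# nginx proxy cache by removing the files that store them. Assumed: the question's
# cache at /var/cache/nginx/my_site with levels=1:2, run as the user nginx writes
# cache files as (the 700 perms the question observed are nginx's own).
CACHE_ROOT="${CACHE_ROOT:-/var/cache/nginx}"   # flush_all refuses to work outside this tree

# md5_hex: MD5 of stdin as 32 lowercase hex chars (md5sum on Linux, md5 on macOS).
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -c1-32; else md5 -q; fi
}

# cache_key_hash KEY: the hash nginx derives from the cache key string.
cache_key_hash() {
    printf '%s' "$1" | md5_hex
}

# cache_file_path DIR HASH [LEVELS]: where nginx stores HASH under DIR. Each level
# takes the next N characters from the end of the hash; levels=1:2 puts
# b7f5...029c at DIR/c/29/b7f5...029c, the layout documented for proxy_cache_path.
# Runs in a subshell so changing IFS to split LEVELS does not leak out.
cache_file_path() (
    dir=$1 hash=$2 levels=${3:-1:2}
    path=$dir end=32
    IFS=:
    for n in $levels; do
        start=$((end - n + 1))
        path="$path/$(printf '%s' "$hash" | cut -c"$start-$end")"
        end=$((end - n))
    done
    printf '%s/%s\n' "$path" "$hash"
)

# purge_entry DIR KEY [LEVELS]: delete one cached response; nginx treats the missing
# file as a miss and refetches from upstream on the next request.
purge_entry() {
    f=$(cache_file_path "$1" "$(cache_key_hash "$2")" "${3:-}")
    if [ -f "$f" ]; then rm -f -- "$f" && echo "purged $2"; else echo "not cached: $2"; fi
}

# flush_all DIR: empty the whole cache directory, but only if DIR lies under
# CACHE_ROOT and contains no "..", so a typo or a hostile argument can never turn
# this into a delete somewhere else.
flush_all() {
    dir=$1
    case "$dir" in
        *..*) echo "flush_all: refusing path with .. ($dir)" >&2; return 1 ;;
        "$CACHE_ROOT"/*) ;;
        *) echo "flush_all: refusing to touch $dir (outside $CACHE_ROOT)" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "flush_all: $dir is not a directory" >&2; return 1; }
    find "$dir" -mindepth 1 -delete
}

# Remote trigger without FTP: give the backoffice host its own key whose only
# capability on the cache host is this script, via ~/.ssh/authorized_keys there:
#   command="/usr/local/sbin/nginx-cache-flush flush /var/cache/nginx/my_site",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backoffice
# The backoffice then just runs "ssh cachehost"; whatever command it sends is ignored.
case "${1:-}" in
    flush) flush_all "$2" ;;
    purge) purge_entry "$2" "$3" "${4:-}" ;;
    '')    ;;
    *)     echo "usage: $0 flush DIR | purge DIR KEY [LEVELS]" >&2; exit 2 ;;
esac
```

Compared with an FTP account that can write into the cache directory, the forced-command key gives the backoffice exactly one action, sends nothing in clear text, and works with the permissions nginx already sets.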
