Re: Auto Logout Idle Users
Do your users need console access to the system? In my environment I usually control this via ssh and disable console access to normal users. A simple way to do it in /etc/ssh/sshd_config:

    ClientAliveInterval 300
    ClientAliveCountMax 0

Make all the users that require console access use ksh and you're done.

Yavor

On Fri, Oct 15, 2010 at 7:41 AM, Rodrigo Mosconi <open...@mosconi.mat.br> wrote:
> 2010/10/13 Brad Tilley <b...@16systems.com>:
>> That works great. I've tried to do the same to the other default shell in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to /etc/csh.login as well (I'm turning knobs like a good clueless user). I then read the csh man page, but saw no mention of autologout. Perhaps the OpenBSD version of csh does not support this? Is there a way to do this with csh? If not, I'll need to remove access to the shell.
>
> I know that TCSH has the autologout feature.
>
> Developers, just for curiosity (no flame war please): is there any problem if tcsh replaces csh in the base system?
>
> Thanks,
> Mosconi

--
Yavor Shahpasov
yavosh.at.gmail.com
Re: Auto Logout Idle Users
On Fri, 15 Oct 2010 01:12:03 +0200 Ingo Schwarze <schwa...@usta.de> wrote:
> Much of the compliance efforts may look good on paper, but have no impact on actual usage or may be trivially circumvented or even worse, will likely end up compromising security in case somebody aiming for hardening manipulates the system without fully understanding the consequences.

Introducing denial of service springs to mind, by enabling account lockout, and with no benefit. The auth system and crypto is good in OpenBSD as I'm sure you know. You also want to catch attempted brute force attacks that don't steal the password file. I guess there's no extenuating circumstances procedure, especially after the banks changed the chip and pin system for convenience after it was deemed acceptable, opening up local attacks. The bunch of jokers.
Re: Auto Logout Idle Users
On Oct 14 18:15:16, Brad Tilley wrote:
> On 10/14/2010 05:13 PM, Jan Stary wrote:
>> On Oct 14 17:01:30, Brad Tilley wrote:
>>> Jan Stary wrote:
>>>> Why do you want to logout idle users? There is sysutils/idled if you need it.
>>> I'm experimenting with getting an OpenBSD base system to meet the PCI DSS requirements.
>> Does PCI DSS require you to log users out?
> After 15 minutes of inactivity, users must re-enter the password. Something such as that.

So if I put

    { while true ; do sleep $((15*60)) ; done ; } &

into my ~/.shrc I am OK, because I have a background process running (is that activity?). Makes me feel very secure, as a user. Almost as secure as if my admin knew what he was doing.

>>> I'm trying to avoid using any software outside the base system.
>>>
>>>     rm /bin/csh
>>>     cp /bin/ksh /bin/csh
>>>
>> You just forced your csh users to use ksh. Why do you want them to hate you?
> It's just a shell, they'll get over it.
>> Unbelievable.
> I'm not actually doing this to users on an existing system. I'm just experimenting. Thinking out loud about the issues before having to deal with it.

The only issue so far is that you have broken everybody's csh scripts.
Re: Auto Logout Idle Users
On Thu, Oct 14, 2010 at 03:28:20PM -0400, Brad Tilley wrote:
> Brad Tilley wrote:
>> I created (...) /etc/profile to force sh and ksh to logout users after a certain period of idleness:
>>
>>     $ cat /etc/profile
>>     # Force sh and ksh to logout idle users after 15 minutes
>>     # Prevent normal users from disabling this setting
>>     readonly TMOUT=900
>>     export TMOUT
>>
>> That works great. I've tried to do the same to (...) csh.
>
> Replying to myself. I can't seem to make csh auto logout inactive users. So I did this:
>
>     rm /bin/csh
>     cp /bin/ksh /bin/csh
>
> Any good reason to not do this?

Allow me to echo the general wtf?! sentiment.

You do realize that the following hack works even for ksh, right?

    $ export TMOUT=10
    $ readonly TMOUT
    $ exec env -i HOME=$HOME PATH=$PATH ... /bin/ksh

I suspect that a less-than-unbreakable solution might be enough for PCI compliance; in that case, look at sysutils/idled or pester the devio.us guys for their logout daemon.

Joachim

--
getenv, putenv, setenv, unsetenv (3) - environment variable functions
http://www.joachimschipper.nl/
Re: Auto Logout Idle Users
On Oct 14 18:17:23, Brad Tilley wrote:
> On 10/14/2010 05:08 PM, Darrin Chandler wrote:
>>>     rm /bin/csh
>>>     cp /bin/ksh /bin/csh
>>>
>>> You just forced your csh users to use ksh. Why do you want them to hate you?
>>> It's just a shell, they'll get over it.
>>
>> Remove it from /etc/shells instead. Replacing csh with ksh is evil, and I don't mean that in a good way.
>
> I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.

From ksh's point of view, there is a process running, namely csh.
Re: Auto Logout Idle Users
On Thu, Oct 14, 2010 at 06:17:23PM -0400, Brad Tilley wrote:
> I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.

TMOUT is at most a convenience, not a security measure:

    $ TMOUT=600
    $ readonly TMOUT
    $ exec perl -e 'delete $ENV{TMOUT}; exec "/bin/ksh";'
    $ echo $TMOUT
    0
    $

--
Jurjen Oskam
Savage's Law of Expediency: You want it bad, you'll get it bad.
Re: Auto Logout Idle Users
Jurjen Oskam wrote:
> On Thu, Oct 14, 2010 at 06:17:23PM -0400, Brad Tilley wrote:
>> I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.
>
> TMOUT is at most a convenience, not a security measure:
>
>     $ TMOUT=600
>     $ readonly TMOUT
>     $ exec perl -e 'delete $ENV{TMOUT}; exec "/bin/ksh";'
>     $ echo $TMOUT
>     0
>     $

Understood. If an employee did that, there should be measures in place at the policy level to deal with that behavior (if it is discovered). 70% of the PCI DSS controls are policy and procedure, not technical.

Thanks to all for feedback, I appreciate it.

Brad
Re: Auto Logout Idle Users
On 2010-10-15 00.59, Brad Tilley wrote:
> On 10/14/2010 06:45 PM, Ben Niccum wrote:
>>> I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.
>>>
>>> Brad
>>
>> Don't mean to complicate things for you, but just thought I should mention that if the user does:
>>
>>     # exec /bin/csh
>>
>> Then csh takes over ksh's active process, and even though the TMOUT variable is still there, csh doesn't honor it, and ksh is no longer around to object.
>>
>> -Ben
>
> Great point. That's precisely the sort of thing I'd like to have thought about. Much of the compliance efforts may look good on paper, but have no impact on actual usage or may be trivially circumvented as you point out. So while disabling a shell may get a check mark during PCI compliance efforts, that may be all you end up with.

You mentioned not wanting to use anything not in base. How about a simple shell script, using nothing but standard utilities, to regularly monitor logged-in users and kick idle ones out?

I whipped something together as an example, see below. (Very slightly tested, use at your own risk :-) )

As an added bonus you can't as a regular user circumvent its watchful eye by exec:ing a different shell or simply by changing the idle timeout value in the current login shell.

Regards,
/Benny

--- 8< --- (cut)
#!/bin/ksh
#
# idlehup -- hang up idle tty connections
# ---
#
# Written on a whim in 2010-10-15 by Benny Lofgren
#
# benny -at- internetlabbet.se / +46 70 718 11 90
#
# Use at your own risk :-)
#
# Run with nohup (or remove infinite loop at the end
# and run with cron)
#

PROG=$0

if [ $# -ne 1 ]
then
    echo "${PROG}: usage: ${PROG} max_idle_time_in_minutes"
    exit 1
else
    # expr fails on a non-numeric argument; silence its complaint
    IDLETIME=`expr "$1" + 0 2>/dev/null`
    if [ $? -ne 0 ]
    then
        echo "${PROG}: ERROR: idle time argument must be numeric"
        exit 2
    fi
    if [ ${IDLETIME} -gt 1440 ]
    then
        echo "${PROG}: ERROR: idle time must be <= 1440 minutes (24 h)"
        exit 3
    fi
fi

getidle()
{
    idletime=$1

    # who -u prints one line per logged-in tty; the idle column is
    # "." (active), "old" (idle more than a day) or HH:MM
    who -u | while read user tty mon day time idle rest
    do
        # Check each logged-in user for excessive idle times
        isidle=false
        case ${idle} in
        .)      ;;                      # Active tty, do nothing
        old)    isidle=true;;           # Very old, kick them out
        ??:??)  H=`echo $idle | cut -d: -f1`
                M=`echo $idle | cut -d: -f2`
                M=`expr $H \* 60 + $M`
                if [ $M -gt $idletime ]
                then
                    isidle=true
                fi
                ;;
        esac

        # Find and eliminate session leader and the rest will follow
        if [ ${isidle} = true ]
        then
            ps -t`echo $tty | sed s/^tty//` -opid,stat | while read pid stat
            do
                case $stat in
                *s*)    echo $pid;;     # He's the leader, stone him!
                esac
            done
        fi
    done
}

while true
do
    PIDS=`getidle ${IDLETIME}`
    # PIDS may hold several newline-separated pids; quote it for test(1)
    if [ -n "${PIDS}" ]
    then
        kill -HUP ${PIDS}
    fi
    sleep 60
done
--- 8< --- (cut)

--
internetlabbet.se / work:   +46 8 551 124 80 / Words must
Benny Löfgren     / mobile: +46 70 718 11 90 / be weighed,
                  / fax:    +46 8 551 124 89 / not counted.
                  / email:  benny -at- internetlabbet.se
Re: Auto Logout Idle Users
On Fri, 15 Oct 2010 16:28:51 +0200 Benny Löfgren <bl-li...@lofgren.biz> wrote:
> On 2010-10-15 00.59, Brad Tilley wrote:
>> On 10/14/2010 06:45 PM, Ben Niccum wrote:
>>>> I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.
>>>>
>>>> Brad
>>>
>>> Don't mean to complicate things for you, but just thought I should mention that if the user does:
>>>
>>>     # exec /bin/csh
>>>
>>> Then csh takes over ksh's active process, and even though the TMOUT variable is still there, csh doesn't honor it, and ksh is no longer around to object.
>>>
>>> -Ben
>>
>> Great point. That's precisely the sort of thing I'd like to have thought about. Much of the compliance efforts may look good on paper, but have no impact on actual usage or may be trivially circumvented as you point out. So while disabling a shell may get a check mark during PCI compliance efforts, that may be all you end up with.
>
> You mentioned not wanting to use anything not in base. How about a simple shell script, using nothing but standard utilities, to regularly monitor logged-in users and kick idle ones out?
>
> I whipped something together as an example, see below. (Very slightly tested, use at your own risk :-) )
>
> As an added bonus you can't as a regular user circumvent its watchful eye by exec:ing a different shell or simply by changing the idle timeout value in the current login shell.
>
> Regards,
> /Benny
>
> [idlehup script quoted in full; it is the same script as in Benny's message above]

As already said in this thread, there is no way to handle everything. For example, this script does not work when a user connects with ssh without allocating a pseudo-tty. Still, it does not seem to be a problem for the PCI DSS ...

--
Stephane Sezer
Re: Auto Logout Idle Users
On 2010-10-15 17.13, Stephane Sezer wrote:
> On Fri, 15 Oct 2010 16:28:51 +0200 Benny Löfgren <bl-li...@lofgren.biz> wrote:
>> On 2010-10-15 00.59, Brad Tilley wrote:
>>> On 10/14/2010 06:45 PM, Ben Niccum wrote:
>>>>> I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.
>>>>>
>>>>> Brad
>>>>
>>>> Don't mean to complicate things for you, but just thought I should mention that if the user does:
>>>>
>>>>     # exec /bin/csh
>>>>
>>>> Then csh takes over ksh's active process, and even though the TMOUT variable is still there, csh doesn't honor it, and ksh is no longer around to object.
>>>>
>>>> -Ben
>>>
>>> Great point. That's precisely the sort of thing I'd like to have thought about. Much of the compliance efforts may look good on paper, but have no impact on actual usage or may be trivially circumvented as you point out. So while disabling a shell may get a check mark during PCI compliance efforts, that may be all you end up with.
>>
>> You mentioned not wanting to use anything not in base. How about a simple shell script, using nothing but standard utilities, to regularly monitor logged-in users and kick idle ones out?
>>
>> I whipped something together as an example, see below. (Very slightly tested, use at your own risk :-) )
>>
>> As an added bonus you can't as a regular user circumvent its watchful eye by exec:ing a different shell or simply by changing the idle timeout value in the current login shell.
>>
>> [boring script snipped out]
>
> As already said in this thread, there is no way to handle everything. For example, this script does not work when a user connects with ssh without allocating a pseudo-tty. Still, it does not seem to be a problem for the PCI DSS ...

Indeed, this was never meant to be a catch-all, just an example of what can be done with standard tools that are all in base. (Also, I find perverse happiness in writing an 80+ line script that works on the first try. :-) )

Then again, how does the PCI DSS standard define a user? If there is no pseudo-tty (or for that matter, a real tty) allocated, that normally means it isn't an interactive session but rather something like a connection established to transfer a file, communicate with a server resource or similar. Something that probably wouldn't even be a good idea to idle-kill anyway.

Regards,
/Benny

--
internetlabbet.se / work:   +46 8 551 124 80 / Words must
Benny Löfgren     / mobile: +46 70 718 11 90 / be weighed,
                  / fax:    +46 8 551 124 89 / not counted.
                  / email:  benny -at- internetlabbet.se
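As an added example, not Benny's idlehup script and not code from anyone in the thread, the following POSIX sh functions isolate the one piece such a watchdog depends on: reading the idle column that who -u prints. They are run over constructed who -u lines (the SAMPLE_WHO text, the user names and the pids are made up) so that all three shapes of the idle field (".", "old" and HH:MM) are exercised, and so that Stephane's caveat is visible in the data: a session that never allocated a tty has no who line at all, so a tty-based sweep cannot see it. The function names idle_minutes and idle_ttys are my own; the kill step (finding the session leader with ps) is deliberately left out.

```shell
#!/bin/sh
# Added example: parse the idle column of `who -u` and list the ttys
# that exceed a threshold in minutes. Constructed sample in the shape
# OpenBSD's who -u prints (user tty month day time idle pid); no session
# without a tty (e.g. ssh -T) can appear here, which is the blind spot
# discussed in the thread.
SAMPLE_WHO='brad   ttyC0  Oct 14 17:01  .      4711
alice  ttyp0  Oct 14 09:30  00:12  4802
bob    ttyp1  Oct 14 08:02  01:45  4890
carol  ttyp2  Oct 13 08:00  old    3011'

# idle_minutes FIELD -> prints minutes idle: 0 for "." (activity within
# the last minute), 1440 for "old" (more than a day), H*60+M for HH:MM.
# Any other shape prints nothing and returns 1.
idle_minutes() {
    case $1 in
    .)     echo 0 ;;
    old)   echo 1440 ;;
    [0-9][0-9]:[0-9][0-9])
           h=${1%%:*}; m=${1##*:}
           # strip one leading zero so "08" is not taken as octal
           echo $(( ${h#0} * 60 + ${m#0} )) ;;
    *)     return 1 ;;
    esac
}

# idle_ttys MINUTES < who-u-output -> prints "user tty" for every session
# idle longer than MINUTES; malformed lines are skipped, not killed.
idle_ttys() {
    limit=$1
    while read -r user tty mon day time idle rest; do
        mins=$(idle_minutes "$idle") || continue
        if [ "$mins" -gt "$limit" ]; then
            printf '%s %s\n' "$user" "$tty"
        fi
    done
}

# Stand-alone run: who would be hung up with a 15-minute limit?
printf '%s\n' "$SAMPLE_WHO" | idle_ttys 15
```

With the sample above and a 15-minute limit this prints bob (1 h 45 min idle) and carol (old) but not alice (12 min) or brad (active); the same function fed real output from `who -u | idle_ttys 15` gives the candidate list Benny's script then passes to ps and kill.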
Re: Auto Logout Idle Users
Brad Tilley wrote:
> I created the file /etc/profile to force sh and ksh to logout users after a certain period of idleness:
>
>     $ cat /etc/profile
>     # Force sh and ksh to logout idle users after 15 minutes
>     # Prevent normal users from disabling this setting
>     readonly TMOUT=900
>     export TMOUT
>
> That works great. I've tried to do the same to the other default shell in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to /etc/csh.login as well (I'm turning knobs like a good clueless user). I then read the csh man page, but saw no mention of autologout. Perhaps the OpenBSD version of csh does not support this? Is there a way to do this with csh? If not, I'll need to remove access to the shell.

Replying to myself. I can't seem to make csh auto logout inactive users. So I did this:

    rm /bin/csh
    cp /bin/ksh /bin/csh

Any good reason to not do this?

Brad
Re: Auto Logout Idle Users
> Any good reason to not do this?

They're not the same shell. I can't think of any security reasons because I'm not familiar with the code, but as far as logs and noise factor I imagine it would go up, or various things might start breaking that depend on csh.
Re: Auto Logout Idle Users
Adam M. Dutko wrote:
>> Any good reason to not do this?
>
> They're not the same shell.

Yes, I know that part :)

> I can't think of any security reasons because I'm not familiar with the code, but as far as logs and noise factor I imagine it would go up, or various things might start breaking that depend on csh.

Base seems to only have two shells, as ksh and sh have the same md5 checksum. I'm hoping csh is only included for historical reasons or in honor of Bill Joy or something such as that.

Brad
Re: Auto Logout Idle Users
On Oct 14 15:28:20, Brad Tilley wrote:
> Brad Tilley wrote:
>> I created the file /etc/profile to force sh and ksh to logout users after a certain period of idleness:

Why do you want to logout idle users? There is sysutils/idled if you need it.

>>     $ cat /etc/profile
>>     # Force sh and ksh to logout idle users after 15 minutes
>>     # Prevent normal users from disabling this setting
>>     readonly TMOUT=900
>>     export TMOUT
>>
>> That works great. I've tried to do the same to the other default shell in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to /etc/csh.login as well (I'm turning knobs like a good clueless user). I then read the csh man page, but saw no mention of autologout. Perhaps the OpenBSD version of csh does not support this? Is there a way to do this with csh? If not, I'll need to remove access to the shell.

Why?

> Replying to myself. I can't seem to make csh auto logout inactive users. So I did this:
>
>     rm /bin/csh
>     cp /bin/ksh /bin/csh

lol wut?

> Any good reason to not do this?

You just forced your csh users to use ksh. Why do you want them to hate you? Why don't you also 'mv /bin/rm /bin/ls' while you are at it?

> Base seems to only have two shells, as ksh and sh have the same md5 checksum.

And the same inode number.

> I'm hoping csh is only included for historical reasons or in honor of Bill Joy or something such as that.

Or maybe to be used by the thousands of people that want to use it.
Re: Auto Logout Idle Users
Jan Stary wrote:
> Why do you want to logout idle users? There is sysutils/idled if you need it.

I'm experimenting with getting an OpenBSD base system to meet the PCI DSS requirements. I'm trying to avoid using any software outside the base system.

>>     rm /bin/csh
>>     cp /bin/ksh /bin/csh
>
> You just forced your csh users to use ksh. Why do you want them to hate you?

It's just a shell, they'll get over it.

> Why don't you also 'mv /bin/rm /bin/ls' while you are at it?

Not a very similar comparison.
Re: Auto Logout Idle Users
>>>     rm /bin/csh
>>>     cp /bin/ksh /bin/csh
>>
>> You just forced your csh users to use ksh. Why do you want them to hate you?
>
> It's just a shell, they'll get over it.

Remove it from /etc/shells instead. Replacing csh with ksh is evil, and I don't mean that in a good way.

--
Darrin Chandler            | Phoenix BSD User Group | MetaBUG
dwchand...@stilyagin.com   | http://phxbug.org/     | http://metabug.org/
http://www.stilyagin.com/  | Daemons in the Desert  | Global BUG Federation
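Before a shell is dropped from shells(5), an administrator wants to know which accounts still have it as their login shell, since those users are the ones Jan's "you broke everybody's csh scripts" objection is about. The following is an added example (not Darrin's or anyone else's code from the thread) that performs that audit in POSIX sh over constructed stand-ins for /etc/passwd and /etc/shells; the account names, the SAMPLE_PASSWD and SAMPLE_SHELLS texts and the function names are all mine. One caveat worth keeping in mind: the shells(5) list is consulted by chsh(1)/chpass(1) and by ftpd(8), not by login(1) or sshd(8), so removing csh from it stops users from choosing csh and blocks ftp logins for those who have it, but an account whose passwd entry already says /bin/csh keeps logging in with csh until its shell is changed with chsh or vipw.

```shell
#!/bin/sh
# Added example: find the accounts affected by removing a shell from
# /etc/shells. The passwd and shells contents below are constructed
# stand-ins, not real files.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
brad:*:1000:1000:Brad Tilley:/home/brad:/bin/ksh
joy:*:1001:1001:Bill Joy:/home/joy:/bin/csh
legacy:*:1002:1002:Legacy App:/home/legacy:/bin/csh
www:*:67:67:HTTP Server:/var/www:/sbin/nologin'

SAMPLE_SHELLS='# List of acceptable login shells
/bin/sh
/bin/csh
/bin/ksh'

# accounts_using SHELL < passwd -> login names whose shell is exactly SHELL
accounts_using() {
    want=$1
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$shell" = "$want" ]; then printf '%s\n' "$name"; fi
    done
}

# shell_allowed SHELL SHELLS_TEXT -> exit 0 if SHELL is listed
# (comment lines ignored, exact whole-line match), 1 otherwise
shell_allowed() {
    printf '%s\n' "$2" | grep -v '^#' | grep -qxF "$1"
}

# unlisted_accounts SHELLS_TEXT < passwd -> "name shell" for every account
# whose login shell is not in the list. System accounts with /sbin/nologin
# show up here too, which is normal and expected.
unlisted_accounts() {
    shells=$1
    while IFS=: read -r name pw uid gid gecos home shell; do
        if ! shell_allowed "$shell" "$shells"; then
            printf '%s %s\n' "$name" "$shell"
        fi
    done
}

# Simulate Darrin's suggestion: take /bin/csh out of the list and see who
# is left with an unlisted login shell.
NEW_SHELLS=$(printf '%s\n' "$SAMPLE_SHELLS" | grep -vxF /bin/csh)

printf '%s\n' "$SAMPLE_PASSWD" | unlisted_accounts "$NEW_SHELLS"
```

Run against the real files as `unlisted_accounts "$(cat /etc/shells)" < /etc/passwd`, the output is the list of accounts to migrate (or to leave alone, for nologin-style system accounts) before the change is made.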
Re: Auto Logout Idle Users
On Oct 14 17:01:30, Brad Tilley wrote:
> Jan Stary wrote:
>> Why do you want to logout idle users? There is sysutils/idled if you need it.
>
> I'm experimenting with getting an OpenBSD base system to meet the PCI DSS requirements.

Does PCI DSS require you to log users out?

> I'm trying to avoid using any software outside the base system.
>
>>>     rm /bin/csh
>>>     cp /bin/ksh /bin/csh
>>
>> You just forced your csh users to use ksh. Why do you want them to hate you?
>
> It's just a shell, they'll get over it.

Unbelievable.
Re: Auto Logout Idle Users
On Thu, Oct 14, 2010 at 4:01 PM, Brad Tilley <b...@16systems.com> wrote:
> Jan Stary wrote:
>> Why do you want to logout idle users? There is sysutils/idled if you need it.
>
> I'm experimenting with getting an OpenBSD base system to meet the PCI DSS requirements. I'm trying to avoid using any software outside the base system.
>
>>>     rm /bin/csh
>>>     cp /bin/ksh /bin/csh
>>
>> You just forced your csh users to use ksh. Why do you want them to hate you?
>
> It's just a shell, they'll get over it.

Also their scripts, and transparently...

>> Why don't you also 'mv /bin/rm /bin/ls' while you are at it?
>
> Not a very similar comparison.
Re: Auto Logout Idle Users
On 10/14/2010 05:08 PM, Darrin Chandler wrote:
>>>>     rm /bin/csh
>>>>     cp /bin/ksh /bin/csh
>>>
>>> You just forced your csh users to use ksh. Why do you want them to hate you?
>>
>> It's just a shell, they'll get over it.
>
> Remove it from /etc/shells instead. Replacing csh with ksh is evil, and I don't mean that in a good way.

I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.

Brad
Re: Auto Logout Idle Users
On 10/14/2010 05:13 PM, Jan Stary wrote:
> On Oct 14 17:01:30, Brad Tilley wrote:
>> Jan Stary wrote:
>>> Why do you want to logout idle users? There is sysutils/idled if you need it.
>>
>> I'm experimenting with getting an OpenBSD base system to meet the PCI DSS requirements.
>
> Does PCI DSS require you to log users out?

After 15 minutes of inactivity, users must re-enter the password. Something such as that.

>> I'm trying to avoid using any software outside the base system.
>>
>>>>     rm /bin/csh
>>>>     cp /bin/ksh /bin/csh
>>>
>>> You just forced your csh users to use ksh. Why do you want them to hate you?
>>
>> It's just a shell, they'll get over it.
>
> Unbelievable.

I'm not actually doing this to users on an existing system. I'm just experimenting. Thinking out loud about the issues before having to deal with it.
Re: Auto Logout Idle Users
On Thu, 14 Oct 2010 18:17:23 -0400 Brad Tilley <b...@16systems.com> wrote:
> On 10/14/2010 05:08 PM, Darrin Chandler wrote:
>>>>>     rm /bin/csh
>>>>>     cp /bin/ksh /bin/csh
>>>>
>>>> You just forced your csh users to use ksh. Why do you want them to hate you?
>>>
>>> It's just a shell, they'll get over it.
>>
>> Remove it from /etc/shells instead. Replacing csh with ksh is evil, and I don't mean that in a good way.
>
> I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.
>
> Brad

Don't mean to complicate things for you, but just thought I should mention that if the user does:

    # exec /bin/csh

Then csh takes over ksh's active process, and even though the TMOUT variable is still there, csh doesn't honor it, and ksh is no longer around to object.

-Ben

--
be...@bendtel.com
Re: Auto Logout Idle Users
On 10/14/2010 06:45 PM, Ben Niccum wrote:
>> I thought about doing that too. I need to test it more to see what happens when ksh is the shell and the user executes csh manually. I suppose ksh will still honor TMOUT in that case.
>>
>> Brad
>
> Don't mean to complicate things for you, but just thought I should mention that if the user does:
>
>     # exec /bin/csh
>
> Then csh takes over ksh's active process, and even though the TMOUT variable is still there, csh doesn't honor it, and ksh is no longer around to object.
>
> -Ben

Great point. That's precisely the sort of thing I'd like to have thought about. Much of the compliance efforts may look good on paper, but have no impact on actual usage or may be trivially circumvented as you point out. So while disabling a shell may get a check mark during PCI compliance efforts, that may be all you end up with.

Brad
Re: Auto Logout Idle Users
Much of the compliance efforts may look good on paper, but have no impact on actual usage or may be trivially circumvented or even worse, will likely end up compromising security in case somebody aiming for hardening manipulates the system without fully understanding the consequences.
Re: Auto Logout Idle Users
2010/10/13 Brad Tilley <b...@16systems.com>:
> That works great. I've tried to do the same to the other default shell in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to /etc/csh.login as well (I'm turning knobs like a good clueless user). I then read the csh man page, but saw no mention of autologout. Perhaps the OpenBSD version of csh does not support this? Is there a way to do this with csh? If not, I'll need to remove access to the shell.

I know that TCSH has the autologout feature.

Developers, just for curiosity (no flame war please): is there any problem if tcsh replaces csh in the base system?

Thanks,
Mosconi
Auto Logout Idle Users
I created the file /etc/profile to force sh and ksh to logout users after a certain period of idleness:

    $ cat /etc/profile
    # Force sh and ksh to logout idle users after 15 minutes
    # Prevent normal users from disabling this setting
    readonly TMOUT=900
    export TMOUT

That works great. I've tried to do the same to the other default shell in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to /etc/csh.login as well (I'm turning knobs like a good clueless user). I then read the csh man page, but saw no mention of autologout. Perhaps the OpenBSD version of csh does not support this? Is there a way to do this with csh? If not, I'll need to remove access to the shell.

Thanks

Brad

P.S. I only mean the local shells, not OpenSSH. I do this when required to autologout idle ssh users:

    ClientAliveInterval 900
    ClientAliveCountMax 0
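The sshd settings used by Brad above and by Yavor earlier in the thread (ClientAliveInterval with ClientAliveCountMax 0) are the one control here that the user cannot undo from inside the session, so it is worth being able to read the effective disconnect window straight out of a sshd_config. The following is an added example, not code from the thread or from OpenSSH: POSIX sh functions that extract ClientAliveInterval and ClientAliveCountMax from a config text the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, defaults are 0 and 3) and compute the number of seconds an unresponsive client survives. The SAMPLE_SSHD_CONFIG and STRICT_CONFIG texts are constructed, and the function names sshd_opt, idle_window and meets_limit are mine. CountMax 0 is reported separately rather than multiplied out, because its meaning changed between OpenSSH releases (older sshd dropped the connection at the first missed probe, OpenSSH 8.2 and later treat it as disabling termination), so it must be confirmed against the installed sshd(8) rather than inferred from the file.

```shell
#!/bin/sh
# Added example: derive the effective idle-disconnect window from a
# sshd_config. Both config texts below are constructed, not real files.
# The first block mirrors the thread's "CountMax 0" style, with a later
# duplicate keyword that sshd ignores; the second spells out 15 minutes
# as three 300-second probes.
SAMPLE_SSHD_CONFIG='# constructed sshd_config
Port 22
clientaliveinterval 900
ClientAliveCountMax 0
# a second occurrence is ignored: sshd takes the first one
ClientAliveInterval 30'

STRICT_CONFIG='ClientAliveInterval 300
ClientAliveCountMax 3'

# sshd_opt KEYWORD CONFIG_TEXT DEFAULT -> value of the first matching
# keyword (case-insensitive, comment lines skipped), or DEFAULT if absent
sshd_opt() {
    v=$(printf '%s\n' "$2" | awk -v k="$1" \
        '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${v:-$3}"
}

# idle_window CONFIG_TEXT -> seconds until an unresponsive client is
# dropped (interval * countmax), "disabled" when the interval is 0 (sshd
# never probes), or "countmax-zero" when CountMax is 0 (version-dependent
# meaning; verify against the running sshd rather than the file)
idle_window() {
    interval=$(sshd_opt ClientAliveInterval "$1" 0)
    countmax=$(sshd_opt ClientAliveCountMax "$1" 3)
    if [ "$interval" -eq 0 ]; then
        echo disabled
    elif [ "$countmax" -eq 0 ]; then
        echo countmax-zero
    else
        echo $((interval * countmax))
    fi
}

# meets_limit CONFIG_TEXT MAX_SECONDS -> exit 0 only when the window can
# be read from the file and is within MAX_SECONDS; "disabled" and
# "countmax-zero" both fail, the latter because it cannot be confirmed
# from the config alone
meets_limit() {
    w=$(idle_window "$1")
    case $w in
    disabled|countmax-zero) return 1 ;;
    *) [ "$w" -le "$2" ] ;;
    esac
}

# Stand-alone run: show both windows against the 15-minute (900 s) figure
printf 'thread style: %s\n' "$(idle_window "$SAMPLE_SSHD_CONFIG")"
printf 'strict:       %s\n' "$(idle_window "$STRICT_CONFIG")"
```

On a live host the same check is `idle_window "$(cat /etc/ssh/sshd_config)"`; note that it reads the file, not the running daemon, so it says nothing about a Match block or a sshd started with -o overrides.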