Gentoo Forums
forcing security onto lightdm and maybe multiple xdmcp
vaxbrat
l33t


Joined: 05 Oct 2005
Posts: 731
Location: DC Burbs

Posted: Wed Jun 15, 2016 11:17 pm    Post subject: forcing security onto lightdm and maybe multiple xdmcp

With kdm's days numbered, I'm moving on to looking at lightdm and sddm for my greeter. Right now I'm looking at lightdm since I'm also in the process of locking down a kubuntu 14.04 vm image.

So far I have the following conf file to enable xdmcp and disable the stinking user lists that everybody provides by default without even thinking about security:

File /etc/lightdm/lightdm.conf

Code:
[SeatDefaults]
allow-guest=false
autologin-guest=false
autologin-user=
greeter-hide-users=true
greeter-show-manual-login=true

[VNCServer]
enabled=false

[XDMCPServer]
enabled=true


I haven't yet gotten into the weeds of figuring out how to set up a multiple xdmcp session config like I did with kdm here:

https://forums.gentoo.org/viewtopic-t-1044602-highlight-.html

However I'm getting a last username filled out by default (very bad security) since it appears that lightdm is caching state in /var/lib/lightdm/.kde/share/config/state-kde as follows:

Code:
[lightdm]
lastUser=vaxbrat


Is there a way of turning this stuff off, or am I going to have to set up some sort of pre-trigger script to make sure that this file gets blown away each time the greeter gets cycled?
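An added example, not from this thread or from the lightdm project, that turns the hardening in the post above into something checkable. It is a POSIX shell script with three functions: ini_get reads one key from one section of an INI-style file (lightdm.conf and the greeter state file both use that layout), lightdm_conf_check reports every setting the post toggles (guest login, autologin, hidden user list, manual login, VNC) that is not in the hardened state and flags an enabled XDMCP server as informational, since XDMCP traffic is not encrypted, and scrub_last_user strips the cached lastUser= line from a lightdm-kde-greeter state file so the username field starts empty. The demo at the bottom runs on constructed sample files in a temporary directory; the real paths are /etc/lightdm/lightdm.conf and /var/lib/lightdm/.kde/share/config/state-kde from the post.

```shell
#!/bin/sh
# Added example: audit a lightdm.conf for the settings discussed in the
# thread and scrub the cached last-user entry. Not lightdm project code.

# Print the value of KEY in [SECTION] of an INI-style FILE; print nothing
# when the key is absent. Comments and keys in other sections are ignored.
ini_get() { # ini_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        { sub(/^[[:space:]]+/, "") }                  # drop leading indent
        /^\[/ { in_sec = ($0 == "[" sec "]"); next }  # track current section
        in_sec && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Report settings that are not in the hardened state. Returns 0 when all
# checks pass, 1 otherwise. XDMCP is reported as INFO, not a failure: the
# thread enables it on purpose, but its traffic is not encrypted.
lightdm_conf_check() { # lightdm_conf_check FILE
    cf=$1
    fails=0
    for spec in \
        "SeatDefaults allow-guest false" \
        "SeatDefaults greeter-hide-users true" \
        "SeatDefaults greeter-show-manual-login true" \
        "VNCServer enabled false"
    do
        set -- $spec   # $1=section $2=key $3=required value
        val=$(ini_get "$cf" "$1" "$2" | tr 'A-Z' 'a-z')
        if [ "$val" != "$3" ]; then
            echo "FAIL [$1] $2 is '${val:-unset}', want '$3'"
            fails=$((fails + 1))
        fi
    done
    val=$(ini_get "$cf" SeatDefaults autologin-user)
    if [ -n "$val" ]; then
        echo "FAIL [SeatDefaults] autologin-user is '$val', want empty"
        fails=$((fails + 1))
    fi
    if [ "$(ini_get "$cf" XDMCPServer enabled | tr 'A-Z' 'a-z')" = "true" ]; then
        echo "INFO [XDMCPServer] enabled=true: XDMCP is unencrypted, keep it on a trusted network"
    fi
    [ "$fails" -eq 0 ]
}

# Remove the lastUser= line the KDE greeter caches, so the username field
# starts empty. Rewrites through a temp file (portable across sed flavours).
scrub_last_user() { # scrub_last_user STATEFILE
    [ -f "$1" ] || return 0
    awk '!/^[[:space:]]*lastUser=/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# --- demo on constructed sample files; the real paths are
# --- /etc/lightdm/lightdm.conf and /var/lib/lightdm/.kde/share/config/state-kde
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
[SeatDefaults]
allow-guest=true
autologin-user=alice

[VNCServer]
enabled=true
EOF
cat > "$tmp/hardened.conf" <<'EOF'
[SeatDefaults]
allow-guest=false
autologin-guest=false
autologin-user=
greeter-hide-users=true
greeter-show-manual-login=true

[VNCServer]
enabled=false

[XDMCPServer]
enabled=true
EOF
printf '[lightdm]\nlastUser=alice\n' > "$tmp/state-kde"

echo "== weak.conf";     lightdm_conf_check "$tmp/weak.conf" || echo "-> not hardened"
echo "== hardened.conf"; lightdm_conf_check "$tmp/hardened.conf" && echo "-> ok"
scrub_last_user "$tmp/state-kde"
echo "== state-kde after scrub"; cat "$tmp/state-kde"
rm -rf "$tmp"
```

On a real box the scrub belongs in a script named by the greeter-setup-script key in the [SeatDefaults] section of lightdm.conf; lightdm runs that script as root before each greeter start, which is exactly the "pre-trigger" the post asks about. The key name is lightdm's own; the script path is whatever you choose. Note that greeter-hide-users only hides the user list: the KDE greeter's lastLoggedInUser still comes from the cached state file, which is why the scrub is needed separately.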
vaxbrat
Posted: Wed Jun 15, 2016 11:46 pm    Post subject: blasting username

After poking around in the "classic" theme here:

/usr/share/kde4/apps/lightdm-kde-greeter/themes/classic

I found out that I could force the username to be blank by hacking on main.qml. The relevant usernameInput section originally looks like:

Code:
/*PlasmaComponents.*/TextField {
  id: usernameInput;
  placeholderText: i18n("Username");
  text: greeter.lastLoggedInUser   // pre-fills the cached last user
  onAccepted: {
      passwordInput.focus = true;
  }
}


I changed the text from greeter.lastLoggedInUser to

Code:
text: ""


Didn't need to restart lightdm for the change to take effect after I logged out. Focus is on the username field and the blank string has already replaced the "Username" placeholder text above. The "password" placeholder text is still in place.
vaxbrat
Posted: Fri Jun 17, 2016 1:41 am    Post subject: In case anybody does DOD work

Here's a pimped up version of the main.qml file derived from Kubuntu 14.04 which implements a DOD warning banner. Note that this banner is for a defense contractor and not the one used by the US govt itself.

The png file I used for the corporate logo below was 500x85. I've stubbed that section out and left it with the original source: field which gets whatever logo may be present from the theme itself.

It makes you wonder how much money they blew paying the lawyers to generate all that babble.

Code:
/*
This file is part of LightDM-KDE.

Copyright 2011, 2012 David Edmundson <kde@davidedmundson.co.uk>

LightDM-KDE is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

LightDM-KDE is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with LightDM-KDE.  If not, see <http://www.gnu.org/licenses/>.
*/
import QtQuick 1.0
//TODO phase this out
import org.kde.plasma.graphicswidgets 0.1 as PlasmaWidgets
import org.kde.plasma.components 0.1 as PlasmaComponents
import org.kde.qtextracomponents 0.1 as ExtraComponents
import org.kde.plasma.core 0.1 as PlasmaCore

Item {
    width: screenSize.width;
    height: screenSize.height;

    ScreenManager {
        id: screenManager
        delegate: Image {
            // default to keeping aspect ratio
            fillMode: config.readEntry("BackgroundKeepAspectRatio") == false ? Image.Stretch : Image.PreserveAspectCrop;
            //read from config, if there's no entry use plasma theme
            source: config.readEntry("Background") ? config.readEntry("Background"): plasmaTheme.wallpaperPath(Qt.size(width,height));
        }
    }

    Item { //recreate active screen at a sibling level which we can anchor in.
        id: activeScreen
        x: screenManager.activeScreen.x
        y: screenManager.activeScreen.y
        width: screenManager.activeScreen.width
        height: screenManager.activeScreen.height
    }


    Connections {
        target: greeter;
        onShowPrompt: {
            greeter.respond(passwordInput.text);
        }

        onAuthenticationComplete: {
            if(greeter.authenticated) {
                loginAnimation.start();
            }
            else {
                feedbackLabel.text = i18n("Sorry, incorrect password please try again.");
                passwordInput.selectAll()
                passwordInput.forceActiveFocus()
            }
        }
    }

    function login() {
        if (useGuestOption.checked) {
            greeter.authenticateAsGuest();
        } else {
            greeter.authenticate(usernameInput.text);
        }
    }

    function doSessionSync() {
        var session = optionsMenu.currentSession;
        greeter.startSessionSync(session);
    }

    ParallelAnimation {
        id: loginAnimation
        NumberAnimation { target: dialog; property: "opacity"; to: 0; duration: 400; easing.type: Easing.InOutQuad }
        NumberAnimation { target: powerDialog; property: "opacity"; to: 0; duration: 400; easing.type: Easing.InOutQuad }
        onCompleted: doSessionSync()
    }

    PlasmaCore.FrameSvgItem {
        id: dialog;
        imagePath: "widgets/background"
        anchors.centerIn: activeScreen;

        width: childrenRect.width + 55;
        height: childrenRect.height + 55;

        Column {
            spacing: 15
            anchors.centerIn: parent

            Image {
                id: logo
                source: config.readEntry("Logo")
                //source: "/usr/share/pixmaps/logo.png"
                //fillMode: Image.PreserveAspectFit
                //width: 500
                //height: 85
                anchors.horizontalCenter: parent.horizontalCenter
                smooth: true
            }


            PlasmaComponents.Label {
                anchors.horizontalCenter: parent.horizontalCenter;
                id: feedbackLabel;
                font.pointSize: 14
                //text: config.readEntry("GreetMessage").replace("%hostname%", greeter.hostname);
                text: greeter.hostname
            }

            PlasmaComponents.Label {
                anchors.horizontalCenter: parent.horizontalCenter;
                id: riotact_header;
                font.pointSize: 10
                text: "DSS Accredited Non-DoD System Warning Banner"
            }

            PlasmaComponents.Label {
                anchors.left: parent.left;
                id: riotact;
                font.pointSize: 8
                text: "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.

This is a DoD interest computer system. All DoD interest computer systems and related equipment are
intended for the communication, transmission, processing, and storage of official U.S. Government or
other authorized information only. All DoD interest computer systems are subject to monitoring at
all times to ensure proper functioning of equipment and systems including security devices and
systems, to prevent unauthorized use and violations of statutes and security regulations, to deter
criminal activity, and for other similar purposes. Any user of a DoD interest computer system should
be aware that any information placed in the system is subject to monitoring and is not subject to
any expectation of privacy.

If monitoring of this or any other DoD interest computer system reveals possible evidence of
violation of criminal statutes, this evidence and any other related information, including
identification information about the user, may be provided to law enforcement officials. If
monitoring of this or any other DoD interest computer systems reveals violations of security
regulations or unauthorized use, employees who violate security regulations or make unauthorized use
of DoD interest computer systems are subject to appropriate disciplinary action.

Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."
            }


            //if guest checked, replace the normal "user/pass" textboxes with a big login button
            PlasmaComponents.Button {
                visible: useGuestOption.checked
                text: i18n("Log in as guest");
                onClicked: login()
            }

            Row {
                visible: !useGuestOption.checked
                spacing: 10
                width: childrenRect.width
                height: childrenRect.height
               
                Grid {
                    columns: 2
                    spacing: 15
                   
                    ExtraComponents.QIconItem {
                        icon: "meeting-participant"
                        height: usernameInput.height;
                        width: usernameInput.height;
                    }

                    /*PlasmaComponents.*/TextField {
                        id: usernameInput;
                        placeholderText: i18n("Username");
                        //
                        // not with my security ya dont!
                        //text: greeter.lastLoggedInUser
                        //
                        text: ""
                        onAccepted: {
                            passwordInput.focus = true;
                        }
                        width: 160
                       
                        Component.onCompleted: {
                            //if the username field has text, focus the password, else focus the username
                            if (usernameInput.text) {
                                passwordInput.focus = true;
                            } else {
                                usernameInput.focus = true;
                            }
                        }
                        KeyNavigation.tab: passwordInput
                    }

                    ExtraComponents.QIconItem {
                        icon: "object-locked"
                        height: passwordInput.height;
                        width: passwordInput.height;
                    }

                    /*PlasmaComponents.*/TextField {
                        id: passwordInput
                        echoMode: TextInput.Password
                        placeholderText: i18n("Password")
                        onAccepted: {
                            login();
                        }
                        width: 160
                        KeyNavigation.backtab: usernameInput
                        KeyNavigation.tab: loginButton
                    }
                }
               
                /*PlasmaComponents.*/ToolButton {
                    id: loginButton
                    anchors.verticalCenter: parent.verticalCenter
                    iconSource: "go-next"
                    onClicked: {
                        login();
                    }
                    KeyNavigation.backtab: passwordInput
                    KeyNavigation.tab: usernameInput
                }
            }

            Item {
                height: 10
            }
           
            Row {               
                spacing: 8;
                IconButton {
                    icon: "system-shutdown"                   
                    onClicked: {
                        if (powerDialog.opacity == 1) {
                            powerDialog.opacity = 0;
                        } else {
                            powerDialog.opacity = 1;
                        }
                    }
                }

                PlasmaComponents.ContextMenu {
                    id: sessionMenu
                    visualParent: sessionMenuOption
                }

                Repeater {
                    parent: sessionMenu
                    model: sessionsModel
                    delegate : PlasmaComponents.MenuItem {
                        text: model.display
                        checkable: true
                        checked: model.key === optionsMenu.currentSession
                        onClicked : {
                            optionsMenu.currentSession = model.key;
                        }

                        Component.onCompleted: {
                            parent = sessionMenu
                        }
                    }
                    Component.onCompleted: {
                        model.showLastUsedSession = true
                    }
                }

                PlasmaComponents.ContextMenu {
                    id: optionsMenu
                    visualParent: optionsButton
                    //in LightDM  "" means "last user session". whereas NULL is default.
                    property string currentSession: ""
                    PlasmaComponents.MenuItem {
                        id: useGuestOption
                        text: i18n("Log in as guest")
                        checkable: true
                        enabled: greeter.hasGuestAccount
                    }
                    PlasmaComponents.MenuItem {
                        separator: true
                    }

                    PlasmaComponents.MenuItem {
                        text: i18n("Session")
                        id: sessionMenuOption
                        onClicked: sessionMenu.open()
                    }
                }

                IconButton {
                    id: optionsButton
                    icon: "system-log-out"
                    onClicked: {
                        optionsMenu.open();
                    }
                }
            }
        }
    }

    PlasmaCore.FrameSvgItem {
        id: powerDialog
        anchors.top: dialog.bottom
        anchors.topMargin: 3
        anchors.horizontalCenter: activeScreen.horizontalCenter
        imagePath: "translucent/dialogs/background"
        opacity: 0

        Behavior on opacity { PropertyAnimation { duration: 500} }

        width: childrenRect.width + 30;
        height: childrenRect.height + 30;

        Row {
            spacing: 5
            anchors.centerIn: parent

            PlasmaWidgets.IconWidget {
                text: i18n("Suspend")
                icon: QIcon("system-suspend")
                enabled: power.canSuspend;
                onClicked: {power.suspend();}
            }
           
            PlasmaWidgets.IconWidget {
                text: i18n("Hibernate")
                icon: QIcon("system-suspend-hibernate")
                //Hibernate is a special case, lots of distros disable it, so if it's not enabled don't show it
                visible: power.canHibernate;
                onClicked: {power.hibernate();}
            }

            PlasmaWidgets.IconWidget {
                text: i18n("Restart")
                icon: QIcon("system-reboot")
                enabled: power.canRestart;
                onClicked: {power.restart();}
            }
           
            PlasmaWidgets.IconWidget {
                text: i18n("Shutdown")
                icon: QIcon("system-shutdown")
                enabled: power.canShutdown;
                onClicked: {power.shutdown();}
            }     
        }

    }
}