liftoff / GateOne

Gate One is an HTML5-powered terminal emulator and SSH client
http://liftoffsoftware.com/Products/GateOne

Possibility to secure the Webfrontend with .htaccess ?? #100

Closed cutzenfriend closed 12 years ago

cutzenfriend commented 12 years ago

Hi, 2 friends and I wanted to try your gateone... It runs OK so far, but this installation is accessible online and should only be used by me and 4 friends of mine. So I thought: is it anyhow possible to just secure the web frontend with .htaccess or something similar?

greets

liftoff commented 12 years ago

> On Wed, Apr 4, 2012 at 10:04 AM, domenikniemietz <reply@reply.github.com> wrote:
>
> Hi, 2 friends and I wanted to try your gateone... It runs OK so far, but this installation is accessible online and should only be used by me and 4 friends of mine. So I thought: is it anyhow possible to just secure the web frontend with .htaccess or something similar?
>
> greets

I plan to eventually add access control and authorization capabilities to Gate One, but in the meantime you can accomplish what you want by using PAM authentication. Just "useradd" the accounts you want to have access and set 'auth = "pam"' in your server.conf. Gate One doesn't care about the user's shell, so it could be /bin/false if you like.

Using PAM, only those users that have accounts in /etc/passwd (or whatever you have nsswitch.conf configured to use) will have access to your Gate One server.

For reference, I have "ACLs" in the roadmap for Gate One 2.0. No idea when it will be out :)

Dan McDougall - Chief Executive Officer and Developer, Liftoff Software

cutzenfriend commented 12 years ago

Thanks for your fast answer. I just tried that with auth = "pam"

and now every time I try to open the web frontend on my PC it always reloads itself. It does not ask for username and password!

Here is the log:

```
[I 120404 18:18:57 web:1393] 302 GET / (...) 0.44ms
[I 120404 18:18:57 gateone:943] WebSocket closed (ANONYMOUS).
[I 120404 18:18:57 web:1393] 302 GET /auth?next=%2F (...) 0.73ms
[I 120404 18:18:57 web:1393] 200 GET / (...) 1.73ms
[I 120404 18:18:57 web:1393] 304 GET /static/gateone.css (...) 0.44ms
[I 120404 18:18:57 web:1393] 304 GET /static/gateone.js (...) 0.47ms
[I 120404 18:18:57 web:1393] 304 GET /style?theme=black&container=gateone&prefix=go (79.218.188.103) 6.41ms
[I 120404 18:18:57 web:1393] 304 GET /style?colors=default&container=gateone&prefix=go (79.218.188.103) 5.21ms
[I 120404 18:18:57 web:1393] 304 GET /combinedjs (...) 1.37ms
[I 120404 18:18:58 web:1393] 200 GET /auth?check=True (..._) 0.41ms
[I 120404 18:18:58 gateone:880] WebSocket opened (ANONYMOUS).
[E 120404 18:18:59 gateone:977] Unauthenticated WebSocket attempt.
```

Here are my configs:

/etc/nsswitch.conf

```
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```


server.conf

```
sso_service = "HTTP"
locale = "de_DE"
https_redirect = True
pam_service = "login"
syslog_facility = "daemon"
disable_ssl = False
session_logging = True
syslog_host = None
cookie_secret = "YWFlMzdkOTVjZGJhNGJlNDk5YTRmZTZiN2ZhMGM2ZjMwZ"
syslog_sessionlogging = False
address = "****.DOMAIN"
auth = "pam"
port = 4433
url_prefix = "/"
user_dir = "/opt/gateone/users"
log_file_num_backups = 10
logging = "info"
dtach = True
certificate = "certificate.pem"
command = "/opt/gateone/plugins/ssh/scripts/ssh_connect.py -S '/tmp/gateone/%SESSION%/%SHORT_SOCKET%' --sshfp -a '-oUserKnownHostsFile=%USERDIR%/%$
log_to_stderr = False
session_timeout = "5d"
log_file_max_size = 104857600
session_dir = "/tmp/gateone"
sso_realm = None
embedded = False
keyfile = "keyfile.pem"
debug = False
js_init = ""
log_file_prefix = "/opt/gateone/logs/webserver.log"
pamrealm = "****.DOMAIN"
```


/etc/ldap/ldap.conf

```
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://ldap.example.com ldap://ldap-master.example.com:666

SIZELIMIT       12
TIMELIMIT       15
DEREF           never
```


/etc/pam.d/login

```
auth       optional   pam_faildelay.so  delay=3000000
auth       required   pam_issue.so issue=/etc/issue
auth       [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth       requisite  pam_nologin.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required   pam_env.so readenv=1
session    required   pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth       optional   pam_group.so
session    required   pam_limits.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard
@include common-account
@include common-session
@include common-password
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
```

Please help.

liftoff commented 12 years ago

I think your problem might be with your cookie: It has the credentials from whatever you were using before you changed auth types. Just delete all cookies associated with your Gate One URL and it should ask you for your password after that.

NOTE: It should automatically delete your cookie for you when you change auth types like that... What browser is this? Also, what auth type were you using before you switched it to PAM?

cutzenfriend commented 12 years ago

I am using Chrome on MacOS. I tried deleting the cookies and also tried another browser; same problem...

Before, I used auth type none just to test...

liftoff commented 12 years ago

This line:

WebSocket opened (ANONYMOUS)

...says that Gate One still thinks your username is ANONYMOUS. Can you paste the logs from when you connected using the other browser?

Also, is there anything in your browser's JavaScript console (Gate One sends logs there too)?

liftoff commented 12 years ago

Have you made any progress with this? If I don't hear back from you soon I'm going to close out this ticket.

liftoff commented 12 years ago

I just pushed a commit that should fix running Gate One on Macs. Also, it is possible to restrict access to Gate One to a very specific subset of individuals by configuring Gate One to use PAM (with its own pam_service) and then configuring PAM to use the pam_userdb module.

Please try out the latest code and let me know how it goes. Thanks!
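The PAM-based restriction the maintainer describes above (auth = "pam" with a dedicated pam_service, and pam_userdb to limit logins to a fixed allow-list) carried through as an added example; this is not Gate One's own code. It assumes pam_userdb.so and db_load (Debian/Ubuntu package db-util) are installed, that openssl is available for crypt(3) hashes, and that server.conf is set to pam_service = "gateone"; the sample users are constructed.

```shell
#!/bin/sh
# Added example: allow-list Gate One users with PAM + pam_userdb.
# Assumptions (not from the issue): pam_userdb.so, db_load and openssl are
# installed, and server.conf carries  auth = "pam"  and  pam_service = "gateone".
set -eu

# Emit the text db_load -T expects: the user name on one line and that
# user's crypt(3) hash on the next.  Arguments are "user:hash" pairs.
userdb_input() {
    for entry in "$@"; do
        printf '%s\n%s\n' "${entry%%:*}" "${entry#*:}"
    done
}

# SHA-512 crypt(3) hash of a password.  pam_userdb with crypt=crypt runs
# crypt() on the supplied password using the stored hash as salt and compares.
crypt_hash() {
    openssl passwd -6 "$1"
}

# PAM stack for the Gate One service: authentication succeeds only for users
# present in the database.  Everyone else (including valid /etc/passwd
# accounts) is rejected, which is the allow-list behaviour asked for above.
# $1 is the database path WITHOUT the .db suffix, as pam_userdb requires.
pam_service_file() {
    cat <<EOF
# /etc/pam.d/gateone  (added example)
auth     required  pam_userdb.so db=$1 crypt=crypt
account  required  pam_permit.so
EOF
}

# Build "$1.db" from "user:hash" pairs.  The file holds password hashes, so it
# is readable by root and the group Gate One runs as, nobody else.
build_userdb() {
    db="$1"; shift
    userdb_input "$@" | db_load -T -t hash "$db.db"
    chmod 0640 "$db.db"
}

# Full installation (run as root), with constructed users and passwords:
#   build_userdb /etc/gateone/users \
#       "alice:$(crypt_hash 'alice-pass')" "bob:$(crypt_hash 'bob-pass')"
#   pam_service_file /etc/gateone/users > /etc/pam.d/gateone
```

Test a user against the new service with pamtester (`pamtester gateone alice authenticate`) before pointing Gate One at it, so a mistake in the stack cannot lock you out or, worse, let everyone in.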

liftoff commented 12 years ago

Since I haven't heard back from you I'm going to go ahead and close this ticket. Feel free to reopen it if you're still having issues.

dan-r commented 12 years ago

I am also having this problem running on Ubuntu 12.04

liftoff commented 12 years ago

@deejay31 what problem are you having? There were several reported in this issue. Please open up a new issue to report your problem. Thanks