Up until recently, I only ever worked on the server end of things — almost exclusively UNIX- or Linux-based (though, the past decade has been almost exclusively Linux). This meant that all I really had to worry about was ensuring a suitable "/etc/issue file was in place and that any interactive login services (mostly SSH; occasionally FTP) were configured to reference that file."
Any GUI-dependent developers that my customers might have had did all of their development work on Windows boxes or specially-prepared Linux desktops. In either case, they were using on-premises desktops that I didn't have to worry about.
With COVID19 and the mass adoption of telework, those carefully-prepared development desktops are sitting disused at my customers offices. Developers have been forced to work remote. As such, we've been asked, as part of our "enablement" mandate, to help these newly-remote developers set up cloud-hosted development-systems. A significant percentage of these developers rely on graphical tools. While most — if not all — of these graphical tools would be usable as individually-launched applications with their X11 tunneled through SSH back to the workstations they're using, that hasn't been enough for some of them:
- Many don't have X11 servers installed on their laptops
- I usually like to point BYOD Windows users to Cygwin/X, MobaXterm, Xming, VcXsrv and the corporate-issued Windows users to contact their employers and ask that they add any one of the commercial Xserver offerings to their laptops
- Though, given the number of Macintosh users in their ranks, they have Xservers, but it seems like they don't quite understand that fact:
In either case, most don't seem to understand that the "easy button" solution is to add:
To their ${HOME}/.ssh/config files. And that doing so allows them to SSH to their development-host and, by executing <GRAPHICAL_UTILITY> on the remote server, it will cause the utility to magically appear on their laptop.Host * ForwardAgent true
- Even once you show them the magic of X11 forwarding, many will whine "I don't want to have to have a terminal open just to executed programs, I want the entire remote desktop so I can just use the launchers."
Our standard AMIs are RHEL- and CentOS-based have little more on them than the @Core RPM-group. The AMIs also have boot-EBSes that are as small as we could make them and meet the server security-requirements that require the AMIs to be carved up into partitions. These initially led to several common questions:
- "Can you create new AMIs that have enough room for us to install the Gnome desktop onto"; and
- "Can you create an AMI with the Gnome-desktop preinstalled".
Unfortunately, with the sudden proliferation of people building themselves graphical, our various customers' security assessors have taken notice. That means that our (headless) server-oriented automated-hardening tools are not accounting for the now Gnome-enabled desktops. By itself, not a problem, but different assessors have different demands around banners.
For some assessors, simply painting the contents of /etc/issue on the Gnome login screen's root window is sufficient. Fortunately, the Gnome project provides instructions that are also somewhere in the neighborhood of "dead-easy to do". Once done, you have a login screen that looks something like:
Unfortunately, some assessors insist that your consent banner must be a pop-up that is displayed prior to the would-be-user being allowed to enter their username or password. Meeting this requirement is a skosh more-involved. Instead of doing the above Gnome mods, one needs to do:
- Move the existing /etc/gdm/Init/Default file contents aside (e.g., `mv /etc/gdm/Init/Default{,-DIST}`)
- Install a new /etc/gdm/Init/Default file with contents similar to:
Which uses Zenity to create a create a dialogue-box from the /etc/issue file./usr/bin/zenity --text-info --width=700 --height=300 \ --title="Security Message" --filename=/etc/issue
- Restart the GDM service (e.g., `systemctl restart gdm`)
If you want something marginally fancier, you can install `yad` (from EPEL). If using `yad`, changing your /etc/gdm/Init/Default contents to something like:
/usr/bin/yad \ --center \ --buttons-layout=center \ --button=OK:0 \ --no-escape \ --fontname="Monospace Regular 10" \ --fore tomato4 \ --text-info \ --width=700 \ --height=300 \ --wrap \ --title="Security Message" \ --filename=/etc/issue
Will produce a screen like:
Primary differences being ability to set the text-color and get rid of the extraneous "Cancel" button (and center the "Ok" button).
Thanks Thomas
ReplyDeleteWe've been doing the non-popup method for quite a while. Thanks for posting this.