[SOLVED] Need to exclude root from logging into KDE via VNC

mfoley · 10-17-2016, 10:14 PM

Hopefully this is simple. I have x11vnc running as a daemon in my Slackware64 14.2 system. The desktop is KDE and the greeter is lightdm. I'd like to prevent root from being able to log in via VNC (i.e. remotely). Can I do that? If necessary, I can exclude root from the KDE desktop altogether, but it would be best if I could just exclude remote VNC desktop sessions.

GazL · 10-19-2016, 08:25 AM

Can't speak for lightdm, but as no-one else has posted: xdm has a "xlogin.Login.allowRootLogin" resource you can set true/false. Perhaps lightdm has something equivalent.

mfoley · 10-22-2016, 12:48 AM

GazL: Thanks for making the effort. To everyone else, hey! I thought this Slackware forum was the GoTo spot for things KDE!?

I found the answer for KDE: In the file /etc/kde/kdm/kdmrc, set: AllowRootLogin=false

However, this didn't work for me even after restarting init level 4. Perhaps it requires a reboot? I'm not in a position to test that yet.

I'm thinking that won't work either because it's lightdm that does the logging in.

I'll experiment more and report back.

HermanAB · 10-22-2016, 03:16 AM

There are various ways - i.e. use sudo and delete the root password.

kjhambrick · 10-22-2016, 04:58 AM

Quote:

Originally Posted by mfoley

GazL: Thanks for making the effort. To everyone else, hey! I thought this Slackware forum was the GoTo spot for things KDE!?

I found the answer for KDE: In the file /etc/kde/kdm/kdmrc, set: AllowRootLogin=false

However, this didn't work for me even after restarting init level 4. Perhaps it requires a reboot? I'm not in a position to test that yet.

I'm thinking that won't work either because it's lightdm that does the logging in.

I'll experiment more and report back.

mfoley --

Maybe try the same in /usr/share/config/kdm/kdmrc ?

HTH

-- kjh

Code:

# less /usr/share/config/kdm/kdmrc
:
<<snip>>
# Allow root logins?
# Default is true
AllowRootLogin=true
<<snap>>
:

kjhambrick · 10-22-2016, 05:08 AM

Oops. you're running lightdm, not kdm.

Since this may be for your PAM-on-Slackware endeavor and if you have an /etc/pam.d/lightdm config, maybe the last post on this thread in the Debian Forum will work for you ?

-- kjh

GazL · 10-22-2016, 05:26 AM

I had a quick google and couldn't see anything similar to the options that kdm/xdm provide in lightdm.

Short of doing something hackish like the following at the start of the session-startup script I'm not sure what you could do (note: this is not ideal as it will happen post-authentication).
[ "$(/usr/bin/id -u)" = '0' ] && exit 0

Alternatively, you could just choose to use a more functional display manager...

kjhambrick · 10-23-2016, 08:30 AM

mfoley --

If this is for your ivandi-PAM-enabled version of Slackware AND you're using tigervnc from the Slackware64-14.2/extra/ directory ...

If not, never mind

If so, you MIGHT be able to rebuild tigervnc to include PAM support by applying the patch below my sig to the Slackware tigervnc.SlackBuild script.

With that, you'll need an /etc/pam.d/tigervnc file which is which is one place that you could disable root logins via vnc ...

I also see that tigervnc 1.7.0 is available and it is natively compatible with xorg 1.18 so as long as you're rebuilding tigervnc you might want to try the latest, maybe after you've got a fresh build of tigervnc-1.6.0 ...

But then again, Slackware includes a 'buncha' patches with 1.18 in the name, so maybe not

-- kjh

These are the Patches for tigervnc 1.60 on Slackware64-14.2:

Code:

# pwd

/home/dld/slackware/slackware-14.2-64/extra/source/tigervnc

# ls -la patches

total 32
drwxr-xr-x 2 4015 4015 4096 Nov 12  2015 .
drwxr-xr-x 4 4015 4015 4096 Nov  7  2015 ..
-rw-r--r-- 1 4015 4015 5108 Nov 12  2015 tigervnc-xorg118-QueueKeyboardEvents.patch
-rw-r--r-- 1 4015 4015  509 Nov 12  2015 tigervnc.support.xorg.118.patch
-rw-r--r-- 1 4015 4015  330 Apr 11  2015 tigervnc13_link_png.patch
-rw-r--r-- 1 4015 4015 5356 Jul 11  2015 xserver118.patch

This is a unified diff where I turned on PAM for the Slackware 14.2 tigervnc.SlackBuild

Code:

--- /tmp/tigervnc.SlackBuild.orig       2016-04-05 20:45:45.000000000 -0500
+++ /tmp/tigervnc.SlackBuild    2016-10-23 08:10:56.945636566 -0500
@@ -204,7 +204,9 @@
 sed -e 's,set(MAN_DIR "${DATA_DIR}/man"),set(MAN_DIR "${MAN_INSTALL_DIR}"),' \
     -e 's,set(DOC_DIR "${CMAKE_INSTALL_PREFIX}/share/,set(DOC_DIR "${CMAKE_INSTALL_PREFIX}/,' \
     -i CMakeLists.txt
-
+#
+# kjh turned on -DENABLE_PAM for ivandi-PAM-enabled Slackware64-14.2
+#
 mkdir -p build
 cd build
   echo -e "\n*** Building vnc client ***\n"
@@ -217,7 +219,7 @@
     -DMAN_INSTALL_DIR=/usr/man \
     -DSYSCONF_INSTALL_DIR=/etc \
     -DLIB_SUFFIX=${LIBDIRSUFFIX} \
-    -DENABLE_PAM:BOOL=OFF \
+    -DENABLE_PAM:BOOL=ON \
     -DBUILD_JAVA:BOOL=${CMAKE_JAVA} \
     ..
   make V=1 $NUMJOBS || make || exit 1

mfoley · 10-23-2016, 11:21 AM

Quote:

Originally Posted by kjhambrick

Oops. you're running lightdm, not kdm.

Since this may be for your PAM-on-Slackware endeavor and if you have an /etc/pam.d/lightdm config, maybe the last post on this thread in the Debian Forum will work for you ?

-- kjh

Yes, I'm using the Ivandi PAM-enabled lightdm. The solution on that link worked, which is to put the following line in /etc/pam.d/lightdm:

auth required pam_succeed_if.so user != root quiet

I'm currently using x11vnc, not tigervnc, but your idea is worth investigating. However, in the configuration I'm using, the user only has ONE login to deal with -- the VNC server does not do additional interactive authentication. Still, your procedure on that is worth keeping.