Recently I helped some friends set up a slightly more secure way to do home banking than running it in your default Web browser. In a nutshell, you set up a dedicated user under GNU/Linux. This user is then used only to run a Web browser dedicated solely to home banking. Through ssh you can start it from your default user.

First of all, open a terminal and run adduser homebanking to add the new user. Afterwards just enter a password and confirm it.

Switch to the newly created user with su homebanking and type cd to go to the user's home directory.

Create a new directory for ssh with mkdir .ssh.

Then create the file .ssh/authorized_keys and paste into it the content of your own user's public SSH key (often .ssh/id_rsa.pub).

Switch back to your local user and create a small shortcut with sudo vi /usr/local/bin/homebanking-browser, with the content:

#!/bin/bash
ssh -fX homebanking@vita chromium

You have to make it executable with chmod u+x /usr/local/bin/homebanking-browser.

The first time you run homebanking-browser, you should do it from a terminal, as you will be asked to approve the SSH key.

That is it. As some friends use Gnome, and I first had to figure out how to add it to the applications menu, here are those steps as well: Go to the applications folder with cd /usr/share/applications/ and create a file with sudo vi homebanking-browser.desktop, with the following content:

[Desktop Entry]
Name=Homebanking-Browser
GenericName=Browser for Homebanking
Comment=Use this browser to do your bank transfers
Exec=/usr/local/bin/homebanking-browser
Icon=terminal
Terminal=false
Type=Application
Categories=Office;
StartupNotify=true

Once logged out of Gnome and in again, you should be able to run homebanking-browser from your application launcher.

If you know about better solutions which work under all GNU/Linux distributions, please let me know.


Update 2016-12-17: On systems with systemd, you have to make sure to enable the sshd.service and to have X11Forwarding yes in your sshd config. I also made sure in the config that username + password login is not possible by setting PasswordAuthentication and UsePAM both to no.
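
The three settings from the update can be checked against a config file with a short script. This is an added example, not part of the original post: the function names effective_value and audit_sshd are hypothetical and the sample config is constructed. It assumes only the global section matters, so it does not evaluate Match blocks or follow Include files.

```sh
#!/bin/sh
# Added example (not from the original post): function names are hypothetical.
# sshd uses the FIRST value it obtains for a keyword, and keywords are
# case-insensitive. Only the global section is read: parsing stops at the
# first Match block, and Include files are not followed.

# effective_value FILE KEYWORD -> first global value in lowercase, or "unset"
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match"   { exit }        # end of the global section
        tolower($1) == want      { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd FILE -> one line per setting; returns 1 if any differs
audit_sshd() {
    rc=0
    for pair in x11forwarding:yes passwordauthentication:no usepam:no; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '$got', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: "PasswordAuthentication no" was appended at the end,
# but an earlier line already set it to yes, so the later one has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
X11Forwarding yes
PasswordAuthentication yes
UsePAM no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "config differs from the settings in the update"
rm -f "$sample"
```

On a live system, sshd -T run as root prints the configuration sshd actually uses and is the authoritative check.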