Re: [CentOS] How to disable screen locking system-wide?

[Dr. Ed Morbius]

on 13:11 Fri 21 Jan, Michael Gliwinski (michael.gliwin...@henderson-group.com) 
wrote:
 On Thursday 20 Jan 2011 22:26:08 Bob Eastbrook wrote:
  On Wed, Jan 19, 2011 at 12:18 PM,  m.r...@5-cent.us wrote:
   But the locked screensaver wants the *same* password that you log in
   with. I'm having trouble understanding the problem... or is it that many
   of the users *never* log out?
  
  Yes, users will sign onto a workstation, and then disappear somewhere
  in the building.  They usually forget that they're logged on, which
  means the workstation is unusable by anyone else for several days.
  
  Restarting the X server is one solution, but it will kill any running jobs.
 
 I'm not sure about GNOME or if that's available in version currently shipped 
 in CentOS but in KDE the screensaver allows you to switch user, i.e. leave 
 the 
 currently logged on user's session running and start a new one for another 
 user.  That seems like a better solution if possible, no?

Or, so long as your graphics card doesn't kill console access, go old
school:

 - Switch to console.
 - Log into console.
 - Launch X.

The problem here is the hanging console session, which you should kill.

Better:  Institute a policy that abandoned desktop sessions are fair
game to be killed.  As with hot stoves and children, the lesson would be
learned after a few experiences.

Systems work should be handled remotely via ssh (or VNC), within screen
session, or via cronjobs. 

Another useful feature would be to have an auto-logoff set after a
certain amount of inactivity.  This doesn't seem to be available within
GNOME, so you'd probably have to homebrew it.

-- 
Dr. Ed Morbius
Chief Scientist
Krell Power Systems Unlimited
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Sorin Srbu]

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Joshua Baker-LePain
Sent: Thursday, January 20, 2011 4:49 PM
To: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?

I was going to leave this alone, but I feel this lowers to the level of
personal attacks and I'd like to address that.  Yes, my response was a bit
glib (and tongue-in-cheek, which obviously didn't come across correctly).

But that doesn't mean that the reasoning behind it isn't valid in some
situations, and it certainly doesn't make me arrogant or unprofessional.
As others have pointed out, there are industries and workplaces where any
unlocked, unattended workstation is a major security risk.  Please don't
assume that your use case is everybody else's.  And please keep it
civil.

Suddenly came to think of Mordac, the IT-preventer in the Dilbert strip. ;-)

One a more serious note, personally, if I run across an unlocked workstation 
and there's nobody around, I take a few seconds to start up Notepad (if 
Windows) or OpenOffice (if linux) and type in a message like If I'd been a 
bad guy, your data would all have been gone and your homepage been set to 
www.bestialporn.com. //Your friendly Sysadmin in real big letters, and then 
maximize the window, and lastly activated the (password-protected) 
screensaver, before I walked away.

I've done this a few times over the years, and the message has usually been 
acknowledged and accepted with no questions asked.

No need to restart any machines; that's just mean. Although I have been 
dreaming about doing that... ;-)
-- 
/Sorin


smime.p7s
Description: S/MIME cryptographic signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Sorin Srbu]

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Mike McCarty
Sent: Thursday, January 20, 2011 9:08 PM
To: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?

OTOH, I have cats :-)

Funny you should mention that. One of my cockatiels once almost managed to
delete a file for me at home, wandering and pecking on the keyboard. Beats
me how he managed... Since then I always lock the screen when leaving the
computer and the birds are out in the room. Saving yourself some
aggravation... Kinda'...

-- 
/Sorin


smime.p7s
Description: S/MIME cryptographic signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Tom H]

On Thu, Jan 20, 2011 at 11:52 AM, Rudi Ahlers r...@softdux.com wrote:
 On Thu, Jan 20, 2011 at 6:44 PM, Tom H tomh0...@gmail.com wrote:

 You clearly work in an insecure environment.

 By who's definition? The fact that you're PC is connected to the
 internet place you in the same environment :)

Yes, we've all heard the joke that the only secure computer is one
that is turned off. But my comment was not meant as a joke.

By insecure, I mean that you don't mind that employee masquerades as
another on your company's network. You therefore have no security and
no accountability.


 No one should have access to anyone else's login. I have no admin
 privileges over my desktop. If I need something installed or
 uninstalled, I have to ask the Windows desktop support team who'll
 access my box remotely after I accept their request to a access my box
 in a popup on my screen. Of course, the Windows server support team
 can access my roaming profile on their boxes but (I presume since this
 is what we do and I don't know any of them to ask them) they'd have to
 justify that access.

 Yes, IT staff on a Windows Domain can access everyone's accounts,
 without their passwords or consent. Does it make it more secure? Yes.
 And No. IT staff can go rouge as well, just bear that in mind. Reminds
 me of a previous company I used to work for many years ago.

 Some of the IT admin scanned all incoming mail, especially if they
 contained any attachments. They casually copied whatever attachments
 they wanted to their own desktops, which was more often move clips,
 cracked games, music, pr0n, etc.
 Do you think management knew about this? Nope.

 Is it less safe than your environment? Really? Can you honestly tell
 me this doesn't happen in your company?

You're confusing, as you have throughout this thread, an employee
assuming someone's logon/identity on the network with an administrator
accessing data on the servers that they manage.

No one can or should be able to logon to the network with someone
else's credentials.

We have, AFAIK, two security teams that go through server logs and
support tickets to reconcile them and to check that we aren't logging
to boxes that we aren't supposed to have logged on to, checking
whether we used su or sudo for a valid reason, and what we commands
we've run while logged on. So we can't just go through data,
confidential or otherwise, out of curiosity or with some bad
intentions.

So, no, there's no such activity on our network. Eleven years ago, I
worked at a firm where the Exchange admins used to copy all the
attachments that dealers and brokers received and burn DVDs for
themselves, their friends, and for sale (!) with any porn-related
files. There's no way that this is still happening.


 There's absolutely no reason to access a PC of a staff member who is
 busy, that's terrible practice; and there's absolutely no way that
 anyone should know anyone else's password (a punishable violation of
 IT policy in our environment).

 True, and that's not what I said either.

 Both the OP and I am trying to say that sometimes you need to get onto
 a PC when the user is not actually there.

So why would you not want them to have password-locked screensavers.

You either want to access that employees account or you want to access
data on that computer by switching users. I've already covered the
former and the latter simply shows that you're keeping data locally
rather than on a server; not a good practice either...


 IF, on the other hand I worked at a financial institution or something
 like that then the security would have been more strict. I don't see
 the need for it in our office.

I worked a few years ago, in between finance jobs, at a publisher who
had similar rules. This is a standard for any properly-run IT
department.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Tom H]

On Thu, Jan 20, 2011 at 12:45 PM, Giles Coochey gi...@coochey.net wrote:

 And in those nine years you claim to have had at least one major security
 incident.
 It beggars my belief
 You now publicly declare that your company not just advocates the sharing of
 passwords, but certainly encourages it, if not make it compulsory.
 If you were to have another security incident you would probably be hard
 pressed to be able to point the finger at anyone, especially as your lax
 security procedures are now public knowledge.

 Troll?

I don't think that he's a troll; he's posted many times here in the
past. He's probably never worked in a properly-structured environment
and he'll change his mind the day that some servers are killed,
intentionally or not, and admins'll point fingers at each other
because everyone can logon as everyone else.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Nico Kadel-Garcia]

On Thu, Jan 20, 2011 at 5:53 PM, Ross Walker rswwal...@gmail.com wrote:
 On Thu, Jan 20, 2011 at 12:03 PM,  m.r...@5-cent.us wrote:

 I can beat that: I read, a month or so ago, how a bunch of elementary
 school kids discovered that wet Gummi Bears would hold a fingerprint,
 *and* (they didn't understand this) have more or less the same electrical
 conductivity

 Fortunately I don't go sticking my fingers in wet gummy bears, so that
 risk is mitigated!

 While finger prints can be faked, it often requires access to the
 finger to fake. I haven't heard of someone lifting a latent oil print
 and creating a fake out of that. I'm sure with enough ingenuity it can
 be done. Then again if someone is that intent on accessing your data,
 well I'm sure they could figure another way as well...

Nope.

I found this link in a reference from 2002, and have seen nothing to
indicate any significant improvement of fingerprint scanners to ignore
gelatin based fake fingerprints, overlaid on a living person's finger
to fool the electrostatic or thermal sensors of some sensors, and and
with the fingeprints transferred from a Xerox of a police or other
official fingerprint.

http://www.schneier.com/crypto-gram-0205.html

This has me laughing my tail off at the insistence on including
fingerprint authorization as a default in RHEL 6, and the difficulty
of extracting the daemons and utilities from the base image. Too many
scattered RPM dependencies for other utilities. It's actually now a
default enabled feature in anaconda for kickstart installations.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Rajagopal Swaminathan]

Greetings,

On 1/21/11, JohnS jse...@gmail.com wrote:

 On Thu, 2011-01-20 at 20:13 -0600, Mike McCarty wrote:


 This is on software which ran as POS stuff.



hmm... how about a vlock -a (or inverse thereof) wrapper?

Regards,

Rajagopal
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Michael Gliwinski]

On Thursday 20 Jan 2011 22:26:08 Bob Eastbrook wrote:
 On Wed, Jan 19, 2011 at 12:18 PM,  m.r...@5-cent.us wrote:
  But the locked screensaver wants the *same* password that you log in
  with. I'm having trouble understanding the problem... or is it that many
  of the users *never* log out?
 
 Yes, users will sign onto a workstation, and then disappear somewhere
 in the building.  They usually forget that they're logged on, which
 means the workstation is unusable by anyone else for several days.
 
 Restarting the X server is one solution, but it will kill any running jobs.

I'm not sure about GNOME or if that's available in version currently shipped 
in CentOS but in KDE the screensaver allows you to switch user, i.e. leave the 
currently logged on user's session running and start a new one for another 
user.  That seems like a better solution if possible, no?


-- 
Michael Gliwinski
Henderson Group Information Services
9-11 Hightown Avenue, Newtownabby, BT36 4RT
Phone: 028 9034 3319

**
The information in this email is confidential and may be legally privileged.  
It is intended solely for the addressee and access to the email by anyone else 
is unauthorised.
If you are not the intended recipient, any disclosure, copying, distribution or 
any action taken or omitted to be taken in reliance on it, is prohibited and 
may be unlawful.
When addressed to our clients, any opinions or advice contained in this e-mail 
are subject to the terms and conditions expressed  in the governing client 
engagement leter or contract.
If you have received this email in error please notify 
supp...@henderson-group.com

John Henderson (Holdings) Ltd
Registered office: 9 Hightown Avenue, Mallusk, County Antrim, Northern Ireland, 
BT36 4RT.
Registered in Northern Ireland
Registration Number NI010588
Vat No.: 814 6399 12
*

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Lamar Owen]

On Thursday, January 20, 2011 05:53:14 pm Ross Walker wrote:
  I haven't heard of someone lifting a latent oil print
 and creating a fake out of that. I'm sure with enough ingenuity it can
 be done. 

Let me repeat: that is exactly what MythBusters did in the episode I 
referenced, 'Crime and Mythdemeanors 2' which aired a few years ago.  The print 
was Grant's, and it was lifted from a CD case, duplicated into ballistics gel 
using a partially obscured process that included PC board etching and print 
cleanup in a graphics editor, and successfully opened the fingerprint door lock 
(as well as logging in to a PC).  The narrator in the episode did state that 
one critical part of the process was omitted to keep that episode from being a 
HOWTO, but it probably wouldn't take a rocket scientist to figure it out.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

Rajagopal Swaminathan wrote:
 Greetings,
 
 On 1/21/11, JohnS jse...@gmail.com wrote:
 On Thu, 2011-01-20 at 20:13 -0600, Mike McCarty wrote:

 This is on software which ran as POS stuff.
 
 
 hmm... how about a vlock -a (or inverse thereof) wrapper?

We wanted to log the user out of the POS application, not
lock out of the machine. That also doesn't address overwriting
of sensitive material in RAM. Also, it was with SCO, not
Linux. It should really be thought of more as an embedded
application. Upon boot up, the first thing run was the app,
and that occurred automatically. The users were not computer
savvy. In fact, the ones who thought they had some savvy
were the ones causing most of the problems, by messing
up the configuration.

One guy liked to rename directories to suit his fancy.

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Sorin Srbu]

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Joshua Baker-LePain
Sent: Wednesday, January 19, 2011 8:47 PM
To: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.

Ctrl-Alt-Bksp will fix that right up.  I'm not a big fan of users leaving
workstations unsecured when they walk away.


Wouldn't that kill any programs, or whatever, the user has running?

-- 
/Sorin


smime.p7s
Description: S/MIME cryptographic signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Rudi Ahlers]

On Thu, Jan 20, 2011 at 10:34 AM, Sorin Srbu sorin.s...@orgfarm.uu.se wrote:
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Joshua Baker-LePain
Sent: Wednesday, January 19, 2011 8:47 PM
To: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.

Ctrl-Alt-Bksp will fix that right up.  I'm not a big fan of users leaving
workstations unsecured when they walk away.


 Wouldn't that kill any programs, or whatever, the user has running?


Yup, and it totally defeats the purpose of what the OP actually wanted
todo. Imagine your account being busy with your year-end books, and
has to run to the toilet (she is a bit sick) now you come and press
CTRL+ALT+Bksp and loose everything she's done. And, if she had a lot
of invoices and statements already processed then she may need to redo
it. Now, how do you explain to your boss that you just cost him
another day with an expensive accountant because you're too ignorant
to properly address the issue?




-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Rudi Ahlers]

On Wed, Jan 19, 2011 at 10:35 PM, Keith Keller
kkel...@wombat.san-francisco.ca.us wrote:


 For the OP: what's the goal behind preventing an X session from locking?
 Perhaps there is a more elegant solution than simply disabling it.

 --keith

 --
 kkel...@wombat.san-francisco.ca.us



It probably depends on his environment. If it's an office where people
actually work for money and need to address client issues then I'm
sure your colleagues won't be please if you make them loose all their
work just to be an arrogant IT manager who wants to prove a point.

I don't know about you, but a user leaving his desk (for any purpose,
other than going home) doesn't cause a security risk. I trust all our
staff, and when Andrew goes on lunch I expect him to leave his PC
unlocked.
1. It's our property and he should have any personal stuff on there,
as per our NDA, that could cause problem.
2. If a client, which Andrew was busy with phones in, I or one of the
other staff members would need access to that work.

So, in such a  case I do think the OP has a valid question and it
could be addressed more professionally than to restart X, or even the
PC just to prove a point.

P.S. And I don't know the answer either.


-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Sorin Srbu]

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Rudi Ahlers
Sent: Thursday, January 20, 2011 9:55 AM
To: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.

Ctrl-Alt-Bksp will fix that right up.  I'm not a big fan of users leaving
workstations unsecured when they walk away.


 Wouldn't that kill any programs, or whatever, the user has running?


Yup, and it totally defeats the purpose of what the OP actually wanted
todo. Imagine your account being busy with your year-end books, and
has to run to the toilet (she is a bit sick) now you come and press
CTRL+ALT+Bksp and loose everything she's done. And, if she had a lot
of invoices and statements already processed then she may need to redo
it. Now, how do you explain to your boss that you just cost him
another day with an expensive accountant because you're too ignorant
to properly address the issue?

Yeah, that's exactly what I was getting to. 8-)

Actually, I'd be interested in an answer to the OP's question too. So far
I've always used a somewhat crude method to kill a users screen-saver to be
able to get to the desktop...

Disabling the screen-saver's password-protection globally, while still
keeping the screen-saver on and working, would be pretty nifty. We use
mostly Gnome, and KDE here and there. Is this possible to do in either?

-- 
/Sorin


smime.p7s
Description: S/MIME cryptographic signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[John Hodrien]

On Thu, 20 Jan 2011, Rudi Ahlers wrote:

 I don't know about you, but a user leaving his desk (for any purpose,
 other than going home) doesn't cause a security risk. I trust all our
 staff, and when Andrew goes on lunch I expect him to leave his PC
 unlocked.

I think I see things differently.  Allowing others to access your account *is*
a security risk.  It potentially opens confidential data open to other people,
and leaves that specific user open to abuse through people using their
machine.  You might as well just pin your passwords on the notice board and be
done.  After all, you trust all your staff.

 2. If a client, which Andrew was busy with phones in, I or one of the
 other staff members would need access to that work.

That's a data storage issue.  Appropriate software systems should ensure you
have access to the data you need from your own account.  Anyone's free to use
my machine while I'm not there, but they're certainly not free to use my
login.

 So, in such a  case I do think the OP has a valid question and it
 could be addressed more professionally than to restart X, or even the
 PC just to prove a point.

 P.S. And I don't know the answer either.

For gnome how about something like:

gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool \
--set /apps/gnome-screensaver/lock_enabled false

jh
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Rudi Ahlers]

On Thu, Jan 20, 2011 at 12:00 PM, John Hodrien j.h.hodr...@leeds.ac.uk wrote:




 I think I see things differently.  Allowing others to access your account *is*
 a security risk.  It potentially opens confidential data open to other people,
 and leaves that specific user open to abuse through people using their
 machine.  You might as well just pin your passwords on the notice board and be
 done.  After all, you trust all your staff.

I don't agree with that, sorry.

A few years ago one of our staff members decided his salary isn't good
enough so he started a side-line business, on our company time. He
stole some of our client's data (contact details, emails, and even
contracts) and sold it to 3rd parties. This went on for about 6 months
before we actually realized what was going on.


Needless to say, he was fined heavily and sent to jail for 3 years.
So, I don't care if you feel the PC is your's, as long as it's a
company PC, with company data and company property, we will take a
look at the data on it.


I'm not talking about your home / private PC, that's an altogether
different story.






-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Giles Coochey]

On 20/01/2011 11:55, Rudi Ahlers wrote:

On Thu, Jan 20, 2011 at 12:00 PM, John Hodrienj.h.hodr...@leeds.ac.uk  wrote:




I think I see things differently.  Allowing others to access your account *is*
a security risk.  It potentially opens confidential data open to other people,
and leaves that specific user open to abuse through people using their
machine.  You might as well just pin your passwords on the notice board and be
done.  After all, you trust all your staff.

I don't agree with that, sorry.

A few years ago one of our staff members decided his salary isn't good
enough so he started a side-line business, on our company time. He
stole some of our client's data (contact details, emails, and even
contracts) and sold it to 3rd parties. This went on for about 6 months
before we actually realized what was going on.


Needless to say, he was fined heavily and sent to jail for 3 years.
So, I don't care if you feel the PC is your's, as long as it's a
company PC, with company data and company property, we will take a
look at the data on it.


I'm not talking about your home / private PC, that's an altogether
different story.


I disagree. There are two points here.

A user account should belong to the person who has been assigned that 
account. They are the only person who should be able to use that 
account. This is critical is you are going to have an audit trail as to 
who did what and when. If someone else is able to use an account, be it 
by not locking unattended workstations or by sharing of passwords then 
the staff member who went to jail would have had a very good defence.
Now, the data that is owned by an account is a completely different 
matter, this is why computer file systems have both access control lists 
as well as owners defined for the files, as well as access and 
modification times. Any _data_ on a business system belongs to the 
business and the access control list defines who has been given the 
responsibility and permissions to access that data.


Data and Accounts are distinct, and the policies regarding their use 
should be distinct  too.


--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: gi...@coochey.net
Skype: gilescoochey





smime.p7s
Description: S/MIME Cryptographic Signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[John Hodrien]

On Thu, 20 Jan 2011, Rudi Ahlers wrote:


I think I see things differently.  Allowing others to access your account *is*
a security risk.  It potentially opens confidential data open to other people,
and leaves that specific user open to abuse through people using their
machine.  You might as well just pin your passwords on the notice board and be
done.  After all, you trust all your staff.


I don't agree with that, sorry.

A few years ago one of our staff members decided his salary isn't good
enough so he started a side-line business, on our company time. He
stole some of our client's data (contact details, emails, and even
contracts) and sold it to 3rd parties. This went on for about 6 months
before we actually realized what was going on.


Yes, and with poor security like you're describing, you can actually mask your
activity under someone else's account.  Having weak security on accounts (and
leaving them unlocked definitely counts as that) makes this sort of abuse much
easier to hide.  If you can't reasonably trust (and there are various reasons
why you should never 100% trust this) that activity under an account maps back
to an individual, you've really diluted the quality of your evidence.


Needless to say, he was fined heavily and sent to jail for 3 years.
So, I don't care if you feel the PC is your's, as long as it's a
company PC, with company data and company property, we will take a
look at the data on it.


You're very much mixing two issues.  I have no objection with admins having
access to machines and data.  Some random colleague being able to pop open a
file browser and download some company confidential material, or send an email
to a client, or download some illegal material to my desktop?  No thanks.

An account is a personal account that should not be shared.  You shouldn't
tell someone else your password, nor should you let them use your account
unsupervised.  This is a rule that's often relaxed (shared accounts, admin
accounts etc.), but relaxing it doesn't typically improve security, it just
sometimes makes things easier to do.  But you should always be aware of the
compromises you're making by doing so.

jh___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Giles Coochey]

On 19/01/2011 21:35, Keith Keller wrote:


Are the screensavers not smart enough to intercept ctrl-alt-bksp?

For the OP: what's the goal behind preventing an X session from locking?
Perhaps there is a more elegant solution than simply disabling it.

Screensavers can't intercept... X gets the message and processes it 
before the Screensaver sees anything


If you want to disable CTRL-ALT-BACKSPACE use the X option DontZap in 
your X configuration.


--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: gi...@coochey.net
Skype: gilescoochey





smime.p7s
Description: S/MIME Cryptographic Signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Tom H]

On Thu, Jan 20, 2011 at 4:00 AM, Rudi Ahlers r...@softdux.com wrote:

 It probably depends on his environment. If it's an office where people
 actually work for money and need to address client issues then I'm
 sure your colleagues won't be please if you make them loose all their
 work just to be an arrogant IT manager who wants to prove a point.

 I don't know about you, but a user leaving his desk (for any purpose,
 other than going home) doesn't cause a security risk. I trust all our
 staff, and when Andrew goes on lunch I expect him to leave his PC
 unlocked.

 1. It's our property and he should have any personal stuff on there,
 as per our NDA, that could cause problem.

 2. If a client, which Andrew was busy with phones in, I or one of the
 other staff members would need access to that work.

 So, in such a  case I do think the OP has a valid question and it
 could be addressed more professionally than to restart X, or even the
 PC just to prove a point.

 P.S. And I don't know the answer either.

In our environment, leaving your desk without locking your
computer/screen is punished with a disciplinary hearing and three such
hearings result in dismissal. Having one person using another's
account is considered a security risk.

I don't know the exact path but you can use gconftool-2 (or
gconf-editor as a GUI) to set the screensaver not to lock (and mimick
doing so by changing the screensaver preferences in
System-Preferences-Screensaver).
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Adam Tauno Williams]

On Thu, 2011-01-20 at 11:05 +, John Hodrien wrote: 
 An account is a personal account that should not be shared.  

+1

Also, at least in the United States, locking a PC / workstation after 15
minutes of idle is a requirement of PCI/DSS - which your company almost
certainly agreed to if you process credit card or other payment
information.  HIPPA, FERPA, and friends have similar requirements /
strong-recommendations.

Ask a competent lawyer and he'll/she'll tell you to lock unattended
workstations.

This has nothing to do with auditing the access to or usage of data -
that is a separate issue.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Sorin Srbu]

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Tom H
Sent: Thursday, January 20, 2011 1:03 PM
To: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?


In our environment, leaving your desk without locking your
computer/screen is punished with a disciplinary hearing and three such
hearings result in dismissal. Having one person using another's
account is considered a security risk.

Sounds kinda' harsh. May I ask what industry this is in?


I don't know the exact path but you can use gconftool-2 (or
gconf-editor as a GUI) to set the screensaver not to lock (and mimick
doing so by changing the screensaver preferences in
System-Preferences-Screensaver).

That's a per-user setting you describe, right?

-- 
/Sorin


smime.p7s
Description: S/MIME cryptographic signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[John Hodrien]

On Thu, 20 Jan 2011, Sorin Srbu wrote:

 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Tom H
 Sent: Thursday, January 20, 2011 1:03 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] How to disable screen locking system-wide?


 In our environment, leaving your desk without locking your
 computer/screen is punished with a disciplinary hearing and three such
 hearings result in dismissal. Having one person using another's
 account is considered a security risk.

 Sounds kinda' harsh. May I ask what industry this is in?


 I don't know the exact path but you can use gconftool-2 (or
 gconf-editor as a GUI) to set the screensaver not to lock (and mimick
 doing so by changing the screensaver preferences in
 System-Preferences-Screensaver).

 That's a per-user setting you describe, right?

No, you can make that work for all users with gconf-editor by editing the
right file.  My previously suggested solution just does that in one go without
a gui:

gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool \
--set /apps/gnome-screensaver/lock_enabled false

That makes it mandatory, so it can't be overridden, and will affect all users.
Only fixes it for gnome, I don't know what the equivalent fix is for KDE.  You
need to take other steps to enforce it in the other direction, as killall
gnome-screensaver would defeat it.

jh
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Tom H]

On Thu, Jan 20, 2011 at 7:55 AM, Sorin Srbu sorin.s...@orgfarm.uu.se wrote:
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Tom H
Sent: Thursday, January 20, 2011 1:03 PM
To: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?


In our environment, leaving your desk without locking your
computer/screen is punished with a disciplinary hearing and three such
hearings result in dismissal. Having one person using another's
account is considered a security risk.

 Sounds kinda' harsh. May I ask what industry this is in?

Finance.

I don't know the exact path but you can use gconftool-2 (or
gconf-editor as a GUI) to set the screensaver not to lock (and mimick
doing so by changing the screensaver preferences in
System-Preferences-Screensaver).

 That's a per-user setting you describe, right?

Yes but someone's posted a global gconftool-2 recipe.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Giles Coochey]

On 20/01/2011 13:12, Adam Tauno Williams wrote:

On Thu, 2011-01-20 at 11:05 +, John Hodrien wrote:

An account is a personal account that should not be shared.

+1

Also, at least in the United States, locking a PC / workstation after 15
minutes of idle is a requirement of PCI/DSS - which your company almost
certainly agreed to if you process credit card or other payment
information.  HIPPA, FERPA, and friends have similar requirements /
strong-recommendations.

Ask a competent lawyer and he'll/she'll tell you to lock unattended
workstations.

This has nothing to do with auditing the access to or usage of data -
that is a separate issue.


Yes, what you mention then becomes a legal compliance issue.

Note, however, that many small companies completely outsource credit 
card payment by using third-party processing (e.g. Worldpay). This means 
they have no card data environment and don't need to comply with PCI/DSS 
in their offices.
Even companies that do in-house card payment processing only have to 
enforce PCI/DSS in their CDE.


I can't speak for HIPPA, SOX etc... but automatic locking is part of  IT 
best practice.



--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: gi...@coochey.net
Skype: gilescoochey





smime.p7s
Description: S/MIME Cryptographic Signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Sorin Srbu]

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of John Hodrien
Sent: Thursday, January 20, 2011 2:02 PM
To: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?

 I don't know the exact path but you can use gconftool-2 (or
 gconf-editor as a GUI) to set the screensaver not to lock (and mimick
 doing so by changing the screensaver preferences in
 System-Preferences-Screensaver).

 That's a per-user setting you describe, right?

No, you can make that work for all users with gconf-editor by editing the
right file.  My previously suggested solution just does that in one go
without a gui:

gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool
\
--set /apps/gnome-screensaver/lock_enabled false

That makes it mandatory, so it can't be overridden, and will affect all
users. Only fixes it for gnome, I don't know what the equivalent fix is for
KDE.  You need to take other steps to enforce it in the other direction, as
killall gnome-screensaver would defeat it.

Ah, I misunderstood first. The penny dropped now. 8-) Thanks.


-- 
/Sorin


smime.p7s
Description: S/MIME cryptographic signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Jerry Franz]

On 01/20/2011 02:55 AM, Rudi Ahlers wrote:

 I don't agree with that, sorry.

 A few years ago one of our staff members decided his salary isn't good
 enough so he started a side-line business, on our company time. He
 stole some of our client's data (contact details, emails, and even
 contracts) and sold it to 3rd parties. This went on for about 6 months
 before we actually realized what was going on.


 Needless to say, he was fined heavily and sent to jail for 3 years.
 So, I don't care if you feel the PC is your's, as long as it's a
 company PC, with company data and company property, we will take a
 look at the data on it.


 I'm not talking about your home / private PC, that's an altogether
 different story.



You are talking completely different issues. Allowing anyone walking 
past a machine to sit down and do whatever they want (which is stupid) 
is not in the least the same as having administrative access and 
auditing by IT (which is smart).

If you don't have full administrative access to the machine 
*independent* of people's day-to-day login accounts you are doing it 
wrong and need to hire a competent IT admin - because your current one 
doesn't know what heck they are doing.

-- 
Benjamin Franz
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[John Hodrien]

On Thu, 20 Jan 2011, Tom H wrote:

 Yes but someone's posted a global gconftool-2 recipe.

Run gconf-editor as root and you can edit the global mandatory rules too.

jh
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Adam Tauno Williams]

On Thu, 2011-01-20 at 14:08 +0100, Giles Coochey wrote: 
 On 20/01/2011 13:12, Adam Tauno Williams wrote:
  On Thu, 2011-01-20 at 11:05 +, John Hodrien wrote:
  An account is a personal account that should not be shared.
  +1
  Also, at least in the United States, locking a PC / workstation after 15
  minutes of idle is a requirement of PCI/DSS - which your company almost
  certainly agreed to if you process credit card or other payment
  information.  HIPPA, FERPA, and friends have similar requirements /
  strong-recommendations.
  Ask a competent lawyer and he'll/she'll tell you to lock unattended
  workstations.
  This has nothing to do with auditing the access to or usage of data -
  that is a separate issue
 Yes, what you mention then becomes a legal compliance issue.
 Note, however, that many small companies completely outsource credit 
 card payment by using third-party processing (e.g. Worldpay). This means 
 they have no card data environment and don't need to comply with PCI/DSS 
 in their offices.
 Even companies that do in-house card payment processing only have to 
 enforce PCI/DSS in their CDE.

Correct;  I'm just of the
stick-to-as-much-of-the-strictest-requirements-in-as-much-of-the-network-as-possible
 school.  It helps avoid debates and issues about where and where not a 
requirement applies [some of the clauses are pretty vague].  Call it CYA if you 
like.

While such standards are much-maligned I actually find them useful as a
tool for pushing for better security against crowds that don't like
password change requirements, etc...  The standards speak a language
suits understand and to some degree believe in [or at least fear,
which works well enough].

 I can't speak for HIPPA, SOX etc... but automatic locking is part of  IT 
 best practice.



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Ross Walker]

On Jan 19, 2011, at 2:44 PM, Bob Eastbrook baconeater...@gmail.com wrote:

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.
 
 Bob
 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Ross Walker]

On Jan 19, 2011, at 2:44 PM, Bob Eastbrook baconeater...@gmail.com wrote:

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.

Let's try this again...

KDE has a multi-user x login feature that allows another user to start a new 
session keeping the existing session active.

It might take a little config mod'ing to get it working, but it works. It works 
best if there is lots of RAM.

-Ross

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[John Hodrien]

On Thu, 20 Jan 2011, Ross Walker wrote:

 On Jan 19, 2011, at 2:44 PM, Bob Eastbrook baconeater...@gmail.com wrote:

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.

 Let's try this again...

 KDE has a multi-user x login feature that allows another user to start a new
 session keeping the existing session active.

 It might take a little config mod'ing to get it working, but it works. It
 works best if there is lots of RAM.

So does gnome (another gconf key:
/apps/gnome-screensaver/user_switch_enabled).  Not tried it on CentOS 5, but
it works okay on Fedora 12.  You have to be careful not to end up with
everybody logged in everywhere.

jh
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Adam Tauno Williams wrote:
 On Thu, 2011-01-20 at 14:08 +0100, Giles Coochey wrote:
 On 20/01/2011 13:12, Adam Tauno Williams wrote:
  On Thu, 2011-01-20 at 11:05 +, John Hodrien wrote:
  An account is a personal account that should not be shared.
snip
 While such standards are much-maligned I actually find them useful as a
 tool for pushing for better security against crowds that don't like
 password change requirements, etc...  The standards speak a language
 suits understand and to some degree believe in [or at least fear,
 which works well enough].

Yeah, well, the problem is they're pushing more frequent password changes,
while, according the the other admin I work with, NIST only recommends
every two *years*. ESPECIALLY if you do *not* have single sign-on
everywhere, frequent password changes, and required a lot of difference
between the current password and the new one, *and* not coming anywhere
near the last year or two's worth of passwords is worse than useless, it's
counterproductive, since it makes social engineering much easier, since
*everyone* will be writing down their passwords.

 I can't speak for HIPPA, SOX etc... but automatic locking is part of  IT
 best practice.

HIPPA, and PII (Personal Information Identifier), and PHI (Personal Health
Information) is very, *very* much need-to-know *only*, and violation is
punishable by termination, and possibly criminal action.

  mark, who works for a US federal contractor with the US gov't, and
 had to get a position of trust* clearance for the job

* Which I assume entitles me to see bottom secrets, or maybe bargain
basement secrets g

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Ross Walker]

On Jan 20, 2011, at 9:18 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote:

 On Thu, 20 Jan 2011, Ross Walker wrote:
 
 On Jan 19, 2011, at 2:44 PM, Bob Eastbrook baconeater...@gmail.com wrote:
 
 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.
 
 Let's try this again...
 
 KDE has a multi-user x login feature that allows another user to start a new
 session keeping the existing session active.
 
 It might take a little config mod'ing to get it working, but it works. It
 works best if there is lots of RAM.
 
 So does gnome (another gconf key:
 /apps/gnome-screensaver/user_switch_enabled).  Not tried it on CentOS 5, but
 it works okay on Fedora 12.  You have to be careful not to end up with
 everybody logged in everywhere.

I wonder if there is an auto logoff idle timeout feature?

That would help reduce orphaned sessions. Set it for 8 hours of idle, then 
auto-logoff.

-Ross
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Ross Walker]

On Jan 20, 2011, at 9:23 AM, m.r...@5-cent.us wrote:

 Adam Tauno Williams wrote:
 On Thu, 2011-01-20 at 14:08 +0100, Giles Coochey wrote:
 On 20/01/2011 13:12, Adam Tauno Williams wrote:
 On Thu, 2011-01-20 at 11:05 +, John Hodrien wrote:
 An account is a personal account that should not be shared.
 snip
 While such standards are much-maligned I actually find them useful as a
 tool for pushing for better security against crowds that don't like
 password change requirements, etc...  The standards speak a language
 suits understand and to some degree believe in [or at least fear,
 which works well enough].
 
 Yeah, well, the problem is they're pushing more frequent password changes,
 while, according the the other admin I work with, NIST only recommends
 every two *years*. ESPECIALLY if you do *not* have single sign-on
 everywhere, frequent password changes, and required a lot of difference
 between the current password and the new one, *and* not coming anywhere
 near the last year or two's worth of passwords is worse than useless, it's
 counterproductive, since it makes social engineering much easier, since
 *everyone* will be writing down their passwords.
 
 I can't speak for HIPPA, SOX etc... but automatic locking is part of  IT
 best practice.
 
 HIPPA, and PII (Personal Information Identifier), and PHI (Personal Health
 Information) is very, *very* much need-to-know *only*, and violation is
 punishable by termination, and possibly criminal action.
 
  mark, who works for a US federal contractor with the US gov't, and
 had to get a position of trust* clearance for the job
 
 * Which I assume entitles me to see bottom secrets, or maybe bargain
 basement secrets g

The whole 90 day password change recommendation came about because it was 
calculated to be the median number of days it would take to perform a brute 
password crack on a offline copy of the password hashes given a sufficiently 
complex password standard and a high-end desktop computer.

With Amazon's cloud services now I guess they'll have to cut it down to 7 days, 
or require finger print or retinal eye scans...

-Ross

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Ross Walker wrote:
 On Jan 20, 2011, at 9:18 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote:
 On Thu, 20 Jan 2011, Ross Walker wrote:
 On Jan 19, 2011, at 2:44 PM, Bob Eastbrook baconeater...@gmail.com
 wrote:

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.
snip
 I wonder if there is an auto logoff idle timeout feature?

 That would help reduce orphaned sessions. Set it for 8 hours of idle, then
 auto-logoff.

8? I'd think 2, long enough for a long meeting, or a 1 or 2 drink lunch.

   mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Ross Walker wrote:
 On Jan 20, 2011, at 9:23 AM, m.r...@5-cent.us wrote:

 Adam Tauno Williams wrote:
 On Thu, 2011-01-20 at 14:08 +0100, Giles Coochey wrote:
 On 20/01/2011 13:12, Adam Tauno Williams wrote:
 On Thu, 2011-01-20 at 11:05 +, John Hodrien wrote:
 An account is a personal account that should not be shared.
 snip
 While such standards are much-maligned I actually find them useful as a
 tool for pushing for better security against crowds that don't like
 password change requirements, etc...  The standards speak a language
 suits understand and to some degree believe in [or at least fear,
 which works well enough].

 Yeah, well, the problem is they're pushing more frequent password
 changes, while, according the the other admin I work with, NIST only
recommends
 every two *years*. ESPECIALLY if you do *not* have single sign-on
 everywhere, frequent password changes, and required a lot of difference
 between the current password and the new one, *and* not coming anywhere
 near the last year or two's worth of passwords is worse than useless,
 it's counterproductive, since it makes social engineering much easier,
since
 *everyone* will be writing down their passwords.
snip
 The whole 90 day password change recommendation came about because it was
 calculated to be the median number of days it would take to perform a
 brute password crack on a offline copy of the password hashes given a
 sufficiently complex password standard and a high-end desktop computer.

 With Amazon's cloud services now I guess they'll have to cut it down to 7
 days, or require finger print or retinal eye scans...

You have not logged on in one hour: your account is locked; please have
it unlocked, and change your password

  mark it's even safer if you unplug it from the network

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Robert Spangler]

On Thursday 20 January 2011 09:14, Ross Walker wrote:

  On Jan 19, 2011, at 2:44 PM, Bob Eastbrook baconeater...@gmail.com wrote:
   By default, CentOS v5 requires a user's password when the system wakes
   up from the screensaver.  This can be disabled by each user, but how
   can I disable this system-wide?  Many of my users forget to do this,
   which results in workstations being locked up.

  Let's try this again...

  KDE has a multi-user x login feature that allows another user to start a
 new session keeping the existing session active.

And if that doesn't work you could always;

Press CTRL+ALT+F2-6
Logon
Start a new X session with 'statrx -- :1'


-- 

Regards
Robert

Linux
The adventure of a lifetime.

Linux User #296285
Get Counted
http://counter.li.org/
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mathieu Baudier]

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.

Instead of removing the lock on your workstations (big security risk
as others have mentioned), why not rather activate the 'user switch'
button?

If you really need to access a workstation, you can then log in as
another user (e.g. admin user) and then do what you want (which may
involve killing the guilty session).

In gconf-editor, you find this option under:
/apps/gnome-screensaver/user_switch_enabled

You can then probably apply it system-wide using recommendations of
this thread (I haven't tested it).

I quickly scanned through the thread, so maybe somebody suggested that
already, sorry for the repeat in that case.

A bit OT, but something related that I discovered recently: you can
explicitly start the screensaver (and thus the lock) with Ctrl+Alt+L
(instead of looking for the button in the GNOME menu).
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Sorin Srbu]

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Ross Walker
Sent: Thursday, January 20, 2011 3:27 PM
To: CentOS mailing list
Cc: CentOS mailing list
Subject: Re: [CentOS] How to disable screen locking system-wide?

I wonder if there is an auto logoff idle timeout feature?

That would help reduce orphaned sessions. Set it for 8 hours of idle,
then auto-logoff.

Now that would be neat on public and semi-public machines over here!

-- 
/Sorin


smime.p7s
Description: S/MIME cryptographic signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Joshua Baker-LePain]

On Thu, 20 Jan 2011 at 11:00am, Rudi Ahlers wrote

 It probably depends on his environment. If it's an office where people
 actually work for money and need to address client issues then I'm
 sure your colleagues won't be please if you make them loose all their
 work just to be an arrogant IT manager who wants to prove a point.
*snip*
 So, in such a  case I do think the OP has a valid question and it
 could be addressed more professionally than to restart X, or even the
 PC just to prove a point.

I was going to leave this alone, but I feel this lowers to the level of 
personal attacks and I'd like to address that.  Yes, my response was a bit 
glib (and tongue-in-cheek, which obviously didn't come across correctly). 
But that doesn't mean that the reasoning behind it isn't valid in some 
situations, and it certainly doesn't make me arrogant or unprofessional. 
As others have pointed out, there are industries and workplaces where any 
unlocked, unattended workstation is a major security risk.  Please don't 
assume that your use case is everybody else's.  And please keep it civil. 
Thanks.

We now return you to your regularly scheduled CentOS list programming (no 
pun intended).

-- 
Joshua Baker-LePain
QB3 Shared Cluster Sysadmin
UCSF
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Les Mikesell]

On 1/20/2011 8:18 AM, John Hodrien wrote:

 KDE has a multi-user x login feature that allows another user to start a new
 session keeping the existing session active.

 It might take a little config mod'ing to get it working, but it works. It
 works best if there is lots of RAM.

 So does gnome (another gconf key:
 /apps/gnome-screensaver/user_switch_enabled).  Not tried it on CentOS 5, but
 it works okay on Fedora 12.  You have to be careful not to end up with
 everybody logged in everywhere.

Why is everyone stuck at the console of one particular workstation?  The 
point of a multiuser, networked OS is that you can have as many logins 
as you want from wherever you want.  I almost never log in directly at 
the console of a linux box unless it is broken - or at least the one 
where my desktop sessions run.

-- 
   Les Mikesell
 lesmikes...@gmail.com
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Joshua Baker-LePain wrote:
 On Thu, 20 Jan 2011 at 11:00am, Rudi Ahlers wrote

 It probably depends on his environment. If it's an office where people
snip
 situations, and it certainly doesn't make me arrogant or unprofessional.
 As others have pointed out, there are industries and workplaces where any
 unlocked, unattended workstation is a major security risk.  Please don't
snip
Excuse me, but when I was in college, I heard the spiel about not leaving
workstations unlocked, if only because some idiots would get cute and do
something from your terminal to embarrass you, and/or aggravate someone
else.

 mark, who logs off his system at home every night and every
morning...
 (and the the only other resident, the fish, is too lazy to
  flop out of the tank to the keyboard)


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[John Hodrien]

On Thu, 20 Jan 2011, m.r...@5-cent.us wrote:

 Excuse me, but when I was in college, I heard the spiel about not leaving
 workstations unlocked, if only because some idiots would get cute and do
 something from your terminal to embarrass you, and/or aggravate someone
 else.

cat  .bashrc EOF
echo Logging off is important and fun
sleep 5
echo Logging off is important and fun
sleep 5
echo Logging off is important and fun
sleep 5
EOF

jh
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Rudi Ahlers]

On Thu, Jan 20, 2011 at 3:47 PM, Jerry Franz jfr...@freerun.com wrote:
 On 01/20/2011 02:55 AM, Rudi Ahlers wrote:

 I don't agree with that, sorry.

 A few years ago one of our staff members decided his salary isn't good
 enough so he started a side-line business, on our company time. He
 stole some of our client's data (contact details, emails, and even
 contracts) and sold it to 3rd parties. This went on for about 6 months
 before we actually realized what was going on.


 Needless to say, he was fined heavily and sent to jail for 3 years.
 So, I don't care if you feel the PC is your's, as long as it's a
 company PC, with company data and company property, we will take a
 look at the data on it.


 I'm not talking about your home / private PC, that's an altogether
 different story.



 You are talking completely different issues. Allowing anyone walking
 past a machine to sit down and do whatever they want (which is stupid)
 is not in the least the same as having administrative access and
 auditing by IT (which is smart).

 If you don't have full administrative access to the machine
 *independent* of people's day-to-day login accounts you are doing it
 wrong and need to hire a competent IT admin - because your current one
 doesn't know what heck they are doing.

 --
 Benjamin Franz
 ___


Benjamin, I'm sorry to say this, but you're wrong!

Now, since we're doing the name-calling thing, let's get that out of the way.

Sometimes you need to access a PC of a staff member who is busy with
something right now. And I'm not talking about administrative access.
Sure, I can access any PC via root login, and frankly for that matter
I can also reset any user's password via root login.

The message I'm trying to bring across is that users in the company
shouldn't have passwords which admin doesn't know, or can't access.
The PC's and data, well at least in our company, is the property of
the company. Making it more difficult for an engineer to gain access
to a user's PC automatically arises suspicion

-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[John Hodrien]

On Thu, 20 Jan 2011, Rudi Ahlers wrote:

 Benjamin, I'm sorry to say this, but you're wrong!

I'm fairly sure he's not.

 Now, since we're doing the name-calling thing, let's get that out of the way.

 Sometimes you need to access a PC of a staff member who is busy with
 something right now. And I'm not talking about administrative access.
 Sure, I can access any PC via root login, and frankly for that matter
 I can also reset any user's password via root login.

No, you don't.  You don't need access to their account, you need access to
data.  If the data you need access to is inaccessible from your account,
that's your issue.

 The message I'm trying to bring across is that users in the company
 shouldn't have passwords which admin doesn't know, or can't access.
 The PC's and data, well at least in our company, is the property of
 the company. Making it more difficult for an engineer to gain access
 to a user's PC automatically arises suspicion

You really should be talking about data not accounts here, as that's what
you're interested in as a company.  You certainly don't want to know all the
passwords.

jh
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Lamar Owen]

On Thursday, January 20, 2011 03:54:45 am Rudi Ahlers wrote:
 Yup, and it totally defeats the purpose of what the OP actually wanted
 todo. Imagine your account being busy with your year-end books, and
 has to run to the toilet (she is a bit sick) now you come and press
 CTRL+ALT+Bksp and loose everything she's done. And, if she had a lot
 of invoices and statements already processed then she may need to redo
 it. Now, how do you explain to your boss that you just cost him
 another day with an expensive accountant because you're too ignorant
 to properly address the issue?

An IT admin should not be accessing the accountant's PC without the accountant 
or another financial person present, for control reasons (control in the 
financial, SCI, and auditing sense).  There are significant regulatory 
compliance issues with your specific example :-) Just because it's company 
data doesn't mean it's open season for any IT admin to access.  This is likely 
why CTRL-ALT-BACKSPACE is off by default, too.

If the PC is another IT admin's PC, that's a different story. But even then 
there are significant accountability issues, as when workstations are left 
unlocked anyone can come up and then do something as that user.

I understand what the OP wants to do, but honestly I think it's a bad idea to 
do it.  If the setting is changed it should be on a per-user basis, since at 
that point the user can know about it, and there is a degree of informed 
consent there. 

There may be a knob to do it, but I think there could be liability issues for 
tweaking that knob, which essentially changes all user's preferences without 
their informed consent.  I know that I would not do this in my environment, 
because I don't want that liability.  

But it definitely depends upon your specific environment.  And, yes, users need 
to log out, and many places do fairly harsh discipline if a workstation isn't 
either locked or logged out in the user's absence.  
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Giles Coochey]

On 20/01/2011 17:11, Rudi Ahlers wrote:


The message I'm trying to bring across is that users in the company
shouldn't have passwords which admin doesn't know, or can't access.
The PC's and data, well at least in our company, is the property of
the company. Making it more difficult for an engineer to gain access
to a user's PC automatically arises suspicion



Hi Rudi,

Your stance on this is counter-intuitive to me, are you able to cite any 
good reference which recommends that administrators know user passwords?


--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: gi...@coochey.net
Skype: gilescoochey





smime.p7s
Description: S/MIME Cryptographic Signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Les Mikesell]

On 1/20/2011 10:11 AM, Rudi Ahlers wrote:

 Benjamin, I'm sorry to say this, but you're wrong!

 Now, since we're doing the name-calling thing, let's get that out of the way.

 Sometimes you need to access a PC of a staff member who is busy with
 something right now. And I'm not talking about administrative access.
 Sure, I can access any PC via root login, and frankly for that matter
 I can also reset any user's password via root login.

 The message I'm trying to bring across is that users in the company
 shouldn't have passwords which admin doesn't know, or can't access.
 The PC's and data, well at least in our company, is the property of
 the company. Making it more difficult for an engineer to gain access
 to a user's PC automatically arises suspicion

That actually sounds very strange.  Are there any published references 
for the concept that individual passwords should be shared instead of an 
administrator using his own granted privileges when accessing data owned 
by someone else?  And if group access is commonly needed, shouldn't the 
data be group-accessible, both in protection and location?

Are you working around some software constraint here?  I can understand 
both sharing of physical workstations (with different logins) and 
sharing common data, but don't see why you'd ever want one person to 
pretend to be someone else by sharing a login.

-- 
   Les Mikesell
lesmikes...@gmail.com


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Lamar Owen]

On Thursday, January 20, 2011 06:02:38 am Giles Coochey wrote:
 Data and Accounts are distinct, and the policies regarding their use 
 should be distinct  too.

+1.

The third 'A' of triple-A (AAA) is accountability.  If you share accounts you 
defeat accountability.  This has nothing to do with data access, or user home 
directory data access; yes, there should be mechanisms in place for monitoring. 
 But those mechanisms need their own accountability, too.  The access should be 
done only by an account authorized to do so.

Without accountability, authentication and authorization don't mean a whole lot.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Rudi Ahlers wrote:
 On Thu, Jan 20, 2011 at 3:47 PM, Jerry Franz jfr...@freerun.com wrote:
 On 01/20/2011 02:55 AM, Rudi Ahlers wrote:

snip
 If you don't have full administrative access to the machine
 *independent* of people's day-to-day login accounts you are doing it
 wrong and need to hire a competent IT admin - because your current one
 doesn't know what heck they are doing.

 Benjamin, I'm sorry to say this, but you're wrong!

 Sometimes you need to access a PC of a staff member who is busy with
 something right now. And I'm not talking about administrative access.
 Sure, I can access any PC via root login, and frankly for that matter
 I can also reset any user's password via root login.

 The message I'm trying to bring across is that users in the company
 shouldn't have passwords which admin doesn't know, or can't access.
 The PC's and data, well at least in our company, is the property of
 the company. Making it more difficult for an engineer to gain access
 to a user's PC automatically arises suspicion

I very strongly disagree with this, and agree with Benjamin. I do *not*
want anyone else knowing my password, and whenever I have to be there when
someone's entering a new one, I perform the Traditional Sysadmin
Admiration of the Ceiling while they do it. I can't see any reason to have
to know someone's password. If I need to be them, then going in as root,
and su - username will do it.

mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Tom H]

On Thu, Jan 20, 2011 at 11:11 AM, Rudi Ahlers r...@softdux.com wrote:

 Sometimes you need to access a PC of a staff member who is busy with
 something right now. And I'm not talking about administrative access.
 Sure, I can access any PC via root login, and frankly for that matter
 I can also reset any user's password via root login.

 The message I'm trying to bring across is that users in the company
 shouldn't have passwords which admin doesn't know, or can't access.
 The PC's and data, well at least in our company, is the property of
 the company. Making it more difficult for an engineer to gain access
 to a user's PC automatically arises suspicion

You clearly work in an insecure environment.

No one should have access to anyone else's login. I have no admin
privileges over my desktop. If I need something installed or
uninstalled, I have to ask the Windows desktop support team who'll
access my box remotely after I accept their request to a access my box
in a popup on my screen. Of course, the Windows server support team
can access my roaming profile on their boxes but (I presume since this
is what we do and I don't know any of them to ask them) they'd have to
justify that acess.

There's absolutely no reason to access a PC of a staff member who is
busy, that's terrible practice; and there's absolutely no way that
anyone should know anyone else's password (a punishable violation of
IT policy in our environment).
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Rudi Ahlers]

On Thu, Jan 20, 2011 at 6:29 PM, Giles Coochey gi...@coochey.net wrote:
 On 20/01/2011 17:11, Rudi Ahlers wrote:

 The message I'm trying to bring across is that users in the company
 shouldn't have passwords which admin doesn't know, or can't access.
 The PC's and data, well at least in our company, is the property of
 the company. Making it more difficult for an engineer to gain access
 to a user's PC automatically arises suspicion


 Hi Rudi,

 Your stance on this is counter-intuitive to me, are you able to cite any
 good reference which recommends that administrators know user passwords?

 --

No, I can't. But I've been running a hosting  development company for
9 years now and this is the first problem I get out of the way right
on the first day of an employees job.

I'm personally involved in the accounts department (when I actually
get time) since I want to know what goes on in my company. I also work
close with the developers when needed. We trust everyone in the
office, and being it an open-plan office, it's easy to see if someone
is at someone else's desk when they're not supposed to be.
Staff logoff and shutdown every night, so that's not an issue.

But, it is a big issue when a staff member goes on leave, or even just
on lunch and switch-off their cellphones and I can't get hold of them
to get a password to login to a PC if I need to. The account PC, for
that matter is encrypted, with no network access so one needs to be in
front if it to access the data.

User accounts also doesn't mean much to me. I know how it sounds, but
I care more about the data than the user's account. As long as I can
access whatever I want, whenever I want.



-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Tom H]

On Thu, Jan 20, 2011 at 9:06 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote:
 On Thu, 20 Jan 2011, Tom H wrote:

 Yes but someone's posted a global gconftool-2 recipe.

 Run gconf-editor as root and you can edit the global mandatory rules too.

Very true, as long as you can run a GUI app as root.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Rudi Ahlers]

On Thu, Jan 20, 2011 at 6:44 PM, Tom H tomh0...@gmail.com wrote:



 You clearly work in an insecure environment.

By who's definition? The fact that you're PC is connected to the
internet place you in the same environment :)



 No one should have access to anyone else's login. I have no admin
 privileges over my desktop. If I need something installed or
 uninstalled, I have to ask the Windows desktop support team who'll
 access my box remotely after I accept their request to a access my box
 in a popup on my screen. Of course, the Windows server support team
 can access my roaming profile on their boxes but (I presume since this
 is what we do and I don't know any of them to ask them) they'd have to
 justify that acess.


Yes, IT staff on a Windows Domain can access everyone's accounts,
without their passwords or consent. Does it make it more secure? Yes.
And No. IT staff can go rouge as well, just bear that in mind. Reminds
me of a previous company I used to work for many years ago.

Some of the IT admin scanned all incoming mail, especially if they
contained any attachments. They casually copied whatever attachments
they wanted to their own desktops, which was more often move clips,
cracked games, music, pr0n, etc.
Do you think management knew about this? Nope.

Is it less safe than your environment? Really? Can you honestly tell
me this doesn't happen in your company?


 There's absolutely no reason to access a PC of a staff member who is
 busy, that's terrible practice; and there's absolutely no way that
 anyone should know anyone else's password (a punishable violation of
 IT policy in our environment).

True, and that's not what I said either.
Both the OP and I am trying to say that sometimes you need to get onto
a PC when the user is not actually there.

And it's quite clear that all company's policies differ. Probably for
a good reason since what works for one company doesn't work for
another company.


IF, on the other hand I worked at a financial institution or something
like that then the security would have been more strict. I don't see
the need for it in our office.




-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Lamar Owen]

On Thursday, January 20, 2011 09:36:09 am Ross Walker wrote:
 With Amazon's cloud services now I guess they'll have to cut it down to 7 
 days, or require finger print or retinal eye scans...

Fingerprints are too easily faked.  Mythbusters did it in a 'Crime and 
Mythdemeanors' episode a few years ago.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Lamar Owen wrote:
 On Thursday, January 20, 2011 09:36:09 am Ross Walker wrote:
 With Amazon's cloud services now I guess they'll have to cut it down to
 7 days, or require finger print or retinal eye scans...

 Fingerprints are too easily faked.  Mythbusters did it in a 'Crime and
 Mythdemeanors' episode a few years ago.

I can beat that: I read, a month or so ago, how a bunch of elementary
school kids discovered that wet Gummi Bears would hold a fingerprint,
*and* (they didn't understand this) have more or less the same electrical
conductivity

  mark, who has to stare into the scanner when he goes into the
datacenter

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Giles Coochey]

And in those nine years you claim to have had at least one major security 
incident.
It beggars my belief
You now publicly declare that your company not just advocates the sharing of 
passwords, but certainly encourages it, if not make it compulsory.
If you were to have another security incident you would probably be hard 
pressed to be able to point the finger at anyone, especially as your lax 
security procedures are now public knowledge.

Troll?

Sorry for top posting

Sent from my HTC Smartphone

- Reply message -
From: Rudi Ahlers r...@softdux.com
Date: Thu, Jan 20, 2011 17:44
Subject: [CentOS] How to disable screen locking system-wide?
To: CentOS mailing list centos@centos.org

On Thu, Jan 20, 2011 at 6:29 PM, Giles Coochey gi...@coochey.net wrote:
 On 20/01/2011 17:11, Rudi Ahlers wrote:

 The message I'm trying to bring across is that users in the company
 shouldn't have passwords which admin doesn't know, or can't access.
 The PC's and data, well at least in our company, is the property of
 the company. Making it more difficult for an engineer to gain access
 to a user's PC automatically arises suspicion


 Hi Rudi,

 Your stance on this is counter-intuitive to me, are you able to cite any
 good reference which recommends that administrators know user passwords?

 --

No, I can't. But I've been running a hosting  development company for
9 years now and this is the first problem I get out of the way right
on the first day of an employees job.

I'm personally involved in the accounts department (when I actually
get time) since I want to know what goes on in my company. I also work
close with the developers when needed. We trust everyone in the
office, and being it an open-plan office, it's easy to see if someone
is at someone else's desk when they're not supposed to be.
Staff logoff and shutdown every night, so that's not an issue.

But, it is a big issue when a staff member goes on leave, or even just
on lunch and switch-off their cellphones and I can't get hold of them
to get a password to login to a PC if I need to. The account PC, for
that matter is encrypted, with no network access so one needs to be in
front if it to access the data.

User accounts also doesn't mean much to me. I know how it sounds, but
I care more about the data than the user's account. As long as I can
access whatever I want, whenever I want.



-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Giles Coochey wrote:
 And in those nine years you claim to have had at least one major security
 incident.
 It beggars my belief
 From: Rudi Ahlers r...@softdux.com
 On Thu, Jan 20, 2011 at 6:29 PM, Giles Coochey gi...@coochey.net wrote:
 On 20/01/2011 17:11, Rudi Ahlers wrote:
snip
 I'm personally involved in the accounts department (when I actually
 get time) since I want to know what goes on in my company. I also work
 close with the developers when needed. We trust everyone in the
 office, and being it an open-plan office, it's easy to see if someone
 is at someone else's desk when they're not supposed to be.
snip
Another reason I'd only work for you if I had no other options: I've
worked in a pretty-much open plan office, and *LOATHE* it. Not only
*zero* privacy, but *far* too much noise and distraction to concentrate.

I remember working at the Scummy Mortgage Co (name available upon request)
many years ago, with five desks, and the sr programmer and the analyst on
the phone 60% or 70% of the time. I had a tape player, to listen to some
training tapes; when I'd finished them, I put in some music. My boss came
by, asked if I was done the training, and I told him I had music on, to
make it easier to concentrate and increase my productivity. He told me to
take them off and increase my productivity.

Open-plan office, *crap*. Do the managers or execs work in them, too?

  mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Lamar Owen]

On Thursday, January 20, 2011 12:03:27 pm m.r...@5-cent.us wrote:
 Lamar Owen wrote:
  Fingerprints are too easily faked.  Mythbusters did it in a 'Crime and
  Mythdemeanors' episode a few years ago.
 
 I can beat that: I read, a month or so ago, how a bunch of elementary
 school kids discovered that wet Gummi Bears would hold a fingerprint,
 *and* (they didn't understand this) have more or less the same electrical
 conductivity

Gummi bears are a pretty good simulcrum for ballistics gel, which is what MB 
used.

MB did it differently, though, in that they lifted the fingerprint from an 
object the subject touched, that was not gel.  IIRC, it was a CD case.  It's a 
good episode; see 
https://secure.wikimedia.org/wikipedia/en/wiki/MythBusters_%282006_season%29#Fingerprint_Lock
 for a synopsis of that portion.  (If you're wondering why the link is to an 
https site well, I'm running HTTPSAnywhere. :-) )

Two-factor security should be standard, really.  Fingerprint plus ID card, or 
fingerprint plus keycode, etc.  One factor being something you uniquely have, 
and the other being either something you have or something you know.

Speaking of, with PAM being standard in CentOS, has anyone here done physical 
security (like datacenter doors and such) where the controller is open source 
and usable on CentOS?  I'd be interested in kitting such a setup for our 
datacenters here.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Lamar Owen wrote:
 On Thursday, January 20, 2011 12:03:27 pm m.r...@5-cent.us wrote:
 Lamar Owen wrote:
  Fingerprints are too easily faked.  Mythbusters did it in a 'Crime and
  Mythdemeanors' episode a few years ago.

 I can beat that: I read, a month or so ago, how a bunch of elementary
 school kids discovered that wet Gummi Bears would hold a fingerprint,
 *and* (they didn't understand this) have more or less the same
 electrical conductivity
snip
 Two-factor security should be standard, really.  Fingerprint plus ID card,
 or fingerprint plus keycode, etc.  One factor being something you uniquely
 have, and the other being either something you have or something you know.
snip
We (the Feds) are using PIV cards, which have passkeys, and, of course,
the username. I prefer what I have from my employer: the RSA keyfobs. No
trouble at all, *and* you need the username, keyfob and a pin.

   mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Lamar Owen]

On Thursday, January 20, 2011 01:57:54 pm m.r...@5-cent.us wrote:
 We (the Feds) are using PIV cards, which have passkeys, and, of course,
 the username. I prefer what I have from my employer: the RSA keyfobs. No
 trouble at all, *and* you need the username, keyfob and a pin.

Our co-lo site is using fingerprint plus HID Corp cards.

I'm not familiar with the RSA keyfobs, though.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Lamar Owen wrote:
 On Thursday, January 20, 2011 01:57:54 pm m.r...@5-cent.us wrote:
 We (the Feds) are using PIV cards, which have passkeys, and, of course,
 the username. I prefer what I have from my employer: the RSA keyfobs. No
 trouble at all, *and* you need the username, keyfob and a pin.

 Our co-lo site is using fingerprint plus HID Corp cards.

 I'm not familiar with the RSA keyfobs, though.

Oh. They have a six digit number that changes every single minute. It's
synchronized with the authentication server. To log onto my company
website, for example, so I can do my timesheet, I put in my username, then
a pin, followed by the current six digit code.

So, you need three pieces of information, and one constantly changes.

 mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

John Hodrien wrote:
 On Thu, 20 Jan 2011, Rudi Ahlers wrote:
 
 I don't know about you, but a user leaving his desk (for any purpose,
 other than going home) doesn't cause a security risk. I trust all our
 staff, and when Andrew goes on lunch I expect him to leave his PC
 unlocked.
 
 I think I see things differently.  Allowing others to access your account *is*
 a security risk.  It potentially opens confidential data open to other people,
 and leaves that specific user open to abuse through people using their
 machine.  You might as well just pin your passwords on the notice board and be
 done.  After all, you trust all your staff.

This is not a supposition, I've seen it happen. I worked at
a company where one guy disabled his keyboard locker. One day he
left for lunch. When he came back, Security escorted him to HR,
where he was asked to explain why he sent several racist e-mails
all over the company. He had a few days off while they investigated
the incident, and the culprit was found. The culprit thought it
was all just a prank, and that's what was intended, but both of them
got in lots of trouble. Official memos to everyone followed.

At home, I keep my keyboard locked the instant I leave it because
of potential security breaches, using the little lock screen (sic)
button on the pop up menu on the left. Just about the only GUI button
I use.

OTOH, I have cats :-)

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Keith Keller]

On Thu, Jan 20, 2011 at 09:51:28AM -0500, Robert Spangler wrote:
 On Thursday 20 January 2011 09:14, Ross Walker wrote:
 
   KDE has a multi-user x login feature that allows another user to start a
  new session keeping the existing session active.
 
 And if that doesn't work you could always;
 
 Press CTRL+ALT+F2-6
 Logon
 Start a new X session with 'statrx -- :1'

There is (IIRC) a subtle difference between these two: the former will
attempt to execute ~/.xsession, whereas the latter will attempt to execute
~/.xinitrc.  If you have neither of these files it shouldn't make much
difference, but if you have one, or have both but are different, it
might not result in what the user expects.  (It's obviously an easy fix
if you know about it, but not at all obvious if you don't.)

--keith


-- 
kkel...@wombat.san-francisco.ca.us



pgp0q7GHUhm4y.pgp
Description: PGP signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

Rudi Ahlers wrote:
 On Thu, Jan 20, 2011 at 12:00 PM, John Hodrien j.h.hodr...@leeds.ac.uk 
 wrote:
 
 
 
 I think I see things differently.  Allowing others to access your account 
 *is*
 a security risk.  It potentially opens confidential data open to other 
 people,
 and leaves that specific user open to abuse through people using their
 machine.  You might as well just pin your passwords on the notice board and 
 be
 done.  After all, you trust all your staff.
 
 I don't agree with that, sorry.
 
 A few years ago one of our staff members decided his salary isn't good
 enough so he started a side-line business, on our company time. He
 stole some of our client's data (contact details, emails, and even
 contracts) and sold it to 3rd parties. This went on for about 6 months
 before we actually realized what was going on.

The computer belongs to the company, and the information on
it _should_ belong to the company (though what people put on
computers can't be completely monitored), but keeping one
employee out of another's accounts is important for a variety
of reasons.

That does not preclude access to the machine's content. Anyone
with root access should be able to do that. You shouldn't
have to log in AS THAT USER in order to access the computer's
content.

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

Giles Coochey wrote:

[...]

 A user account should belong to the person who has been assigned that 
 account. They are the only person who should be able to use that 

You are conflating access and ownership. The company should
own the machine and the data. Only persons authorized by the
company should have access. That should include the user to whom
the account is assigned, and a limited number of trusted persons
with administration priviledges. Ultimately, the company must
have access to all information on an as needed basis, which
should be rare.

The rest of your argument stands.

[...]

 Data and Accounts are distinct, and the policies regarding their use 
 should be distinct  too.

Well stated.

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

Giles Coochey wrote:

[...]

 I can't speak for HIPPA, SOX etc... but automatic locking is part of  IT 
 best practice.

I can. I did a contract job a few years ago to achieve HIPPA compliance
with some pharmacy software. I inserted time limits with logout, screen
information blanking, and RAM data overwriting in order to comply.

SOX I don't know about.

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Mike McCarty wrote:
 John Hodrien wrote:
 On Thu, 20 Jan 2011, Rudi Ahlers wrote:
snip
 At home, I keep my keyboard locked the instant I leave it because
 of potential security breaches, using the little lock screen (sic)
 button on the pop up menu on the left. Just about the only GUI button
 I use.

 OTOH, I have cats :-)

Danger, Will Robinson! Cat typing detected!

   mark what, you don't want $23,524.07 charged to your credit card
at catsactuallyruletheworld.org?

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Mike McCarty wrote:
 Giles Coochey wrote:

 [...]

 I can't speak for HIPPA, SOX etc... but automatic locking is part of  IT
 best practice.

 I can. I did a contract job a few years ago to achieve HIPPA compliance
 with some pharmacy software. I inserted time limits with logout, screen
 information blanking, and RAM data overwriting in order to comply.

Yup. We've had training, both from the gov't and from the company on
protecting PII data, including making sure that your monitor isn't visible
by anyone in the hall, etc.

mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

Rudi Ahlers wrote:

[...]

 User accounts also doesn't mean much to me. I know how it sounds, but
 I care more about the data than the user's account. As long as I can
 access whatever I want, whenever I want.

ISTM that you have control issues. Access to data is what counts,
and you've got that by your own statement. Since that's the case,
I suggest that there isn't going to be any change in your stance,
no matter what arguments get presented. You have an emotional attachment
to this issue, and rational argument isn't going to make progress.

What might make a difference would be addressing the emotional content
of your statements. That's something better done in another venue, I
think.

The bottom line with you seems to be because I _want_ it that way.

I suspect that no rational argument is going to change the desire
to feel the degree of control over your machines and employees that
you have.

That's not necessarily a criticism, BTW. In this particular case,
it seems excessive to me. However, you are you, and you (your
company) have paid for something, and you want a certain degree
of control.

I like to control what's on my machine, too, as another thread
reveals.

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

Sorin Srbu wrote:
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Tom H
 Sent: Thursday, January 20, 2011 1:03 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] How to disable screen locking system-wide?


 In our environment, leaving your desk without locking your
 computer/screen is punished with a disciplinary hearing and three such
 hearings result in dismissal. Having one person using another's
 account is considered a security risk.
 
 Sounds kinda' harsh. May I ask what industry this is in?

Sounds pretty normal to me. I've worked for a variety of
companies over a period of over twenty years, and similar
policies were in effect in each one. At one company where
I worked, possesion of another person's password was
immediate dismissal grounds, though not automatic.

Any company which doesn't exercise due diligence to protect
its trade secrets will lose when trying to recover from
an industrial espionage incident. I know from personal
experience, since I was at a company which went after another
for theft of IP, and nearly wound up having to testify in
court. A friend of mine did have to.

All employees were required to attend a seminar presented
by the full time legal staff, explaining what IP is, and
how it is protected. One thing we were told very forcefully
was that we were to have good passwords (and what that meant),
and that we were never to divulge our passwords to anyone
else.

IANAL, but I suggest that anyone who has any intellectual
property (patents, trade secrets, trade marks) get a lawyer
to explain what they are, what the differences are, and
how to protect them. They need different kinds of protection,
and trade secrets, especially, are hard to protect without
good, secret passwords.

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

Mike McCarty wrote:

[...]

 IANAL, but I suggest that anyone who has any intellectual
 property (patents, trade secrets, trade marks) get a lawyer

Oops! Forgot copyright. Those are the ones in the USA.
There may be others in other countries. I don't know.

Anyway, trade secrets are very hard to protect, and due
diligence is very important, so I'm told.

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Lamar Owen]

On Thursday, January 20, 2011 03:11:00 pm Mike McCarty wrote:
 That does not preclude access to the machine's content. Anyone
 with root access should be able to do that. You shouldn't
 have to log in AS THAT USER in order to access the computer's
 content.

Although I have seen in the case of Windows, installed to NTFS, and set with 
'make your files private' when you first set up a password, that if even if you 
log in as Administrator you can't necessarily see all users' files, at least 
not through file sharing.  It has been a long time since I've put that to the 
test on the local console.

Makes it a pain to do whole machine virus scans from the Administrator account, 
and makes it a bigger pain to do backups using the semi-documented $ shares 
when file sharing is enabled in the firewall.

I've never experienced that on Linux, but it is possible to set up the SELinux 
policy in a way that 'ordinary' root can't do everything, that you have to be 
in a different context.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Bob Eastbrook]

On Wed, Jan 19, 2011 at 12:18 PM,  m.r...@5-cent.us wrote:

 But the locked screensaver wants the *same* password that you log in with.
 I'm having trouble understanding the problem... or is it that many of the
 users *never* log out?


Yes, users will sign onto a workstation, and then disappear somewhere
in the building.  They usually forget that they're logged on, which
means the workstation is unusable by anyone else for several days.

Restarting the X server is one solution, but it will kill any running jobs.

If user Bob sees that Alice is logged on, but not doing anything, then
Bob could safely log Alice out.

Bob
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Ross Walker]

On Thu, Jan 20, 2011 at 12:03 PM,  m.r...@5-cent.us wrote:
 Lamar Owen wrote:
 On Thursday, January 20, 2011 09:36:09 am Ross Walker wrote:
 With Amazon's cloud services now I guess they'll have to cut it down to
 7 days, or require finger print or retinal eye scans...

 Fingerprints are too easily faked.  Mythbusters did it in a 'Crime and
 Mythdemeanors' episode a few years ago.

 I can beat that: I read, a month or so ago, how a bunch of elementary
 school kids discovered that wet Gummi Bears would hold a fingerprint,
 *and* (they didn't understand this) have more or less the same electrical
 conductivity

Fortunately I don't go sticking my fingers in wet gummy bears, so that
risk is mitigated!

While finger prints can be faked, it often requires access to the
finger to fake. I haven't heard of someone lifting a latent oil print
and creating a fake out of that. I'm sure with enough ingenuity it can
be done. Then again if someone is that intent on accessing your data,
well I'm sure they could figure another way as well...

-Ross
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[JohnS]

On Thu, 2011-01-20 at 14:18 -0600, Mike McCarty wrote:
 Giles Coochey wrote:
 
 [...]
 
  I can't speak for HIPPA, SOX etc... but automatic locking is part of  IT 
  best practice.
 
 I can. I did a contract job a few years ago to achieve HIPPA compliance
 with some pharmacy software. I inserted time limits with logout, screen
 information blanking, and RAM data overwriting in order to comply.

What happened to SSL (Encryption)? Gee the MPI just hit the world.


John

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Bob Eastbrook]

On Thu, Jan 20, 2011 at 2:00 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote:

 For gnome how about something like:

 gconftool-2 --direct \
 --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool \
 --set /apps/gnome-screensaver/lock_enabled false

Many thanks.  That did the trick.

Bob
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Gordon Messmer]

On 01/20/2011 02:53 PM, Ross Walker wrote:
 Fortunately I don't go sticking my fingers in wet gummy bears, so that
 risk is mitigated!

 While finger prints can be faked, it often requires access to the
 finger to fake. I haven't heard of someone lifting a latent oil print
 and creating a fake out of that.

http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

Now you have.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Mike McCarty]

JohnS wrote:
 On Thu, 2011-01-20 at 14:18 -0600, Mike McCarty wrote:
 Giles Coochey wrote:

 [...]

 I can't speak for HIPPA, SOX etc... but automatic locking is part of  IT 
 best practice.
 I can. I did a contract job a few years ago to achieve HIPPA compliance
 with some pharmacy software. I inserted time limits with logout, screen
 information blanking, and RAM data overwriting in order to comply.
 
 What happened to SSL (Encryption)? Gee the MPI just hit the world.

This is on software which ran as POS stuff.

Mike
-- 
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[JohnS]

On Thu, 2011-01-20 at 20:13 -0600, Mike McCarty wrote:

 
 This is on software which ran as POS stuff.

Yea but the catch is it is left up to YOU being responsible for what
happens on that network.  Very candid HIPPA states only `data at rest`
does not have to be.  In my state I live in I am the responsible party
and could be held liable.   OK we getting OT now.

John

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Joshua Baker-LePain]

On Wed, 19 Jan 2011 at 11:44am, Bob Eastbrook wrote

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.

Ctrl-Alt-Bksp will fix that right up.  I'm not a big fan of users leaving 
workstations unsecured when they walk away.

-- 
Joshua Baker-LePain
QB3 Shared Cluster Sysadmin
UCSF
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Rudi Ahlers]

On Wed, Jan 19, 2011 at 9:46 PM, Joshua Baker-LePain jl...@duke.edu wrote:
 On Wed, 19 Jan 2011 at 11:44am, Bob Eastbrook wrote

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.

 Ctrl-Alt-Bksp will fix that right up.  I'm not a big fan of users leaving
 workstations unsecured when they walk away.

 --


Don't you mean CTRL+ALT+DEL?

I don't think the OP wanted a plaster, he wants a solution :)


-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Joshua Baker-LePain]

On Wed, 19 Jan 2011 at 9:49pm, Rudi Ahlers wrote


On Wed, Jan 19, 2011 at 9:46 PM, Joshua Baker-LePain jl...@duke.edu wrote:

On Wed, 19 Jan 2011 at 11:44am, Bob Eastbrook wrote


By default, CentOS v5 requires a user's password when the system wakes
up from the screensaver.  This can be disabled by each user, but how
can I disable this system-wide?  Many of my users forget to do this,
which results in workstations being locked up.


Ctrl-Alt-Bksp will fix that right up.  I'm not a big fan of users leaving
workstations unsecured when they walk away.



Don't you mean CTRL+ALT+DEL?


That'd work too, but the reboot is unnecessary.  Ctrl-Alt-Bksp will just 
kill the X server (and thus the user's session).  X will then respawn 
itself and restart GDM.



I don't think the OP wanted a plaster, he wants a solution :)


One person's solution is another's giant gaping security hole.

--
Joshua Baker-LePain
QB3 Shared Cluster Sysadmin
UCSF___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Sean Hart]

On 1/19/11 11:49 AM, Rudi Ahlers wrote:
 On Wed, Jan 19, 2011 at 9:46 PM, Joshua Baker-LePain jl...@duke.edu wrote:
 On Wed, 19 Jan 2011 at 11:44am, Bob Eastbrook wrote

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.
 Ctrl-Alt-Bksp will fix that right up.  I'm not a big fan of users leaving
 workstations unsecured when they walk away.

 --

 Don't you mean CTRL+ALT+DEL?

 I don't think the OP wanted a plaster, he wants a solution :)


I believe that CTRL-ALT-Bksp will restart X, not the computer.  On
restart of X you should be welcomed with the login screen.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[m . roth]

Sean Hart wrote:
 On 1/19/11 11:49 AM, Rudi Ahlers wrote:
 On Wed, Jan 19, 2011 at 9:46 PM, Joshua Baker-LePain jl...@duke.edu
 wrote:
 On Wed, 19 Jan 2011 at 11:44am, Bob Eastbrook wrote

 By default, CentOS v5 requires a user's password when the system wakes
 up from the screensaver.  This can be disabled by each user, but how
 can I disable this system-wide?  Many of my users forget to do this,
 which results in workstations being locked up.
 Ctrl-Alt-Bksp will fix that right up.  I'm not a big fan of users
 leaving workstations unsecured when they walk away.

 Don't you mean CTRL+ALT+DEL?

 I don't think the OP wanted a plaster, he wants a solution :)

 I believe that CTRL-ALT-Bksp will restart X, not the computer.  On
 restart of X you should be welcomed with the login screen.

But the locked screensaver wants the *same* password that you log in with.
I'm having trouble understanding the problem... or is it that many of the
users *never* log out?

  mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Scott Robbins]

On Wed, Jan 19, 2011 at 03:18:37PM -0500, m.r...@5-cent.us wrote:
 Sean Hart wrote:
  On 1/19/11 11:49 AM, Rudi Ahlers wrote:



  I believe that CTRL-ALT-Bksp will restart X, not the computer.  On
  restart of X you should be welcomed with the login screen.


Note that in later versions of X, this is disabled by default--this was
an xorg decisions, apparently, they felt too many were typing it by
mistake.  


It can be enabled with an entry in /etc/X11/xorg.conf  
(It can, apparently, also be enabled with a Gnome GUI, but not using
Gnome, I've forgotten what it is.)


I suspect that in CentOS 6, it will no longer work, not sure about 5.x
at this point. 



-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[Keith Keller]

On Wed, Jan 19, 2011 at 03:18:37PM -0500, m.r...@5-cent.us wrote:
 
 But the locked screensaver wants the *same* password that you log in with.
 I'm having trouble understanding the problem... or is it that many of the
 users *never* log out?

The locked screensaver will be killed along with the rest of the X
session with ctrl-alt-backspace.  When [kgx]dm restarts it will present
a fresh login window.

Are the screensavers not smart enough to intercept ctrl-alt-bksp?

For the OP: what's the goal behind preventing an X session from locking?
Perhaps there is a more elegant solution than simply disabling it.

--keith

-- 
kkel...@wombat.san-francisco.ca.us



pgppDr5WBRS6t.pgp
Description: PGP signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] How to disable screen locking system-wide?

[b.j. mcclure]

On Wed, 2011-01-19 at 15:29 -0500, Scott Robbins wrote:
 On Wed, Jan 19, 2011 at 03:18:37PM -0500, m.r...@5-cent.us wrote:
  Sean Hart wrote:
   On 1/19/11 11:49 AM, Rudi Ahlers wrote:
 
 
 
   I believe that CTRL-ALT-Bksp will restart X, not the computer.  On
   restart of X you should be welcomed with the login screen.
 
 
 Note that in later versions of X, this is disabled by default--this was
 an xorg decisions, apparently, they felt too many were typing it by
 mistake.  
 
 
 It can be enabled with an entry in /etc/X11/xorg.conf  
 (It can, apparently, also be enabled with a Gnome GUI, but not using
 Gnome, I've forgotten what it is.)
 
 
 I suspect that in CentOS 6, it will no longer work, not sure about 5.x
 at this point. 
 
I can confirm it does not work on RHEL 6 Workstation.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos