Mohamed Ali wrote:
Thanks Lars and Bender,
Bender, what about with my scenario, where the users used smart cards.
So, how can I restrict one david login at any of the sunray clients?
With Solaris you can use what we call "SC", which was designed for use
with smartcards that work with a PAM module during authentication (such
cards/PAM modules are provided by 3rd-party partners). However, there's
nothing to stop you from using a standard authentication stack and any
type of smartcard with SC. The benefit to you would be that with SC you
get an "auth.username" token, just as you do with NSCM, which means a
single session within a FOG.
To configure SC, you have to use the "utpolicy" command, with the "-S
<cardtype>" option. By default, the "other" PAM stack will be
utilized. If you want to provide a different stack, you can do so using
the "utsclogin-<cardtype>" service name. For example, if you are using
PayFlex cards, you might set "utpolicy -a -z card -S PayFlex -g -m", and
then you might provide your own authentication stack (assuming you
aren't happy with "other" - most folks will be fine with other) in
/etc/pam.conf as utsclogin-PayFlex. If you use more than one card type,
you can specify them all to utpolicy (comma-separated), and if you
need/want to you can provide PAM stacks for them all (which implies you
can have different types of authentication for different types of cards :).
If you have multiple FOGs, and need to restrict to a single session in
them all, then AMGH might be helpful. You can partition smartcard
tokens (use insert_token, not token) to FOGs so that users get directed
to their "home FOG", where they can get a single SC session. If you're
using AMGH, you can also preset the username based on the smartcard
token, which is convenient during login. Note, however, this doesn't
prevent users from running utswitch or utselect, and redirecting
themselves to a different FOG for another session. There's no supported
way to prevent that. If this is a requirement, we can talk about
unsupported ways of achieving it.
-Bob
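To see how the "utsclogin-<cardtype>" lookup described above resolves, here is an added example (not from Bob's reply or from the Sun Ray software itself): it takes the comma-separated card types you would hand to "utpolicy -S", reads a constructed /etc/pam.conf, and reports which auth stack each card type ends up on, falling back to "other" when no dedicated stack exists. The card type "SampleCard" and the pam.conf contents are assumptions made up for the example.

```python
# Added example (not from the original thread): resolve which PAM auth stack
# Sun Ray SC login uses for each card type given to "utpolicy -S a,b,c":
# the "utsclogin-<cardtype>" service if one is defined, otherwise "other".

# Constructed sample of /etc/pam.conf (Solaris 5-column format:
#   service  module_type  control_flag  module_path  [options])
SAMPLE_PAM_CONF = """\
# Default auth stack used by any service without its own entries
other             auth requisite pam_authtok_get.so.1
other             auth required  pam_dhkeys.so.1
other             auth required  pam_unix_cred.so.1
other             auth required  pam_unix_auth.so.1

# Dedicated stack for PayFlex smartcards on Sun Ray (utsclogin-<cardtype>)
utsclogin-PayFlex auth requisite pam_authtok_get.so.1
utsclogin-PayFlex auth required  pam_unix_cred.so.1
utsclogin-PayFlex auth required  pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Return {service: [(module_type, control_flag, module_path, options)]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue                             # malformed line, ignore it
        service, mtype, flag, path = fields[:4]
        opts = fields[4] if len(fields) == 5 else ""
        stacks.setdefault(service, []).append((mtype, flag, path, opts))
    return stacks

def auth_stack_for(card_types, pam_conf_text):
    """Map each card type to (service name, list of auth module paths)."""
    stacks = parse_pam_conf(pam_conf_text)
    result = {}
    for card in card_types.split(","):
        card = card.strip()
        svc = "utsclogin-" + card
        if not any(m[0] == "auth" for m in stacks.get(svc, [])):
            svc = "other"                        # no dedicated stack: fall back
        modules = [m[2] for m in stacks.get(svc, []) if m[0] == "auth"]
        result[card] = (svc, modules)
    return result

if __name__ == "__main__":
    # "SampleCard" is a made-up second card type with no dedicated stack
    for card, (svc, mods) in auth_stack_for("PayFlex,SampleCard", SAMPLE_PAM_CONF).items():
        print(f"{card}: {svc} -> {' '.join(mods)}")
```

Running it shows PayFlex resolving to utsclogin-PayFlex while SampleCard silently lands on "other", which is the case to check for when you expect a card type to get its own stack.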
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users