Regarding RHA security... Does anyone else on the list deploy Sun Rays in a Kerberos 5 and AFS setup? We seem to be stuck with forcing users to unlock twice since unfortunately we need the screensaver to refresh a user's tickets and tokens. Since the RHA dialog creates a temporary session, the tickets and tokens for the user's session aren't refreshed when it is used, so for the time being we use RHA and screensaver lock to achieve better security and still maintain the ability to refresh session creds. Any ideas?
William Yang

> -----Original Message-----
> From: [email protected] [mailto:sunray-users-[email protected]] On Behalf Of Joerg Barfurth
> Sent: Monday, February 02, 2009 6:39 AM
> To: SunRay-Users mailing list
> Subject: Re: [SunRay-Users] How to make JDS lock screen lock the screen and not utdetach with NSCM
>
> You can do much of what you desire by editing /etc/pam.conf. But the
> result is an unsupported configuration.
>
> David Markey wrote:
> > They could manually detach the session using shift+pause, it's just
> > complicated for our users and I'd like to disable it. I see it's hard
> > coded into xscreensaver. Any way to disable it, even unsupported?
>
> You could remove or turn into a comment the
>     xscreensaver auth sufficient pam_sunray.so syncondisplay
> line in /etc/pam.conf.
>
> The price you have to pay for that is that when hotdesking to a
> different DTU with your NSCM session or after the session has been
> detached in whatever other way (e.g. by rebooting the DTU), you'll have
> to enter your password twice - first for NSCM, then for the screensaver.
>
> You also lower security for your session, as explained by Bob.
>
> > Also, when I do a utswitch -h <hostname> the previous user name gets
> > entered into the new sunray server's login, any way to disable that also?
>
> For NSCM users: To get rid of the name you can use the startover button.
> To never get that name in the first place, you could try to remove the
>     utgulogin auth requisite sunray_get_user.so property=username
> line in /etc/pam.conf.
>
> To achieve the same effect for smartcard users, you'd need to also
> remove the
>     dtlogin-SunRay auth requisite sunray_get_user.so property=username
> line. Beware: This might be incompatible with NSCM (though I haven't
> tried). In any case you enter unsupported territory here.
>
> Do not remove the analogous line for utsclogin!
>
> HTH
>
> - Jörg
>
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
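An added example, not part of the thread or of any Sun Ray tooling: a small audit that parses pam.conf text and reports which of the entries discussed above are active, commented out or missing, so drift into the unsupported configuration is visible. The exact shape of the utsclogin entry is an assumption (the thread only calls it "analogous"), and the sample input is constructed.

```python
import sys

# Entries named in the thread, keyed by (service, module file).
# The utsclogin entry is an assumption: the thread only calls it "analogous".
WATCHED = {
    ("xscreensaver", "pam_sunray.so"): "removal is unsupported and lowers session security",
    ("utgulogin", "sunray_get_user.so"): "removal is unsupported",
    ("dtlogin-SunRay", "sunray_get_user.so"): "removal is unsupported, may be incompatible with NSCM",
    ("utsclogin", "sunray_get_user.so"): "the thread says never to remove this line",
}
MODULE_TYPES = {"auth", "account", "session", "password"}

def parse_line(raw):
    """Parse one pam.conf line into (active, service, type, module) or None."""
    text = raw.strip()
    active = not text.startswith("#")
    fields = text.lstrip("#").split()
    if len(fields) < 4 or fields[1] not in MODULE_TYPES:
        return None  # blank line or ordinary comment
    return active, fields[0], fields[1], fields[3].rsplit("/", 1)[-1]

def audit(conf_text):
    """Return {(service, module): 'active' | 'commented' | 'missing'}."""
    state = dict.fromkeys(WATCHED, "missing")
    for raw in conf_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        active, service, mtype, module = parsed
        key = (service, module)
        if key not in state or mtype != "auth" or state[key] == "active":
            continue
        state[key] = "active" if active else "commented"
    return state

def findings(state):
    """List one warning per watched entry that is not active."""
    return [f"{svc} {mod}: {st} ({WATCHED[(svc, mod)]})"
            for (svc, mod), st in state.items() if st != "active"]

# Constructed sample, not taken from a real server.
SAMPLE = """\
# Sun Ray entries
#xscreensaver auth sufficient pam_sunray.so syncondisplay
utgulogin auth requisite sunray_get_user.so property=username
dtlogin-SunRay auth requisite sunray_get_user.so property=username
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line in findings(audit(text)):
        print("WARN", line)
```

Run it with the path to a copy of /etc/pam.conf as the only argument; without an argument it audits the constructed sample.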
