I guess you use Linux. If you used Solaris, you'd have the benefit of
Non-SmartCard Mobility policy, which allows mobility based on your username
upon login. It's on our to-do list for Linux.
For your use scenario (smartcards for mobility only), you *could* use a
registered-card policy and the soft-client-id aliasing trick (utuser -ai)
that's been published to this list in the past, to bind one soft client to one
smartcard to access the same session. If you have a lot of platforms running
soft clients, that can be management-intensive, unfortunately.
People actually using their smartcard for authentication with special PAM
modules can't do this, however, unless they have a way to cause their PAM
module to detect and ignore non-smartcard tokens, and there are security
implications to consider.
-Bob
On 07/ 6/11 03:05 PM, Aaron Wilson wrote:
Our smart card use isn't really for security. It forces users to be
mobile. Not every user has their own dedicated DTU and they share.
If we didn't force smart card use then people would login, forget to
logout and then the screensaver would kick on and lock the screen and
I'd be killing sessions all day so the next person that needed to use
the DTU could.
If I'm somewhere in the building where there isn't a Sun Ray or
Ethernet and all I had was my MacBook and WiFi and wanted to pull up
my Sun Ray desktop then I could.
At least that's the use I see for it.
Seems like it could completely eliminate our need for SGD too, or is
that OGD now? :)
--
Aaron
On Wed, Jul 6, 2011 at 8:49 AM, Bob Doolittle <[email protected]> wrote:
On 07/ 6/11 11:18 AM, James Kissler wrote:
Aaron, I can understand where you are coming from. I have a good
number of Sunrays deployed. We require the use of smartcard and pin
for authentication on both PCs and Sunrays (used for terminal
services). This is a hard requirement for all users, with the
exception of admin personnel, the only people to use OVDC. It would
be nice to be able to enforce smartcard authentication for physical
clients while allowing a more liberal access policy for OVDC
connections.
How would you prevent a random person from running OVDC, and thus circumventing
your hard security policies regarding smartcard use?
There's always a tension between security and convenience; you need to
choose your comfortable balance point and pursue consistent and compatible
policies throughout your enterprise. The most convenient policy is to not
use passwords for users, but that's not very secure...
-Bob
P.S. 25 years ago I was a network admin (and developer :-) ) at a company
where the policy was "no root passwords", to make our job simpler when
dealing with unattended workstations which were causing problems (it only
took one misconfigured or broken machine to bring the entire corporate
network down). Ah, the halcyon days of innocent trust :-). Things are
certainly less convenient today.
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users