Hi Alex,
On 05.06.12 13:54, Wilkinson, Alex wrote:
> When smartcards have been configured to use a *regular* session and they are
> inserted (after a user has an already existing session) I would always get a
> dtlogin prompt for authentication.
Yes (well, s/dtlogin/Sun Ray Session Lock/)
> Now that I have turned on kiosk mode this
> behaviour seems to have disappeared and users are logged straight into their
> session with being prompted for credentials any more.
> Is this expected behaviour when using kiosk mode?
Yes. Kiosk sessions are anonymous, unauthenticated sessions, so there is
no one to (re)authenticate upon disconnect/reconnect (at least at the Sun
Ray / Kiosk Mode level). The sessions run under a special UNIX user
account that is locked for ordinary login and has no password, so
running into a screen lock would be a problem.
> If yes can I configure kiosk
> mode to ask for authentication of existing sessions when a smartcard is
> re-inserted?
It depends on your kiosk session type.
- For all kiosk session types:
  You can set the timeout for disconnected kiosk sessions to a low
  value (down to one or even zero seconds). In that case removing the
  smartcard will start the timeout. After the time has elapsed, the
  kiosk-level session is terminated, so you will get a fresh session after
  reinserting the card. If your session provides remote access to a
  service which can keep its session running across disconnects and
  reconnects of your client - for example SRWC access to an RDP (MS
  Windows) desktop - then that will achieve the desired result.
  If your session doesn't support reconnecting, then any unsaved work
  is lost, but at least no one can get at any sensitive data in the session
  any more.
- For your own kiosk session type (that presumably authenticates users
  in some fashion):
  In your session script, you can start a utaction(1) process in the
  background, which can perform any action you choose upon disconnect or
  reconnect (with or without a delay/timeout). That action can be used to
  place your kiosk application in a locked state that requires
  (re)authentication for regaining access.
- For an OVDI session:
  The Oracle Virtual Desktop Infrastructure product already has such
  mechanisms built in and offers you a choice of actions to take on
  smartcard removal and of screenlocking mechanisms.
HTH
- Jörg
--
Jörg Barfurth http://blogs.oracle.com/joergb
Disclaimer: I am employed by Oracle. The statements and opinions
expressed here are my own and do not necessarily represent those
of Oracle Corporation.
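
One way to wire up the utaction(1) approach described above for a custom kiosk session type, as an added example that is not part of the original message or of any Oracle-supplied script. The application path, the state directory, the "unlocked" marker and the "lock"/"session" arguments are hypothetical, and the use of utaction's -d (disconnect command) option should be checked against utaction(1) on the installed release.

```shell
#!/bin/sh
# Added example (not from the original message): kiosk session script fragment.
# Hypothetical names: KIOSK_APP, STATE_DIR, the "unlocked" marker and the
# "lock"/"session" arguments. The kiosk application itself must check
# is_locked, authenticate the user, and only then call unlock_session.
UTACTION=${UTACTION:-/opt/SUNWut/bin/utaction}
KIOSK_APP=${KIOSK_APP:-/opt/example/bin/kiosk-app}
STATE_DIR=${STATE_DIR:-$HOME/.kiosk-state}

# Fail closed: the session counts as locked unless the marker exists, so a
# missing directory or a failed write never leaves the application open.
is_locked() { [ ! -f "$STATE_DIR/unlocked" ]; }

# Called by the application after its own (re)authentication succeeded.
unlock_session() {
    ( umask 077; mkdir -p "$STATE_DIR" && : > "$STATE_DIR/unlocked" )
}

# Called on disconnect (smartcard removal): drop the marker.
lock_session() { rm -f "$STATE_DIR/unlocked"; }

# Start utaction in the background; on every disconnect it re-invokes this
# script (path in $1) with the "lock" argument. The path must not contain
# whitespace because utaction receives the command as one string.
start_watcher() {
    "$UTACTION" -d "$1 lock" &
    WATCHER_PID=$!
}

run_session() {
    lock_session                  # a fresh session starts locked
    start_watcher "$0"
    trap 'kill "$WATCHER_PID" 2>/dev/null' EXIT
    "$KIOSK_APP"                  # runs until the kiosk session ends
}

case "${1:-}" in
    lock)    lock_session ;;
    session) run_session ;;
esac
```

Because the marker means "unlocked" rather than "locked", a disconnect handler that fails partway still leaves the application requiring (re)authentication.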