[Lancaster] Folly Terminals are go!

Andy Baxter andy at earthsong.free-online.co.uk
Fri May 28 20:14:00 BST 2004


Sent this just to Matthew by mistake - sending on to the list (plus an 
afterthought)

On Friday 28 May 2004 10:27, you wrote:
> On Thu, May 27, 2004 at 11:49:43PM +0100, Andy Baxter wrote:
> > also have a separate root password for the terminals (but the same one
> > for each of these), so someone shoulder-surfing while we're working on it
> > can't get the server p/w.
>
> How about giving LUG people unlimited sudo on the terminals so if an
> account gets surfed nobody else needs to be notified about the password
> change?

Trouble with that is it means creating and managing half a dozen accounts on 
each of the terminals, when there's no need for more than one or two (root 
and maybe guest).

> > I reckon for the moment, just make a separate account for each terminal,
> > and have a note on the box saying which one to log in as. Some time we
> > might be able to figure a way to bring up a login screen which just has
> > one guest account which gets directed to separate accounts for each
> > machine, but this is going to be tricky I think.
>
> Hmm ... how about pam_ldap and give each terminal a different base DN to
> surf on, so 'guest' on each terminal maps to a different uid? (and on the
> server the guest uid for each terminal is in a single 'termguest' group so
> the permissions can be managed easily)

How would this work? The logins aren't done on the terminals at all, they're 
through the server's display manager using xdmcp, so I don't see how you 
could do this.

One way that would probably work, but would be quite inefficient, is to start 
3 separate display managers on different ports, with each machine logging in 
on a different port. Then have 3 separate kdm config files.

Another way would be to have a single guest-login account, but somehow put 
something in the XSession script which works out which client the session is 
being started from, and then su's to a guest account for that client before 
loading the session. Not at all sure how to do this though.

PS. - just found out that if you create a file containing the string 
SERVERHOST, then run this through xrdb -n, the string will be replaced by the 
hostname of the machine serving the display. So that bit is possible, but I'm 
not sure how to switch accounts during the Xsession script - su always wants 
a password to log in to a new account.

> - Matt
>
> PS: now in Bath working for Netcraft so it's unlikely I'll be able to make
> the meetings in the near future - more than happy to help hands-on with
> anything that can be done remotely, though.

-- 
Please don't send me html mail or un-notified attachments. These will be 
automatically filed under 'probable spam' unless I'm expecting an email which 
hasn't come.
If you do need to send an attachment or html mail, put [attachment] or [html] 
in the subject line.
Thanks, andy.
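
The lookup discussed in the message, working out which terminal a session belongs to and picking a guest account for it, as an added example that is not code from the post. It assumes the display manager sets `DISPLAY` to `terminal-host:0` for XDMCP sessions; the terminal and account names are hypothetical. Unknown or malformed hosts are refused rather than passed on, and the account switch itself, which the post leaves open, is not attempted.

```shell
#!/bin/sh
# Hypothetical allowlist: "terminal-hostname guest-account", one pair per line.
# Names must match exactly what the display manager reports for each terminal.
TERMINAL_MAP='term1 guest1
term2 guest2
term3 guest3'

# Print the lower-cased host part of a DISPLAY value such as "term1:0" or
# "TERM2:0.0". Fails for local displays (":0") and for host names containing
# anything other than letters, digits, "." and "-".
display_host() {
    case "$1" in
        *:*) h=${1%:*} ;;           # strip ":0" or ":0.0"
        *)   return 1 ;;
    esac
    case "$h" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Print the guest account for the terminal behind the given DISPLAY value.
# Returns non-zero when the host is not on the allowlist, so the caller can
# refuse the session instead of falling back to a shared account.
terminal_guest_account() {
    host=$(display_host "$1") || return 1
    while read -r name account; do
        if [ "$name" = "$host" ]; then
            printf '%s\n' "$account"
            return 0
        fi
    done <<EOF
$TERMINAL_MAP
EOF
    return 1
}

# Constructed sample DISPLAY values, to show accepted and refused cases.
for d in 'term1:0' 'TERM2:0.0' ':0' 'term1.other.example:0' 'term9:0'; do
    printf '%s -> %s\n' "$d" "$(terminal_guest_account "$d" || echo REFUSED)"
done
```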


