CHAPTER 10

Kiosk Mode

This chapter describes Kiosk Mode, which enables controlled, simplified access to anonymous users without compromising the security of the Sun Ray server. For a detailed explanation of Kiosk Mode functionality, see kiosk(5).

In earlier releases of Sun Ray Server Software, Kiosk Mode was known as Controlled Access Mode (CAM).

For additional information on preserving existing CAM data and migrating from CAM to Kiosk Mode, see the following sections of the Sun Ray Server Software 4.1 Installation and Configuration Guide:



Caution - Sun Ray Server Software and NIS (Network Information System) store user names and groups in the same system file (/etc/passwd). Be sure to use unique user names when setting up a Kiosk Mode application if the same physical server is used to host both the Sun Ray Server Software and the NIS software. If both systems use the same user names, then the utconfig -u command can overwrite the NIS entries.



Enabling Kiosk Mode

Kiosk Mode allows the administrator to specify what types of sessions are available to users, based on policy choices for different types of user and usage scenario. For instance, settings can differ for smart card users as opposed to non-smart card users, for those with registered as opposed to unregistered tokens, and for other characteristics.

Kiosk Mode functionality can be enabled and disabled from the System Policy section of the Advanced tab, and administered from the Kiosk Mode section, which provides check boxes to enable Kiosk Mode for smart card users, non-smart card users, or both. Enabling and disabling Kiosk Mode for individual tokens is described in Overriding Kiosk Mode Policy.



Note - Before enabling Kiosk Mode, you must configure it with the utconfig utility.


Enabling Kiosk Mode Using the CLI

As superuser, type the utpolicy command for your authentication policy with the addition of the -k argument. Some examples are suggested below.



Note - The following options determine access to the Sun Ray server:
-z both/pseudo/card
or
-r both/pseudo/card [-s both/pseudo/card]
The -k both/pseudo/card option determines whether some or all of the granted sessions are Kiosk sessions.



To Enable Kiosk Mode for All Users (Card and Non-card)


 # /opt/SUNWut/sbin/utpolicy -a -M -s both -r both -k both

All users are directed to Kiosk sessions.


To Allow Only Card Sessions in Kiosk Mode


 # /opt/SUNWut/sbin/utpolicy -z card -k card

All sessions are in Kiosk Mode and available only to card users unless you specify overrides.


To Enable Kiosk Mode for Card Users Only


 # /opt/SUNWut/sbin/utpolicy -a -M -s both -r both -k card

Only card users are directed to Kiosk sessions.


To Enable Kiosk Mode for Non-card Users Only


 # /opt/SUNWut/sbin/utpolicy -a -M -s both -r both -k pseudo

Only non-card users are directed to Kiosk sessions.


To Enable Regular Sessions for Card Users and Kiosk Sessions for Non-Card Users


 # /opt/SUNWut/sbin/utpolicy -z both -k pseudo

Card sessions are non-Kiosk (ordinary login) sessions. Non-card sessions are Kiosk sessions.


To Enable Regular Sessions for Registered Cards and Kiosk Sessions for Non-Card Users


 # /opt/SUNWut/sbin/utpolicy -r card -z pseudo -k pseudo

Non-Kiosk card sessions are allowed only for registered tokens. Non-card sessions are Kiosk sessions.


To Enable Kiosk Sessions for Registered Cards and Regular Sessions on Registered DTUs


 # /opt/SUNWut/sbin/utpolicy -r both -s both -k card

Card sessions are Kiosk sessions, non-card sessions are non-Kiosk (ordinary login) sessions. Users can self-register card tokens and DTUs.
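
The option combinations in the procedures above can be checked against a small model before a policy is applied. The following shell functions are an added example, not part of the Sun Ray Server Software or the original guide; they assume, from the note above, that -z or -r grants a token class access and that -k selects which granted classes get Kiosk sessions. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: simplified model of the utpolicy options in this section.
# Assumption: -z or -r grants a token class access and -k marks the granted
# classes that get Kiosk sessions. Other arguments, token registration
# state and utkioskoverride overrides are not modelled.

# covers VALUE CLASS: true when VALUE (both|card|pseudo) includes CLASS.
covers() {
    [ "$1" = both ] || [ "$1" = "$2" ]
}

# session_for CLASS ARGS...: prints kiosk, regular or denied for the
# token class "card" or "pseudo" under the given utpolicy arguments.
session_for() {
    class=$1; shift
    z=; r=; k=
    while [ $# -gt 0 ]; do
        case $1 in
            -z) z=${2:-}; shift ;;
            -r) r=${2:-}; shift ;;
            -k) k=${2:-}; shift ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if ! covers "$z" "$class" && ! covers "$r" "$class"; then
        echo denied            # no access option includes this class
    elif covers "$k" "$class"; then
        echo kiosk             # granted, and -k covers the class
    else
        echo regular           # granted, ordinary login session
    fi
}

# policy_summary ARGS...: one line covering both token classes.
policy_summary() {
    echo "card=$(session_for card "$@") pseudo=$(session_for pseudo "$@")"
}

# Three of the policies from the procedures above.
policy_summary -a -M -s both -r both -k both
policy_summary -z card -k card
policy_summary -r card -z pseudo -k pseudo
```

A class reported as kiosk is one whose sessions bypass the system login, so it is the class whose application list needs the closest review.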



Enabling Kiosk Mode Using the Admin GUI

The Admin GUI presents a set of choices that may be more convenient to use than the CLI.


To Enable Kiosk Mode Using the Admin GUI

1. Start the Admin GUI.

2. Select the Advanced tab.

3. Select the System Policy tab (see FIGURE 10-1).

4. Select the Kiosk Mode checkbox in the Card Users section, the Non-Card Users section, or both, depending on whether you wish to enable Kiosk Mode for card users, non-card users, or both.

5. Click the Save button.

6. Select the Servers tab.

7. Select the relevant server(s) from the list of servers.

8. Click the Cold Restart button.

FIGURE 10-1 Kiosk Mode Enabled for Non-Card Users


Screen indicates that Kiosk mode has been enabled for non-card users.


Overriding Kiosk Mode Policy

A particular smart card or DTU, or a subset of smart cards or DTUs, may need a different authentication policy setting or Kiosk session configuration from the one applied to other smart cards or DTUs. You can override Kiosk Mode policy with utkioskoverride or with the GUI. You can override the default Kiosk session selection with utkioskoverride.

For more detailed information on overriding Kiosk Mode policy and Kiosk session selection, see the utkioskoverride(1m) man page.



Note - Overriding the Kiosk session selection and administration of non-default Kiosk session configurations are not supported by the Admin GUI in this release. Use the utkioskoverride and utkiosk commands to access these features.



To Override Kiosk Mode Policy Using the CLI

Use the utkioskoverride command to override Kiosk Mode policy or assign a non-default kiosk session for a user’s smart card token or for a DTU’s pseudo-token. Several usage examples are listed below.



Note - Only tokens that have already been registered can be assigned policy overrides.


To enable Kiosk sessions regardless of Kiosk Mode policy for the registered smart card MicroPayFlex.12345678:


# /opt/SUNWut/sbin/utkioskoverride -s kiosk -r MicroPayFlex.12345678

To disable Kiosk sessions regardless of Kiosk Mode policy for the registered smart card MicroPayFlex.12345678:


# /opt/SUNWut/sbin/utkioskoverride -s regular -r MicroPayFlex.12345678

To disable Kiosk sessions regardless of Kiosk Mode policy for the logical token user.12345678:


# /opt/SUNWut/sbin/utkioskoverride -s regular -t user.12345678

To assign and enable the non-default kiosk session MySession2, stored using utkiosk, to the logical token user.12345678, regardless of Kiosk Mode policy:


# /opt/SUNWut/sbin/utkioskoverride -s kiosk -c MySession2 \
   -t user.12345678


To Override Kiosk Mode Policy Using the Admin GUI

1. Select the Tokens tab.

2. Select the token of interest from the list of tokens.

This token can be a card owner’s smart card token or a pseudo-token associated with a DTU’s MAC address. However, only tokens that have been registered in the Sun Ray Data Store can be overridden. To register a smart card token, see To Register a Token. To register a pseudo-token, see To Register a Pseudo-Token.

3. Click the Edit button.

4. Select the desired Session Type from the list of available session types.

The available session types are Default, Kiosk, and Regular.

a. Select Default to prevent Kiosk Mode policy from being overridden for this token.

or

b. Select Kiosk to use a Kiosk session for this token regardless of Kiosk Mode policy.

or

c. Select Regular to ensure that a Kiosk session is not used for this token, regardless of Kiosk Mode policy.

5. Click the OK button.

FIGURE 10-2 Edit Token Properties


Edit Kiosk mode tab showing a Sun Ray Connector session.



Note - The Edit Token Properties page does not show whether a non-default Kiosk session has been assigned to a token. If you use the Admin GUI to assign a Kiosk session type to a token, the default Kiosk session configuration is used for this token.



Building the Kiosk Mode Environment

Once you have selected a Kiosk session, that session is launched by default to provide basic Kiosk Mode functionality. Some Kiosk sessions will support the addition of applications to extend this basic functionality.



Note - Kiosk session and application configuration data created with the Admin GUI is stored as the default Kiosk session under the name session. To store non-default Kiosk session configurations, use the utkiosk command.



To Configure Kiosk Mode Settings

1. Select the Advanced tab.

2. Select the Kiosk Mode tab.

3. Click the Edit button.

FIGURE 10-3 Edit Kiosk Mode


4. Select your preferred Kiosk Session from the drop-down list, as shown in FIGURE 10-3.

5. Provide appropriate values for the remaining settings. See TABLE 10-1 for descriptions of individual settings.

6. Click the OK button.

Changes to Kiosk Mode Settings are applied automatically to Kiosk sessions that start after the changes have been saved. Thus, there is no need to restart Sun Ray services for changes to take effect.


TABLE 10-1 Kiosk Mode Settings

Setting - Description

Timeout - Indicates the number of seconds after which a disconnected session will be terminated. If you provide no value for this setting, termination of disconnected sessions will be disabled.

Maximum CPU Time - Indicates the maximum number of CPU seconds per process for Kiosk sessions. By default, the system default is applied to all Kiosk sessions. For more information see ulimit(1).

Maximum VM Size - Indicates the maximum Virtual Memory size per process for Kiosk sessions. By default, the system default is applied to all Kiosk sessions. For more information see ulimit(1).

Maximum Number of Files - Indicates the maximum number of open files per process for Kiosk sessions. By default, the system default is applied to all Kiosk sessions. For more information see ulimit(1).

Maximum File Size - Indicates the maximum file size per process for Kiosk sessions. By default, the system default is applied to all Kiosk sessions. For more information see ulimit(1).

Locale - Indicates the locale to be used by the Kiosk session. By default, the system default is applied to all Kiosk sessions.

Arguments - Indicates a list of arguments that should be passed to Kiosk sessions as they start. This is a Kiosk session-specific setting. For more information on supported arguments, consult the session-specific documentation for your selected session.




Caution - Choosing unsuitable values for ulimit(1) settings may cause Kiosk sessions to start incorrectly or to crash due to lack of resources.



To Add an Application

1. Select the Advanced tab.

2. Select the Kiosk Mode tab.

If the currently selected Kiosk session supports the addition of applications, there is an Applications setting at the bottom of the page.

3. Click the New button.

a. To use one of the predefined Kiosk application descriptors:

i. Select Predefined Descriptor.

ii. Choose the relevant descriptor from the drop-down menu.

b. To define a custom Kiosk application descriptor:

i. Select Custom Path to use your own custom Kiosk application descriptor or a system application.

ii. Enter the path to your custom Kiosk application descriptor or executable.

If you choose Custom Path, indicate whether the path refers to a custom Kiosk application descriptor or an executable by choosing either Descriptor or Executable.

4. Select your preferred Start Mode for the application.

a. Choose USER to allow users to start the application themselves, for instance from a menu or launcher item.

b. Choose AUTO to make the application start automatically when the Kiosk session starts.

c. Choose CRITICAL to make the application start automatically when the Kiosk session starts, to allow users to start the application themselves, and to force the Kiosk session to restart if the application terminates.

5. Enter any application-specific arguments.



Note - Individual Kiosk sessions may handle the various application start modes and arguments differently. For precise details on these, consult the session-specific documentation of your selected Kiosk session.



Security and Failover Considerations

Since Kiosk Mode bypasses the system login mechanism, you must consider the security of the applications added to the user environment. Many custom applications provide built-in security, but other applications do not and are therefore not suitable for Kiosk Mode.

For example, adding an application such as xterm provides users with access to a command-line interface from a Kiosk Mode session. This is not desirable in a public environment and is not advised. However, using a custom application for a call center would be perfectly acceptable.

In a failover environment, the Kiosk Mode administrative settings are copied from the primary server to the secondary (i.e., failover) servers. Be sure that all application descriptors and executable paths added to the Kiosk Mode sessions are copied across the servers in the failover group. For example, if the Mozilla application is added to the sessions with the executable path /usr/sfw/bin/mozilla, make sure that the path to the binary is available to all servers in the failover group. One way to ensure that sessions and applications are available on all servers in a failover group is to put them into a shared network directory, which is available on all hosts in the failover group.
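
Both considerations above can be checked per server with a short script. The following is an added example, not part of the Sun Ray Server Software or the original guide: it takes a list of executable paths as they would be entered under Custom Path, flags programs that give command-line access, and reports paths that are missing on the local host. The function names and the SHELL_LIKE list are assumptions; the text names only xterm.

```sh
#!/bin/sh
# Added example: audit Kiosk application executable paths on one server.
# Run it with the same list on every server in the failover group.
# SHELL_LIKE is an assumed list; the chapter itself names only xterm.
SHELL_LIKE="xterm dtterm gnome-terminal sh csh ksh bash"

# audit_app PATH: prints one line per finding, or "PATH: ok" when clean.
audit_app() {
    app=$1
    name=${app##*/}
    found=0
    for s in $SHELL_LIKE; do
        if [ "$name" = "$s" ]; then
            echo "$app: gives command-line access"
            found=1
        fi
    done
    if [ ! -e "$app" ]; then
        echo "$app: missing on $(uname -n)"
        found=1
    elif [ -d "$app" ] || [ ! -x "$app" ]; then
        echo "$app: not an executable file"
        found=1
    fi
    if [ "$found" -eq 0 ]; then echo "$app: ok"; fi
}

# audit_list FILE: audits each path in FILE (blank lines and # comments
# are skipped); returns 1 if any path has a finding, 0 otherwise.
audit_list() {
    rc=0
    while IFS= read -r p; do
        case $p in ''|'#'*) continue ;; esac
        out=$(audit_app "$p")
        echo "$out"
        case $out in *": ok") ;; *) rc=1 ;; esac
    done < "$1"
    return "$rc"
}

# Constructed sample list: the Mozilla path from the text plus an xterm path.
list=$(mktemp)
printf '%s\n' /usr/sfw/bin/mozilla /usr/openwin/bin/xterm > "$list"
audit_list "$list" || echo "findings present: resolve before enabling Kiosk Mode"
rm -f "$list"
```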