If you access a Sun Ray session without a smart card, the session is bound to that client and it cannot be hotdesked to another client. However, the non-smart card mobility (NSCM) feature makes the session mobile, which binds the session to the authenticated user name that started it and enables the user to hotdesk to another client. You can enable the NSCM feature through the utpolicy command or the System Policy page of the Admin GUI.

When the NSCM feature is enabled, the NSCM login greeter also provides access to an underlying stationary session through the Exit option of the Options menu. The Exit option is intended to allow users who don't have a user account on the Sun Ray server to initiate a remote X login to another server and gain access to a user account. The Exit option is enabled by default, but you can disable it by using the -d option of the utpolicy command or the System Policy page of the Admin GUI.

For detailed information about the NSCM feature, see Hotdesking in the Administration Guide.

Sun Ray Software automatically provides smart card services, such as smart card authentication, through the PC/SC-lite API. Smart card services include interoperability with the integrated smart card readers on Sun Ray Clients and the client computers running Oracle Virtual Desktop Clients. External USB readers connected to Sun Ray Clients and Oracle Virtual Desktop Clients are supported through the CCID handler, which can be downloaded separately.

For details about the smart card services provided with Sun Ray Software and the CCID IFD Handler, see Smart Card Services in the Administration Guide.

For details about additional smart card configuration when using the Windows connector, see Smart Cards in the Administration Guide.

This section describes the security considerations for authenticated sessions.

User Authentication

User authentication for Sun Ray sessions is controlled by a dedicated Authentication Manager. The Authentication Manager implements site-wide access policies for identifying and authenticating users on the desktop clients. An important piece of this process includes tokens, which are authentication keys used to identify what type of session is provided to a user based on the configured policy and consequently what login scheme is presented to the user. The Authentication Manager also provides an audit trail of the actions of users who have been granted administrative privileges for Sun Ray services.

You can use the Security page of the Admin GUI to change the policy for session authentication, including what type of sessions users are presented. And, you can use the Tokens page of the Admin GUI to manage and register tokens. See Sessions Overview in the Administration Guide for details.

Sun Ray Software uses the site's existing User Directory for user identification and authentication, which is configured through the Sun Ray server's available PAM modules and Name Service Switch file (/etc/nsswitch.conf). The PAM configuration used for user authentication is based on the type of session being requested:

Desktop Screen Locking

Most desktop operating systems provide their own screen locking mechanism, which the user can invoke manually or it will occur automatically after a certain period of inactivity. When a desktop screen is locked either manually or automatically, the Sun Ray session is disconnected and it requires authentication to re-access the session again.

When unlocking a smart card session or a non-mobile session, the PAM configuration used for user authentication depends on whether or not the Remote Hotdesk Authentication (RHA) feature is enabled (described in Section 4.5.3, “ Remote Hotdesk Authentication (RHA) ”).

When unlocking an NSCM session, authentication is performed by a pair of NSCM login greeter sessions. By default, the NSCM PAM configuration is copied from the authentication rules for the X display manager when the Sun Ray server is activated during the installation. If you modify the X display manager's PAM configuration after the Sun Ray server is installed and activated, you must also make the same modifications to the NSCM PAM configuration. The NSCM PAM configuration is located in the utgulogin ('get username' service) and the utnsclogin (authentication service) sections of the PAM configuration file.

Remote Hotdesk Authentication (RHA)

One of the unique aspects of Sun Ray Software is the ability to "hotdesk" from one client to another. Hotdesking, or session mobility, is the ability for a user to remove a smart card, insert it into any other client within a failover group, and have the user's session "follow" the user, enabling the user to have instantaneous access to the user's windowing environment and current applications from multiple clients.

By default, when a user hotdesks, the desktop's screen lock is activated and the user is forced to authenticate again. However, screen locks are inherently insecure in a number of ways. Remote Hotdesk Authentication (RHA) is designed to provide a more secure hotdesk environment instead of the authentication performed by a desktop screen lock in the user's existing session. The "Remote" in RHA refers to the fact that the hotdesk authentication step takes place outside the user's existing session and applications cannot interfere with the authentication. From a user's perspective, there is minimal change if Remote Hotdesk Authentication is enabled.

When RHA is enabled and a reconnection is attempted, the Sun Ray Software creates a temporary new session for the client and uses that session to present an authentication login greeter to the user. This RHA greeter looks very similar to the non-smart card mobile (NSCM) login greeter. After the user successfully authenticates through the greeter, the temporary session is dismissed and the user's existing session is connected to the client.

For environments where the in-session screen lock provides acceptable security or where no hotdesk authentication is desired, you can configure Sun Ray Software to disable the RHA security feature.

RHA is enabled for smart cards by default, and non-smart card mobility (NSCM) automatically provides similar protection as RHA. Authentication does not apply to anonymous Kiosk Mode.

See Remote Hotdesk Authentication (RHA) in the Administration Guide on how to disable or enable remote hotdesk authentication for smart cards.

By default, kiosk mode is disabled. If you enable kiosk mode, be aware that kiosk mode bypasses the system login mechanism, so you must consider the security of the applications added to the user environment. Many custom applications provide built-in security, but applications that do not are not suitable for kiosk mode.

For example, adding an application such as xterm provides users with access to a command-line interface from a kiosk mode session. This access is not desirable in a public environment and is not advised. However, using a custom application for a call center is perfectly acceptable.

Kiosk User Accounts

All computer applications must run under some type of user account and kiosk sessions are no different. To enable real users to access applications without requiring the need to authenticate to the underlying operating system of the Sun Ray Software, kiosk mode manages a pool of local user accounts. If the kiosk service determines that an administrator has configured the system policy or the current token ID to run a kiosk session, unauthenticated access to the system is granted.

While kiosk user accounts do not correspond to a real user, their role in kiosk mode allows a real user to use the applications defined by the administrator in an unauthenticated manner. Without a kiosk user account, a kiosk session cannot run.

See Kiosk User Accounts in the Administration Guide for details, including ways to limit the impact a kiosk user can have on the system and prevent unauthenticated access from becoming uncontrolled access.

Sun Ray Software provides the ability for users to access external peripherals connected to a Sun Ray Client or Oracle Virtual Desktop Client, either by using the device mapping feature with an Oracle Solaris or Oracle Linux desktop or by using the USB device redirection feature with Windows desktop sessions. Connecting external peripherals presents an inherent security risk, which may include unintended access to data. For example, when using USB device redirection with Windows Server 2003 R2 or Windows Server 2008 R2 platforms, USB devices to a Sun Ray Client client are accessible and visible to all desktops running on the Windows system.

For details about the security implications with external peripherals, see Peripherals Overview for device mapping or USB Device Redirection in the Administration Guide.

By default, access to external devices are enabled. You can disable access to external devices with the utdevadm command or from the Security page of the Admin GUI. For details, see Enabling and Disabling Device Services in the Administration Guide.

For additional details about accessing external peripherals connected to a client computer running Oracle Virtual Desktop Client, see the Oracle Virtual Desktop Client User's Guide.