[SunRay-Users] how to force logout when smartcard is removed and amgh override username

Mario Garcia Ortiz mariog at absi.be
Wed Sep 8 17:50:35 EEST 2010


The setup so far is that each user has its smartcard and can't log in
as another user...

Do you have by any chance a workaround to force the session to log out
using utaction when the smartcard is removed? I have read about dtaction
ExitSession but this doesn't seem to exist in Solaris.
Is logging out of the session part of AMGH, or is it a feature that
must be configured on the Sun Ray server?

Where should the utaction command be placed?
It's a mystery to know what exactly happens when the smartcard is removed.

Thank you.

Mario G.

On 09/08/2010 02:33 PM, Bob Doolittle wrote:
>  On second thought, it is possible that if you comment these lines out 
> (losing NSCM and RHA), smartcard-based AMGH will work in a 
> non-intuitive, not-as-designed fashion. Which is what you are seeing 
> apparently. :-)
>
> -Bob
>
> On 09/08/10 08:29, Bob Doolittle wrote:
>>  On 09/08/10 07:35, alessio wrote:
>>> On 9/8/10 12:47 PM, Mario Garcia Ortiz wrote:
>>>> Also I have removed the clearuser from pam.conf but the start over
>>>> button still clears the username... How can I override the reset
>>>> session and start over button in the login screen?
>>> I can answer only the second question.
>>> Removing "clearuser" from pam.conf didn't work for me.
>>> So I've also commented out some other lines in pam.conf
>>>
>>> ...
>>> dtlogin-SunRay auth requisite /opt/SUNWkio/lib/pam_kiosk.so.1 log=user
>>> #dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
>>> #dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
>>> #dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
>>> dtlogin-SunRay auth requisite pam_authtok_get.so.1
>>> ...
>>>
>>> This way the "start over" button no longer clears the username, in AMGH.
>>> I don't know if it is right to comment out such lines... by the way, it
>>> works.
>>
>> I presume you're not a kiosk user, or you wouldn't be using username. 
>> This will break the following functionality:
>> - NSCM (not important if you are a Linux user)
>> - RHA (are you using the -D option to utpolicy?)
>>
>> In both of the above cases, the user will have to authenticate a 
>> second time during login (NSCM only) or hotdesk due to lack of 
>> pam_sunray.so
>>
>> - smartcard-based AMGH (instead of username-based)
>>
>> If you don't care about any of these, it seems to me that you might 
>> be OK commenting out those lines (we don't test such a configuration, 
>> which is why I use the word "might").
>>
>> -Bob
>>
>


-- 
Mario GARCIA ORTIZ
System Engineer

Neerstalsestwg. 42 chée. de Neerstalle
B-1190 Brussels

Tel.: +32(0)2 333 40 00
mariog at absi.be
http://www.absi.be