Context:
I am looking for a way to start a graphical session under a different
user context for a remote user. So, in other words, VNC and FreeNX are not solutions since I don't want to start a session for myself, but for a different user who will not have a password. The hypothetical user needs access but cannot know the password. It's for a library Internet Cafe. We need to be able to log in guests who don't have library cards and are not part of our system jurisdiction.

Setup:
OS: Ubu 9.04 & 8.04. Multiple branches.
We have guest accounts already enabled but require us to locally input the password at the physical box. I would like to be able to start a session from my La-Z-boy whilst logged in via SSH.

I do not necessarily need a complete solution, but if you have an idea of where to look or start, I would be much obliged.

Thanks for reading!

Bub

First, I am not sure I can help with a solution. But I have a similar situation.

I have a server that I ssh into for maintainance and what-not, but there are times I would like to launch the whole gui from a remote locale. So far I have not discovered how to to launch it through ssh. I have to go to the server and login to the gui then start the x11vnc-server. Then I can go back to a remote locale and login to the gui on the server.

It does occur to me that you may be able to launch your xsessions and leave them running with the x11vnc-server running. Then you can login to them from a remote local and enter the password and activate the session for the user. This happens with my linux boxes, but I have to use x11vnc because it actually shares the :0 (default/current) session where as the other vnc servers won't actually share :0.

There are some security issues with this approach that you would want to address.

A solution involving VNC or FreeNX and related would not be practical in my situation due to the number of locations/stations and the privacy issues involved. I cannot be allowed to see the display ( by choice/law/ethics/practicality ) and they cannot be allowed possession of the password. It sounds like you're looking for an ssh -X forwarding type scenario.

I'm looking for a sort of reverse command to pkill/skill for starting user sessions through SSH. A way to start a logged in gnome-session on display:0 without seeing what the patron sees. I can end sessions with pkill but need a way to start graphical sessions for other users from afar.

As I mentioned above, I imagine it would involve invoking a gnome-session on display:0 and somehow passing it different user credentials. I'm going to do a bit of the ol' RTFM and will update the post if I come across anything.

It's not something likely to be of any use to most people unless you run something like a school computer lab. Edubuntu allows you to do this through it's thin client system I believe.

Thanks for the input ...I appreciate the response.

Bub

Something occured to me this morning that might be a work around for you. What about single-use passwords? Let me explain.

With a very strict password aging policy set up and an automatic password generating and changing script the user could be given the password. It may be adviseable to not hide the password so the user can see it as entered because it would mean that if they entered it wrong they would have to come back to the desk to get a new one.

Not a perfect solution but it may be a work around.

That would work, but, "Devil's in the Details" as they say. Distribution
of the password to numerous locations might be an issue. Then again ...maybe not.

We would have to distribute these passwords daily/weekly to numerous
branches for 130 stations. I suppose you could generate a new /etc/passwd daily and rsync it from a central box then set your script to auto-mail the password to each location.

...I'll consider that, am still thinking of other details.

I'm still curious as to how one would go about opening a gnome-session
on display:0 for a remote user, but thanks for the suggestion. I will look into it further.

Bub

Bub,
What exactly are you trying to do?? Allow users to login without a password? Will each remote user be on a sperate computer? Will the remotes be a 'thin client'?

Things that come to mind are:

• ssh using RSA keys
• use DISPLAY to point to remote clients.
• use multiple X servers

You are going to need a super powerful server.

Need more specs.

The scenario is:
To use a public computer you must:

1. Have a library card
2. input barcode
3. input PIN

The issue is then dealing with tourists who do not have library cards. The last system we had allowed you to log on a tourist from the desk. I am wondering how to reproduce this. The effect would be that the machine would log them in to a generic guest account without them doing anything.

They are not thin clients. So as I see it, you'd have to start a gnome-session on the current display ( :0 ) from an ssh session. Additionally, you'd have to give it the credentials or context of a generic guest user.
Or, you might create a script on the computers themselves that would initiate the login sequence, then just start the script from an SSH session.

Thanks for reading -

Bub

This seems simple to me. Just start an X-manager on each PC, let gdm handle the validation. The 'nocard user' will enter something like 'guest' for the username and run with that profile. No password is required. Any other username will require the library card and pin.

I am assuming that you are running linux on these PCs and your load is just http traffic?

Don't confuse the X manager with the session manager. They are two separate things. You can use Gnome, KDE, Fluxbox or anyone of many other Desktop Managers. I would recommend Fluxbox for this application. It is lightweight and will do what you want without the heavy overhead of say Gnome.

You could in fact setup the remote PCs to boot from a live CD to limit hacking and reduce the power requirements and costs.

What apps do you wish to support?

Bottom line, Yes it can be done very easily.

The "nocard" idea will not work. We already have a catalog-only account that works this way. The SIP authentication we use checks accounts for blocks before authenticating. A patron with blocks ( lost items etc. ) could then easily subvert the system by using the "nocard" account.

A guest account with daily or weekly generated passwords as suggested above looks like the most feasible.

At this point it's primarily curiosity as I've seen this feature on our last system and am wondering how to duplicate it. It allowed staff to log on guests remotely from their desks without dealing with barcodes and passwords or accounts. So the guest would sit at the computer, and the station would log on automatically ( hands-free ), having been started from the front desk. I am wondering what the session manager is doing behind the scenes that could be initiated from an SSH session.

These are all Linux stations. Using Windows on public machines is pure masochism. We did this ( Windows ) for seven years and while Windows is decent for home and business use ( though obviously, I prefer penguins ), it is sheer insanity to use for public computers.

GDM is already running, with Gnome set as the default WM. While I like Fluxbox, for those used to menus and start buttons etc. Gnome is preferred.

Thanks for your input --

Bubnoff