Conference Kiosk Info

For conferences hosted at Informatics, I was asked to produce a machine configuration that would allow web and remote login access to conference delegates. What I came up with is an "rbash" solution, with various shell and window manager configuration changes.

All you need to do

To turn a standard DICE client desktop into a conference kiosk machine that allows anonymous web and remote login facilities, just add the lcfg header "inf/conf-kiosk.h" to the machine's profile, i.e.

  #include <inf/conf-kiosk.h>

All machines (RH9 and FC3) now have the dice-conference-kiosk support RPM installed by default; it does nothing unless the header file is also used. This gets round some of the chicken-and-egg problems of support files not being there when GDM is reconfigured.

There is a confkiosk.homepage lcfg resource that can be set to the URL of the page that you want as the homepage for Mozilla. It is currently set in inf/conf-kiosk.h to the CAV2005 homepage.

Give it a few moments for the new profile to propagate, and the standard GDM login screen will disappear and should return with the following:

Minimal X Desktop

The minimal desktop has a "postit" style background offering some basic information about what is going on. It's always there, so people can't dismiss it.

There is also an "rbash" xterm started, listing the commands that will work, and a small button bar on the bottom right of the screen, which users can use to launch new "rbash" xterms, Mozilla or Quit their session.

When the user quits, they are logged out, but GDM automatically restarts the xsession, having first wiped all files, settings and changes the user may have made, ready for the next person to use. For RH9 this is instant, but for FC3 there is a 15-second delay so a real user could enter their username and password, but it will be missing most of the usual desktops.

Bits and Pieces

The "rbash" shell is very restrictive; see "man bash" and look for the "RESTRICTED SHELL" section. Only built-in bash commands are supported, or any in the path /usr/rbin/, which conf-kiosk.h populates. This, however, is by design, and what we want.
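As an added illustration (not part of the kiosk RPM or the original page), the script below rebuilds that arrangement in a scratch directory and probes what a restricted bash allows. The scratch directory stands in for /usr/rbin/, and the two allowed commands, ls and date, are sample choices rather than the list conf-kiosk.h installs.

```shell
#!/usr/bin/env bash
# Added example: a scratch copy of the kiosk's restricted environment.
# RBIN stands in for /usr/rbin/; "ls" and "date" are constructed sample
# choices, not the command list that conf-kiosk.h actually installs.

BASH_BIN=$(command -v bash)

# Build an allowlist directory of symlinks, as the lcfg symlink component would.
make_rbin() {
    RBIN=$(mktemp -d)
    for cmd in ls date; do
        ln -s "$(command -v "$cmd")" "$RBIN/$cmd"
    done
}

# Run one command line in a restricted shell whose PATH is only $RBIN.
# The exit status is that of the restricted shell.
in_rbash() {
    env -i PATH="$RBIN" "$BASH_BIN" --norc --noprofile -r -c "$1" >/dev/null 2>&1
}

# Report whether the restricted shell ran the command line or refused it.
probe() {
    if in_rbash "$1"; then echo allowed; else echo refused; fi
}

make_rbin
trap 'rm -rf "$RBIN"' EXIT

# Allowlisted commands run; everything else is refused: a command that is
# not in RBIN, a command name containing "/", cd, resetting PATH, and
# output redirection.
for line in 'ls' 'date' 'uname' '/bin/ls' 'cd /' 'PATH=/bin:/usr/bin' 'echo x > out'; do
    printf '%-22s %s\n' "$line" "$(probe "$line")"
done
```

Running the same probes as the kiosk user after adding a command to /usr/rbin/ is a quick way to confirm the restrictions still hold.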

If it's decided that the auto login isn't a good idea, then the conf-kiosk.h needs to be changed, and the "autologin" and "timedlogin" resources need to be removed. Then delegates will need to know the username is "conf1" and what the password is. I won't say it here, but Chris, Alastair and Ken have had an email from me saying what it is. It could be changed by using:

  /usr/kerberos/sbin/kadmin -q 'change_password conf1@inf.ed.ac.uk'

The user "conf1" only exists in Kerberos and in the local password on the kiosk machines, not in LDAP.

You can't easily change the username from "conf1" to something else. This would mean updating the header file, and the files that the RPM supplies. Likewise, any environment change for the "conf1" user will need a new RPM shipped. The only exception is enabling more commands, which you may be able to do by just using the symlink component to add things to the /usr/rbin/ directory.

To stop a machine from being a kiosk, remove the header file and wait for the profile to propagate (the original GDM login may appear). A reboot should not be necessary.

I think that covers it.

Neil