Locking Down Thin Clients

Gavin McCullagh gmccullagh at gmail.com
Tue Jul 17 09:16:07 BST 2007


Hi,

On Mon, 16 Jul 2007, Steve Wu wrote:

> I'm tinkering and have a basic Edubuntu LTSP server setup. Client PCs can
> connect and login using a generic ID/PWD we setup. 

This is probably not a good idea to start off with.  If multiple users
log in from different locations to a single account, you will have issues.
Immediately visible problems will include evolution-calendar crashing and
firefox needing you to create extra profiles.

Usually the best way to set things up is to create an account for each
user.  I presume you don't want to do that to avoid the admin work involved
but I would encourage you to reconsider.  There are lots of benefits to
this approach in that everyone gets to have and keep all of their own files
and settings whatever machine they sit down at and backing it all up is
relatively straightforward.

As an alternative, you could create a different username and password for
each machine and paste it on the front of the machine.  It's not pretty,
but people do it.

> How do I go about locking down the desktops so when a user logs in, they
> see the same desktop no matter what someone did beforehand? 

As Daniel said, you can probably wipe out and restore the settings at each
logout or login.  However, if you're doing this, you can't have other
users concurrently using that profile or their applications may not react
well.

> Is there a built in tool to use? If not, what tools do you recommend? 

KDE has a kiosk mode which allows you to restrict what a given user may do.
I don't know a lot about it but for locking down a single account, it may
be useful (though you have to use KDE not GNOME).
	http://techbase.kde.org/SysAdmin

GNOME has pessulus and sabayon for similar stuff, though I must admit I've
had rather limited success with them.

A final option which involves no account creation is the ltsp web kiosk.
You can run:
	sudo ltsp-build-client --kiosk --base /opt/ltsp-kiosk/i386/

which you can then point your thin clients at (in /etc/ltsp/dhcpd.conf) as
a root-path.  This will give you an independent kiosk account on each of
your thin clients.  All applications run locally on the thin client in this
usage, the profile is volatile and gets recreated automatically on boot and
only a web browser is available so this may or may not suit your clients or
users.  If your thin clients are up to it (i.e. 400MHz; 192MB RAM) you could
maybe try using this route and install a few more applications into the
chroot.

Gavin
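
One way to do the wipe-and-restore at login or logout mentioned in the message above, as an added example that is not part of the original email. The names reset_profile and active_sessions and the template directory are assumptions; the function refuses to reset while the account has more sessions than the one triggering it, which is the concurrency problem the message warns about.

```sh
#!/bin/sh
# Added example (not from the original post): reset a shared kiosk account's
# home directory from a pristine template at login or logout.
# Hypothetical names: reset_profile, active_sessions, and the template path.

# Count login sessions currently open for user $1, as reported by who(1).
active_sessions() {
    who 2>/dev/null | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# reset_profile USER HOME TEMPLATE [MAX_SESSIONS]
# Returns 0 on success, 2 on bad arguments, 3 if the account is in use elsewhere.
reset_profile() {
    user=$1 home=$2 template=$3 max=${4:-1}

    # Refuse obviously dangerous or missing paths before deleting anything.
    case "$home" in
        ""|/|/home|/root) echo "refusing to wipe '$home'" >&2; return 2 ;;
    esac
    [ -d "$home" ] && [ -d "$template" ] || { echo "missing directory" >&2; return 2; }

    # Wiping a profile under a running session breaks that user's applications,
    # so skip the reset when more sessions exist than the one triggering it.
    n=$(active_sessions "$user")
    if [ "$n" -gt "$max" ]; then
        echo "$user has $n sessions; not resetting" >&2
        return 3
    fi

    # Remove everything in the home directory, dotfiles included, then restore.
    find "$home" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} + || return 1
    cp -a "$template"/. "$home"/ || return 1
}
```

The template directory should be owned by root and not writable by the kiosk account, otherwise a user can change what every later session starts with.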