Sending passwords using the Sun Ray Connector for Windows


When we were designing the Sun Ray Connector for Windows, we made a conscious decision not to allow users to send the password via the command line.

Why, you may ask? Perhaps this will shed some light.

$ ps -ef |grep rdesktop
craig 20344 20334 0 20:16:48 ? 0:00 /opt/SUNWrdp/bin/rdesktop -a 24 -f -u craig -p SunRay123 margaritaville

steve 20123 20111 0 20:16:45 ? 0:00 /opt/SUNWrdp/bin/rdesktop -a 24 -f -u steve -p T3mecu!a margaritaville

For those who don't see the concern above: anyone who can run "ps" can read a password that someone chose to pass on the command line. That pretty much means anyone who is logged on to the *nix server.
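As an added example (not part of the original post), here is a small auditor that scans `ps -e -o user,pid,args` output for rdesktop processes carrying a literal `-p` password and reports them with the password masked. The sample rows, the `WATCHED` set and the function names are constructed for illustration; `-p -`, which makes rdesktop read the password from standard input, is treated as safe.

```python
import os

# Constructed sample of `ps -e -o user,pid,args` output (not from a real host).
SAMPLE_PS = """\
    USER   PID COMMAND
   craig 20344 /opt/SUNWrdp/bin/rdesktop -a 24 -f -u craig -p SunRay123 margaritaville
   steve 20123 /opt/SUNWrdp/bin/rdesktop -a 24 -f -u steve -pT3mecu!a margaritaville
     ann 20410 /opt/SUNWrdp/bin/rdesktop -a 24 -f -u ann -p - margaritaville
    root   412 /usr/lib/ssh/sshd
"""

WATCHED = {"rdesktop"}  # assumption: binaries whose -p takes the password itself
MASK = "********"


def redact_password(argv):
    """Return (exposed, argv copy with any literal -p password masked)."""
    out, exposed, i = [], False, 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-p" and i + 1 < len(argv):
            value = argv[i + 1]
            if value != "-":  # "-p -" tells rdesktop to read the password from stdin
                exposed, value = True, MASK
            out += [arg, value]
            i += 2
            continue
        if arg.startswith("-p") and len(arg) > 2:  # attached form: -pSECRET
            exposed, arg = True, "-p" + MASK
        out.append(arg)
        i += 1
    return exposed, out


def find_exposed(ps_text, watched=WATCHED):
    """Scan `ps -e -o user,pid,args` text; return (user, pid, redacted command)."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        user, pid, args = fields
        argv = args.split()  # ps joins argv with spaces, so boundaries are best-effort
        if os.path.basename(argv[0]) not in watched:
            continue
        exposed, safe_argv = redact_password(argv)
        if exposed:
            findings.append((user, int(pid), " ".join(safe_argv)))
    return findings
```

Calling `find_exposed(SAMPLE_PS)` flags the craig and steve rows and skips the `-p -` row; the masked command line keeps the report itself from becoming a second copy of the password.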

If you want to safely pass the password to the Sun Ray Windows Connector (or RDesktop for that matter) from the command line, you can do so with expect.

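#!/opt/sfw/bin/expect
# The password lives in this file: keep it readable by its owner only.
# Start the connector; it prompts for the password on its terminal,
# so the password never appears in the process arguments.
spawn /opt/SUNWuttsc/bin/uttsc -m -A 24 -u craig -p Margaritaville
sleep 1
# Wait for the prompt, then answer it.
expect "Password: "
send "SunRay123\r\n"
# Block until the connector exits.
wait -i $spawn_id
#end of script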

This will allow you to safely send the password via a script and not worry about snoopy people out there.

Hope that helps!

Comments:

That's a nice self-contained example but in a real deployment you probably don't want every user to have to create and manage their own individual copy, or copies, of that script. If you do that then it's practically certain that some (perhaps many, most or even all) of your users will end up making their scripts readable and thereby giving away their passwords. Instead you want to have one central copy of a script that knows how to obtain the password from a properly-managed per-user password store. That's a capability that I very much hope will be delivered in a future release of the Connector. The Connector could also reasonably be enhanced to accept a password from its standard input, doing away with the need for 'expect'.

OttoM.

Posted by ottomeister on June 07, 2006 at 12:19 PM PDT #

True. Should have stated it was more for a CAM type deployment. Folks that want to do the same under Solaris should check out the JDS Integrator that stores your Windows password in the Gnome Keyring. It can be found under the Supplemental directory of the Sun Ray Connector zip file.

Posted by ThinGuy on June 07, 2006 at 03:16 PM PDT #

Is it possible to intercept a password used to log in to the Sunray environment (Gnome desktop) so it can be later passed to uttsc via the -i cli option or using your example and the -p option?
I'd like to be able to intercept the user password and keep it for the duration of the session.
Thanks,
D.

Posted by DK on July 24, 2008 at 04:37 AM PDT #

About

Think Thin is a collection of bloggers that work with Oracle's Virtual Desktop portfolio of products.
