Remote access with ThinLinc 4.12

Timeless Classic

Implementing Single App Access

ThinLinc offers various possibilities that are not all recognizable at first glance. Instead of a complete desktop, you can limit the user environment to a single application – a very interesting option from a security perspective. In practice, you can limit access, for example, to a web browser. Only web-based access with Firefox is then available to employees.

For this purpose, changes are needed to the ThinLinc configuration file opt/thinlinc/etc/conf.d. To do so, generate a new profile by editing the profiles.hconf file, which could look as follows in an instance where Firefox is the only permitted application:

name=Firefox only
description=Example configuration of single app access to ThinLinc
cmdline=${TLPREFIX}/bin/tl-single-app firefox
testcmd=type firefox

You must also add the new profile to the order parameter:


After saving and restarting the ThinLinc server, the new profile is available from the profile selection.

Adapting to Windows

The option of accessing Active Directory and a Windows file server is important for integration in a heterogeneous network environment. First, you must install various components on the ThinLinc clients:

yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation

The next step is to activate collaboration with the Windows DNS service so that the AD domain can be recorded correctly. Listing 1 shows what this must look like. To join the domain and provide the admin password for access and verify the user resolution in Active Directory, use the commands:

Listing 1

Windows Integration

[localhost]# realm discover <Domain>
    type: kerberos
    realm-name: <Domain>
    domain-name: <Domain>
    configured: no
    server-software: active-directory
    client-software: sssd
    required-package: oddjob
    required-package: oddjob-mkhomedir
    required-package: sssd
    required-package: adcli
    required-package: samba-common-tools
realm join <domain>
id testuser@<domain>

Additionally, the system security services daemon (SSSD) configuration sssd.conf must be adapted to make ThinLinc recognizable as a service. To do this, edit the file /etc/sssd/sssd.conf and add the line:

ad_gpo_map_remote_interactive = +thinlinc

The changes take effect after entering

systemctl restart sssd

to restart SSSD.

Enhancing Access Security

When accessing the ThinLinc server, you have the option of using two-factor authentication, a one-time password (OTP), or a standard password for authentication. The procedure for enabling OTP authentication for accessing ThinLinc starts with installing the Google Authenticator:

sudo dnf install google-authenticator

Next, configure SSHD so that the daemon permits authentication by editing the file /etc/ssh/sshd_config and activating the ChallengeResponseAuthentication option:

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

This system modification also takes effect after a restart. The next step involves configuring the interaction between PAM and Google Authenticator. To do this, edit the file /etc/pam.d/thinlinc and make the changes shown in Listing 2.

Listing 2


#%PAM-1.0 e
Auth               required e
Auth               substack        password-auth e
Auth               required nullok e
Auth               include         postlogin e
account            required e
account            required e

After installing Google Authenticator on the terminal, the user still needs to activate OTP functionality on the ThinLinc server. To do this, execute the google-authenticator program, which opens an interactive dialog. During configuration, a QR code is output that the user scans with the terminal device to activate the functionality.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=