Remote access with ThinLinc 4.12
Timeless Classic
Implementing Single App Access
ThinLinc offers various possibilities that are not all recognizable at first glance. Instead of a complete desktop, you can limit the user environment to a single application – a very interesting option from a security perspective. In practice, you can limit access, for example, to a web browser. Only web-based access with Firefox is then available to employees.
For this purpose, changes are needed to the ThinLinc configuration under /opt/thinlinc/etc/conf.d. To do so, generate a new profile by editing the profiles.hconf file, which could look as follows in an instance where Firefox is the only permitted application:
[/profiles/firefox]
name=Firefox only
description=Example configuration of single app access to ThinLinc
cmdline=${TLPREFIX}/bin/tl-single-app firefox
testcmd=type firefox
You must also add the new profile to the order parameter:
order=firefox
After saving and restarting the ThinLinc server, the new profile is available from the profile selection.
Adapting to Windows
The option of accessing Active Directory and a Windows file server is important for integration in a heterogeneous network environment. First, you must install various components on the ThinLinc clients:
yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation
The next step is to set up cooperation with the Windows DNS service so that the AD domain is detected correctly. Listing 1 shows what this must look like.
Listing 1
Windows Integration
[localhost]# realm discover <Domain>
DOMAIN
  type: kerberos
  realm-name: <Domain>
  domain-name: <Domain>
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
To join the domain, providing the admin password for access, and then verify user resolution in Active Directory, use the commands:
realm join <domain>
id testuser@<domain>
Additionally, the system security services daemon (SSSD) configuration sssd.conf must be adapted to make ThinLinc recognizable as a service. To do this, edit the file /etc/sssd/sssd.conf and add the line:
ad_gpo_map_remote_interactive = +thinlinc
The changes take effect after restarting SSSD:
systemctl restart sssd
Enhancing Access Security
When accessing the ThinLinc server, you have the option of using two-factor authentication, a one-time password (OTP), or a standard password for authentication. The procedure for enabling OTP authentication for accessing ThinLinc starts with installing the Google Authenticator:
sudo dnf install google-authenticator
Next, configure SSHD so that the daemon permits authentication by editing the file /etc/ssh/sshd_config and activating the ChallengeResponseAuthentication option:
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
This system modification also takes effect after a restart. The next step involves configuring the interaction between PAM and Google Authenticator. To do this, edit the file /etc/pam.d/thinlinc and make the changes shown in Listing 2.
Listing 2
/etc/pam.d/thinlinc
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_google_authenticator.so nullok
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
After installing Google Authenticator on the terminal device, the user still needs to activate OTP functionality on the ThinLinc server. To do this, execute the google-authenticator program, which opens an interactive dialog. During configuration, a QR code is output that the user scans with the terminal device to activate the functionality.
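The following check is an added example, not part of the original article: it parses the auth stack from Listing 2 and reports whether OTP is actually enforced. With the nullok argument, pam_google_authenticator.so lets accounts that have not yet run google-authenticator log in with the password alone, so the check flags it. The function name audit_otp and the embedded sample stack are constructed for illustration.

```python
import re

OTP_MODULE = "pam_google_authenticator.so"
# Fields of a PAM rule: type, control (plain word or [bracketed]), module, arguments
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

# Constructed sample: the stack shown in Listing 2.
SAMPLE_STACK = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_google_authenticator.so nullok
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
"""


def audit_otp(pam_text):
    """Return findings for the auth stack; an empty list means OTP is enforced.

    Files pulled in via include/substack are not followed.
    """
    findings, otp_seen = [], False
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        match = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not match or match.group(1).lower() != "auth":
            continue
        control, module, args = match.group(2), match.group(3), match.group(4).split()
        if module.rsplit("/", 1)[-1] == OTP_MODULE:
            otp_seen = True
            if control not in ("required", "requisite"):
                findings.append(f"line {lineno}: control '{control}' does not make OTP mandatory")
            if "nullok" in args:
                findings.append(f"line {lineno}: nullok lets users without ~/.google_authenticator skip OTP")
        elif control == "sufficient" and not otp_seen:
            # A successful 'sufficient' module ends the stack before OTP is asked.
            findings.append(f"line {lineno}: sufficient {module} can end the stack before OTP")
    if not otp_seen:
        findings.append(f"no {OTP_MODULE} rule in the auth stack")
    return findings


if __name__ == "__main__":
    for finding in audit_otp(SAMPLE_STACK):
        print(finding)
```

Once every user has enrolled, removing nullok from the Listing 2 line makes the check return no findings.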