El Cheapo Graphical Terminals


This is part of some write-ups on experiments to use Linux as a kiosk system. 'Kiosk system' can mean a couple of things, but here we assume that it's a computer that runs just one application - in this case an rdp-client that allows it to connect to a remote Terminal Server (Microsoft Terminal Services) or a remote desktop.

Such a setup could be used for easy management of dedicated workstations (no local configuration, everything server-based), or, in combination with an openVPN tunnel, to provide rich client)server applications to branch offices and remote users behind low bandwidth WAN links.


Concept

We'll use an ordinary PC, possibly an old, decommisioned one, run a minimal Linux system on it with a custom fluxbox desktop to provide a small handful of menus when needed, and an rdp-client preconfigured to connect to our Terminal Server.

We'll show how to (optionally) add an OpenVPN client that automatically connects to the HQ's VPN gateway.

Overall, we keep this simple and reproducable, so you can turn out many of these "thin" clients to easily provide any application (by way of your Terminal Server) to remote users, or as a poor man's way to Desktop Virualization.

Hardware, Operating system

We're mimicking thin clients here, using regular PC's. Hardware requirements are minimal, a 5 year old PC will do fine.

Start with a minimal Linux install - I usually do Debian (net installer) or Ubuntu (mini cd). Ubuntu gives you slightly better support for some proprietary hard- or software and overall user-friendliness and smoother look-and-feel, although most of that ends up in Debian sooner or later as well. Ubuntu may have the downside that it's evolving towards a highly integrated operating system, so custom pick-and-choose spins like these might get more difficult in the future.

Refer to Debian minimal system.
Consider automatic installations if you need to do a lot of these.

Fluxbox

Although you can run GUI apps without a Window manager or a Desktop environmant, I usually add Fluxbox window manager to provide some Windows management, menus, etc. which sometimes comes in handy for troubleshooting, and to keep the user away from the shell (both for userfriendliness and as a security measure).

Fluxbox is easily configurable, so you can provide a simple menu to let the user restart a hung application or shutdown or restart the system, and you can autostart an application on login. Or set screensaver preferences.

Fluxbox Kiosk configuration

Here are some of the config files for fluxbox, with appropriate settings for the 'thin client' we're building :

file keys defines actions on mouse clicks and control keys
[begin]
# click on the desktop to get menus
OnDesktop Mouse1 :HideMenus
OnDesktop Mouse3 :RootMenu

# current window commands
Mod1 F4 :Close
Mod1 F9 :Minimize
Mod1 F10 :Maximize
Mod1 F11 :Fullscreen


# shutdown by Ctrl-Alt-Del
Control Mod1 Delete :ExecCommand sudo /sbin/shutdown -hP now
[end]

apps definieert toepassingen en autostarts

[startup]{xscreensaver}
[startup]{numlockx on}
[startup]{tsclient}
#[startup]{tsclient -x .tsclient/mytsserver.rdp}

[startup]{tsclient} : see further

menu provides a menu to access user applications, a shutdown mechanism, and some troubleshooting :

[begin] (fluxbox menu)
    [exec] (Connect to Terminal Server) {/usr/bin/tsclient -x ~/.tsclient/mytsserver.rdp } 

    [nop]
    [exec] (Terminal Server Client) {/usr/bin/tsclient -f} </usr/share/pixmaps/tsclient.xpm>
    [exec] (Screensavers settings) {xscreensaver-demo}

    [nop]
    [exec] (Shutdown the computer) {sudo /sbin/shutdown -hP now }	
[end]

user account

Since you don't want any of this to run as root, you need to create a user account, with a password.

	useradd -m -s /bin/false sillyuseraccount

At this point, you also need to consider the use of a display manager.

Install and configure rdp client

install tsclient

apt-get install tsclient

Next, you might run tsclient and configure a session. These settings will be saved to a file, that can be reused for later sessions. This is how you let your users connect to your terminal server(s).

Settings : you probably want to run this fullscreen.

When you're re-using an rdp settings file, you need to copy it into the kiosk user's home. Since you're most likely doing this as root, you need to take care of the file permissions :

 mkdir .tsclient
 touch .tsclient/mytsserver.rdp
 chown kiosk:kiosk .tsclient

partial sample of a settings file :


attach to console:i:0
audiomode:i:0
auto connect:i:0
diskmapping:i:0
bitmapcachepersistenable:i:1

disable themes:i:0
disable wallpaper:i:0
displayconnectionbar:i:0

enable wm keys:i:0
full address:s:mytsserver.example.com
hide wm decorations:i:0

redirectcomports:i:0
redirectdrives:i:0
redirectprinters:i:0
redirectsmartcards:i:0
screen mode id:i:2

Auto start the TS session

Note the entry #[startup]{tsclient -x .tsclient/mytesserver.rdp} in the fluxbox apps file. This is meant to start tsclient with the settings saved in .tsclient/mytesserver.rdp, but that didn't seem to work as planned. Workaroud : we use [startup]{tsclient} instead, but copy the settings into tsclient's 'most recently used config' file so that the settings are reused when we call tsclient without further parameters.
cp -p mytsserver.rdp last.tsc

Note that the tsclient -x .tsclient/mytesserver.rdp entry in the fluxbox menu does seem to work as expected.

Allow users to shutdown the computer

Because this is more of a "thin client" system than an actual kiosk, we want to allow the users to shut down the computer. We've provided a menu item for shutdown, and we've also mapped Ctrl-Alt-Del to shutdown, but those will fail because regular users are not allowed to shutdown a linux system. Only root can do that.

Of course, we can allow users to shut down the system, by means of sudo.

Make sure you have 'sudo' installed, then run visudo and add this line that will allows the useraccount 'kiosk' to execute '/sbin/shutdown -hP now' with root privileges, without being prompted for a password

kiosk 	ALL=(root)      NOPASSWD: /sbin/shutdown -hP now

(Optionally) install and configure openvpn client

VPN intro

Install openvpn client :

apt-get install openvpn

Obviously, this also requires a vpn-server on the other end, and a client config that matches the server config. That's beyond the scope of this howto.

(Optionally) install other apps

Xscreensaver might be a good idea. Not only it offers an impressively large collection of impressive screen savers, you can also use it to lock your screen after a given inactivity time-out (offers some security), or for configuring energy-saving standby.

Lockdown

Seriously consider hardening the system.

More


Koen Noens
April 2012