
Re: [seul-edu] youngsters logging in



Ok, sorry I am getting into this thread late...

On Wed, 9 May 2001, Jim Thomas wrote:

> Hi,
>
> I'm the volunteer sysadmin of a 20-PC linux lab in a small K12 private
> school.  The school would like to get the younger students into the lab
> on a regular basis, and I'm starting to worry about the logistics of
> having the younger ones log in.  Since they can't type very well (if at
> all), correctly typing in a username/passwd pair will be monumentally
> difficult for them.  I'm sure the teacher would spend the first 20
> minutes of lab time getting them logged in, and I doubt that she'd be
> very happy about that.

We have a lab (linux based, of course) for use by K-5 students at Corbett
Elementary School.

Here is the process we use.  Kinder students get a "kxxx" number for login
(teachers have written the numbers on little cards, and pass them out at the
beginning of the lab time).  All other students have a user name of
"firstnamelastname" full first and last name, no capital letters, no
spaces.  Even the first graders can usually get the hang of it after the
first three weeks of the year (they all visit the lab once/week).

Now here is the big thing:  No passwords.  We set our PAM config to permit
null passwords for local GDM login, but not for SSH, (or if it was there,
telnet), or even text console login.

> I posted my quandary to comp.os.linux.security with two proposals and
> solicited comments and/or alternate proposals.  I'd like to summarize for
> SEUL/Edu.
>
> 1) Write an app that the teacher runs from the server.  This app logs
> the students into their assigned machines.
>
> 2) Use null passwords for the younger students, but lock their
> accounts.  The teacher runs an app that unlocks one account per machine
> for a five-minute period.  Optionally, the student's .bashrc could
> launch an suid app which re-locks the euid's account and close the
> window a little earlier.
>
> These proposals were fairly well received, with option two being the
> favored one.  Then someone else proposed a third option:
>
> 3) Print ID cards with username/passwd's encoded for a bar code
> scanner.  Install bar code scanners on all the machines.  Radio Shack is
> giving away FREE bar code scanners (do a web search on Cue:Cat).  These
> come with Windows software which will launch a web browser and connect a
> user to a manufacturer's web site when a product's UPC is scanned (or to
> Amazon when a book's ISBN number is scanned).  Each bar code reader
> comes with a unique serial number, so the privacy implications here are
> horrific, but that's an aside.  Several people have developed code to
> read the output of the Cue:Cat, including a PAM module, but AFAIK, no
> one has put together a complete package for login authentication.
>
> I'd like to extend this scheme so that the ID cards can also be used as
> library cards with Koha, and I'd ALSO like to use them for logging into
> the few Winders boxen we have (using a samba server).
>
> Has anyone tried this?  Does anyone want to help work on this?
> This could be very sweet!

The ideas that we have looked at are Smart Card based, or Dallas
Semiconductor iButton based, unfortunately they are rather costly when you
think we are dealing with over 650 users, and 35% of our users change over
the course of a year.  The null passwords have not been an issue, since
most of the users have a hard time typing in their own name, let alone a
friend's name.

			Harry


> --
> Jim Thomas                            E-mail:     jthomas@bittware.com
> Senior Applications Engineer          Web:     http://www.bittware.com
> Bittware, Inc                         Tel:              (703) 779-7770
> Reality continues to ruin my life. - Calvin
>

--
Harry McGregor, CEO, Co-Founder
Hmcgregor@osef.org, (520) 661-7875 (CELL)
Open Source Education Foundation, http://www.osef.org
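
The setup described in the message above (null passwords accepted for local GDM login, but not for SSH or text console login) depends on which PAM service files carry `nullok` on `pam_unix.so`. The following audit is an added example, not part of the original message or the school's configuration; the service file names and their contents are constructed assumptions.

```python
import re

# Constructed sample pam.d files (assumed, not from the original post): the
# graphical login accepts empty passwords, the remote and console ones do not.
SAMPLE_PAM = {
    "gdm": "auth required pam_env.so\nauth include lab-nullok\n"
           "account required pam_unix.so\n",
    "lab-nullok": "# hypothetical stack shared by the display manager only\n"
                  "auth [success=1 default=ignore] pam_unix.so nullok\n"
                  "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "sshd": "auth required pam_unix.so try_first_pass\n",
    "login": "auth required pam_securetty.so\n"
             "auth required pam_unix.so # nullok removed\n",
}

def parse_rules(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # Optional leading '-', then type, control (word or [bracketed]), module.
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def allows_null(service, files, seen=None):
    """True if the service's auth stack reaches pam_unix.so with nullok."""
    seen = seen if seen is not None else set()
    if service in seen or service not in files:  # include loop or missing file
        return False
    seen.add(service)
    for rtype, control, module, args in parse_rules(files[service]):
        if rtype != "auth":
            continue
        if control in ("include", "substack"):
            if allows_null(module, files, seen):  # follow the included stack
                return True
        elif module.endswith("pam_unix.so") and "nullok" in args:
            return True
    return False

def audit(files, entry_points):
    """Map each login entry point to whether it accepts empty passwords."""
    return {svc: allows_null(svc, files) for svc in entry_points}

if __name__ == "__main__":
    for svc, ok in audit(SAMPLE_PAM, ["gdm", "sshd", "login"]).items():
        print(f"{svc:6} empty passwords {'ACCEPTED' if ok else 'rejected'}")
```

On a real host the dictionary would be filled from the files under `/etc/pam.d/`. OpenSSH additionally has its own `PermitEmptyPasswords` setting in `sshd_config`, which defaults to `no`.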