1.2 RC

Author: henk717

.gitignore

@@ -0,0 +1,2 @@
+session.log
+*.vhd

Dockerfile

@@ -2,11 +2,11 @@ FROM debian:bookworm
 
 COPY tcfiles/debian.sources /etc/apt/sources.list.d/debian.sources
 
-RUN apt update && apt install sudo freerdp2-x11 yad fvwm xterm xinit mingetty polkitd wpasupplicant systemd-resolved nano udiskie mc mtr firmware-linux firmware-linux-nonfree firmware-iwlwifi firmware-realtek firmware-atheros firmware-brcm80211 firmware-b43-installer ffmpeg pipewire-audio pamixer -y
+RUN apt update && apt install sudo curl freerdp2-x11 yad fvwm xterm xinit mingetty polkitd wpasupplicant systemd-resolved nano udiskie mc mtr firmware-linux firmware-linux-nonfree firmware-iwlwifi firmware-realtek firmware-atheros firmware-brcm80211 firmware-b43-installer ffmpeg pipewire-audio pamixer -y
 COPY tcfiles/thinclient /usr/bin/thinclient
 COPY tcfiles/set-hostname /usr/bin/set-hostname
 COPY tcfiles/firstboot /usr/bin/firstboot
-COPY tcfiles/auto-maintainance.debian /usr/bin/auto-maintainance
+COPY tcfiles/auto-maintenance.debian /usr/bin/auto-maintenance
 COPY tcfiles/099_tc /etc/sudoers.d/099_tc
 RUN chmod +x /usr/bin/*
 

Readme.md

@@ -16,9 +16,10 @@ Super simple to setup, and easy for the end user.
 - Error messages that make sense and include your own helpdesk info, your users know exactly who to contact and what to say (Written by an experienced sysadmin who also does first line support).
 - Disk image that is not machine bound, you can capture it any time and redeploy your config on other machines. Hostnames change automatically based on the wired adapters mac address.
 - Optimized RDP defaults, rdp will just work out of the box with optimal quality. If you need to customize this further the option is available.
+- Based on the excellent xfreerdp project like most Linux based thinclients
 - Xanmod 6.12 Kernel for wide device compatibility
 - Docker as the build system making it easy to build your own custom image.
-- auto-maintainance command for system updates (Own risk especially on auto update mode, if a bad update releases and you enabled automatic updates you have to manually roll back your machines).
+- auto-maintenance command for system updates (Own risk especially on auto update mode, if a bad update releases and you enabled automatic updates you have to manually roll back your machines).
 - No external ports and minimal packages to reduce the attack surface even if the machine is outdated (The UI can be navigated easily over the phone, VNC is not neccesary. Instead if you need to assist users request remote access within the remote desktop.)
 
 ## Build your own image
@@ -55,13 +56,13 @@ Here is a template (Don't forget to change the country, I put china as the examp
 ```
 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
 update_config=1
-country=CNnetwork={
+country=CN
+network={
 	ssid="SSID GOES HERE"
 	psk="Password goes here"
 }
 ```
 
-
 ### Manual setup
 
 If the thinclient is not preconfigured on the boot partition it will automatically boot its configuration screen.
@@ -72,7 +73,7 @@ The helpdesk field will be used in the middle of error message sentences, for ex
 ### Automatic setup
 
 Just like the WiFi the settings for the thinclient software can also be preconfigured by placing a tcconfig file in the boot partition.
-The template for this file is as follows:
+The template for this file is as follows (pay attention to the line endings, they need to be linux compatible):
 
 ```
 server=
@@ -81,15 +82,31 @@ param=
 volume=
 adminpass=
 helpdesk=
+config_url=
 ```
 
+### Remote Setup (Own risk)
+
+If a config_url is defined the thinclient will automatically download its config file every time the login screen is shown.
+As a safety measure the config is only written on a succesful download and the previous working URL is backed up to a seperate file (If your new location is succesful the old URL is overwritten).
+Should the config become corrupt the backuped up config URL can be used to recover functionality, there are cases where the incorrect URL can become permanent such as migrating your production thinclients to the configuration of your development environment as this sets a working config_url . To help minimize this risk its recommended not to specify a config_url in configurations that are not meant for production (Do not leave it empty as this will disable remote setup, remove the line entirely).
+
+Because of this and the inherent dangers of remote configuration ensure the config file webserver is well secured and the configuration files are well tested before mass deployment.
+Even though this functionality was exploit tested it is a possible point of failure if a hacker finds a novel bash exploit or overwrites the RDP server with a malicious one.
+
+tc_hostname in the URL is automatically replaced with the hostname of the thinclient to enable per client configuration.
+
+You implement this functionality strictly on your own risk. If left blank this functionality is fully disabled.
+
 ### Root Account
 
 In the release the root account is disabled with two exceptions that do not require a password:
-auto-maintainance (Own risk), this tool can be used to manually update the system or can be used to enable automatic updates.
+auto-maintenance (Own risk), this tool can be used to manually update the system or can be used to enable automatic updates.
 set-hostname , this tool changes the hostname of the thinclient. If the dynamic_hostname file is present in the user account hostnames will be set according to the macaddress of the wired adapter.
 (Likewise the thinclient account has no default password)
 
+When self building you can pass a -p parameter to enable the root password.
+
 ### Password commands
 
 config : Re-open the config dialogue
@@ -98,8 +115,8 @@ terminal: Open the terminal
 
 ping (without your admin password in front): Ping the RDP server with a full traceroute, users can change this to any required destination if needed.
 
-
 ## Terms of Use
+
 - I currently don't know which formal license is the best fit, when using this software please respect the following:
 - I am not responsible for what happens with your deployment, its designed to be as robust as I could make it. But should unforseen consequences, bugs or updates happen I am not liable as you accept you use and deploy this on your own risk especially if you enabled automatic updates and your company is now offline due to a bad/incompatible debian update.
 - The software is free for both personal and business use and may not be resold. Preinstallation on physical hardware is allowed as long as it is made clear that it runs software based on this free repository.

UFTC Thin Client Troubleshooting.docx

@@ -3,14 +3,14 @@
 if [[ $1 = "gui" ]]; then
     MENU=$(
         zenity --list \
-        --title="Automatic Maintainance (Updates / Cleaning)" \
+        --title="Automatic Maintenance (Updates / Cleaning)" \
         --text="This program is a quick and easy way to automatically update your system." \
         --column="Option" --column="Description" \
         --width="570" \
         --height="220" \
         "Run" "Runs the updates and cleanup once" \
-        "Enable" "Enables Auto-Maintainance to keep your system up to date automatically" \
-        "Disable" "Disables Auto-Maintainance for manual updates" \
+        "Enable" "Enables Auto-Maintenance to keep your system up to date automatically" \
+        "Disable" "Disables Auto-Maintenance for manual updates" \
         "Exit" "Goodbye!"
     )
 
@@ -31,40 +31,40 @@ if [[ "$(id -u)" != 0 ]]; then
 fi
 
 if [[ $1 = "enable" ]]; then
-if [[ ! -f /usr/bin/auto-maintainance ]]; then
-    echo auto-maintainance is not installed in the system, copying self to /usr/bin
-    cp $0 /usr/bin/auto-maintainance
+if [[ ! -f /usr/bin/auto-maintenance ]]; then
+    echo auto-maintenance is not installed in the system, copying self to /usr/bin
+    cp $0 /usr/bin/auto-maintenance
 fi
 echo '[Unit]
-Description=Automatic Maintainance
+Description=Automatic Maintenance
 
 [Service]
 User=root
 Restart=always
 RestartSec=1800s
-ExecStart=/usr/bin/auto-maintainance
+ExecStart=/usr/bin/auto-maintenance
 
 [Install]
-WantedBy=multi-user.target' > /etc/systemd/system/auto-maintainance.service
-systemctl enable auto-maintainance
-echo Automatic Auto Maintainance will be enabled upon reboot.
-echo Use systemctl start auto-maintainance to start the service immediately.
+WantedBy=multi-user.target' > /etc/systemd/system/auto-maintenance.service
+systemctl enable auto-maintenance
+echo Automatic Auto Maintenance will be enabled upon reboot.
+echo Use systemctl start auto-maintenance to start the service immediately.
 read -p "Press a key to continue"
 exit 0
 fi
 
 if [[ $1 = "disable" ]]; then
-systemctl stop auto-maintainance
-systemctl disable auto-maintainance
-rm /etc/systemd/system/auto-maintainance.service
-echo Automatic Auto Maintainance is now disabled.
+systemctl stop auto-maintenance
+systemctl disable auto-maintenance
+rm /etc/systemd/system/auto-maintenance.service
+echo Automatic Auto Maintenance is now disabled.
 read -p "Press a key to continue"
 exit 0
 fi
 
 # Ensure we are not running in a Live Environment (That could make us run out of RAM on old ISO's).
 if grep -q "Live session" /etc/passwd; then
-	echo Auto Maintainance should not be performed on a Live Environment.
+	echo Auto Maintenance should not be performed on a Live Environment.
 	echo If you wish to manually install or update programs use Apt .
 	exit 1
 fi