This is beta software which means it may still have bugs. If you have any problems with it, please let me know.
Disclaimer: Although the Kiosk software (Kiosk, Kiosk Admin, Kiosk Launcher, etc.) seems to work fine, it is distributed "as is". Use at your own risk.
Kiosk is simple security software for the Macintosh, similar to Apple Computer's At Ease software. It provides basic security features, including multiple authentication methods (using plug-ins), three user levels (normal, guest, and admin), the ability to allow only specified applications to run, event logging, reauthentication (is that a word?) after a specified amount of idle time, etc. Note that although Kiosk provides some security, it is not the ultimate hard disk/file security package for the Mac, nor is it meant to be. At Baylor, we use Kiosk along with separate hard disk security software (Foolproof¬) on the information kiosks in the Baylor libraries. Actually, Kiosk was originally written for the library kiosks (lowercase-k) which is where it got its name.
Kiosk Basics
The Kiosk software system consists of:
Ñ Kiosk - the program itself
Ñ Kiosk Admin - a separate utility for setting Kiosk preferences
Ñ Kiosk Auth Plug-Ins - used for authenticating users
Ñ Auth Tester - a small utility for testing authentication plug-ins
Ñ Kiosk Launcher - an optional launcher program for running other applications
Ñ Log Out - a tiny app that sends a "log out" AppleEvent to Kiosk
Kiosk is not an extension, but runs at startup instead of the Finder, so it cannot be disabled by holding down the shift key. It opens up a dialog where a user enters his or her ID and password. Kiosk then calls a specified authentication plug-in which validates the user and returns an appropriate response to Kiosk. If the authentication succeeds, Kiosk launches a specified application, possibly the Finder. The user can log out from Kiosk which will quit all applications and display the login dialog. If the user is idle for a specified amount of time, e.g., walked away from the kiosk, Kiosk will automatically log out and return to the login dialog.
There are three Kiosk user levels: normal (most people), admins (specified in Kiosk Admin) and guests (if guest access is enabled). A user logs in as guest either by clicking the "Guest" button in the login dialog or by entering an ID that the authentication plug-in recognizes as a "guest account". If the Finder is already running when the user is authenticated, Kiosk will run in "admin mode" even if the user is not an admin.
At the login dialog, the user can enter "restart", "shutdown", or "update" and any password to restart, shut down, or update the hard disk (launch the hard disk updater application). Once logged in, there are menus for these as well. There is a "Log Out" menu that will quit all applications and return to the login dialog. The "Quit" menu also logs non-admin users out (instead of quitting).
Setting Up Kiosk
First, move/copy the Kiosk program into the System folder. Do not move or rename this program if Kiosk is set up as the startup program. Doing so will render your Mac unbootable and you will need to start from a floppy or CD-ROM to fix it. Copy the "Kiosk Auth Plug-Ins" folder into either the Application Support folder, the Extensions folder, or the System folder. (Don't rename the folder, either...) This folder contains the plug-ins that do the actual authentication. For testing purposes, you will want to use "Pick a Response" so make sure that that plug-in is in the folder.
Next, run Kiosk Admin. Kiosk Admin is the program that allows you to set preferences for Kiosk. It does this by editing the preferences file used by Kiosk. This file, called "Kiosk Preferences", must exist in the Preferences folder of the Kiosk startup disk, otherwise Kiosk will display an error message and then shut down the Mac. When Kiosk Admin first runs, it will look for the Kiosk Preferences file in the current Preferences folder, and if it exists, open it. If it doesn't exist, Kiosk will ask you for the preferences file to open. If you don't have a Kiosk Preferences file, i.e., this is the first time you have run Kiosk Admin, cancel the Open dialog, and select the New menu. Later, when you save the preferences, save it in the Preferences folder of the Kiosk startup disk, or be sure to move it to the Preferences folder later.
There are six topics in the Kiosk Admin window: Settings, Default Application, Authentication, Permitted Applications, Administrators, and Messages. There is also a menu that allows you set the startup application on a disk, i.e., Kiosk or Finder (see below).
Settings
Hard Disk Updater
If you have a utility that can update/fix the software on the hard disk, e.g., Rev-R-Dist or maybe an AppleScript, choose it here. If the user chooses the "Update Hard Disk" menu item in Kiosk, this application will be launched. You can enter "update" as the user ID (and any password) in the login dialog to launch the application as well. (This is so you can update TCP/IP prefs files, etc. that may be keeping Kiosk from running or authenticating.)
Allow Users to Update Hard Disk
Set this option if you want normal (and guest) users to be able to update the hard disk. If this option is not set, only admins will be able to do so. Note that anyone can update the hard disk by entering "update" as the ID in the login dialog.
Log File
Kiosk will maintain a log file in the Preferences folder. You can specify the types of entries to be logged: General Events (startup, hard disk updates, etc.), LogIns/LogOuts (who logged in and out and how), Application Launches (only if Kiosk launches the app), and Invalid Applications (if the user attempts to launch an app that is not permitted). Errors are also logged to the file. Kiosk does not remove old entries so you may want to check the log file periodically to make sure it isn't too big.
Auto Shut Down/Restart
If this option is enabled Kiosk will automatically shut down (or restart) the Mac at a specified time if there is nobody using the Mac, i.e., the login dialog is displayed. If someone is using the Mac when the shut down time is passed, the Mac will shut down after they log out.
Run Startup Items
Enable this option to have Kiosk run startup items (applications and documents in the Startup Items folder) when it is first launched. Make sure to add these applications to the list of permitted applications or they won't be launched.
Run Log In/Out Items
Enable this option to have Kiosk run items (applications and documents) whenever a user logs in our out. For example, you might want to run a small utility or AppleScript that cleans up the web browser's cache and history. These items need to be in folders called "Kiosk Log In Items" and "Kiosk Log Out Items" which should be located in either the Application Support folder, the Extensions folder, or the System folder. It's probably best to place the folders in the same folder that the Kiosk Auth Plug-ins folder is located (but not in the plug-ins folder itself). Make sure to add these applications to the list of permitted applications or they won't be launched. If this option is enabled, both of these folders must exist, even if they are empty.
Log In items are run after a user is authenticated but before the default or guest application is launched. Note that Kiosk does not wait until the log in items are finished before launching the default/guest application.
Log Out items are run after a user explicitly logs out, restarts, shuts down, or is logged out after being idle. Because Kiosk waits until the Log Out items have quit before bringing up the login dialog, these items should do their work very quickly and then quit. Similarly, they should not display a dialog box, because the user may have already left the workstation. Kiosk will wait for 1 minute waiting on Log Out items to quit, and if any programs are still running, Kiosk will force the workstation to restart.
Idle Timer
Here is where you set the number of minutes of idle time, i.e., the user has not typed a key or moved the mouse, that Kiosk will allow before automatically logging the user out. Usually the system is idle because the user has walked away without logging out. Kiosk will bring up a warning dialog and countdown for 60 seconds before resetting. Kiosk then quits other applications by sending them a "quit" AppleEvent. If, after a short time, any applications don't quit (because they don't support AE's or perhaps there is a "Save before quitting" alert on the screen) Kiosk will force the Mac to restart. To disable the idle timer, enter 0 minutes. The maximum value allowed is 60 minutes.
Default Application
Default Application
This is the application that gets launched after the user is authenticated. Typically, this is some sort of "launcher" program. You can use Kiosk Launcher if you want a simple launching program but any program, including the Finder, can be specified. Another alternative is to use a web browser (Netscape or Internet Explorer) and launch programs using the BULauncher plug-in. Both an alias (an internal alias, not an alias file on disk) to the application and the application's unique four character signature are saved. Kiosk will try to use the alias first and if it can't resolve it, it will use the signature to figure out which application to launch. The alias stored within the preferences file may not work correctly if the preference file is copied from another system. Kiosk Admin tries to be smart and ignore the alias preference if it does not seem correct, i.e., it can't resolve it or the signature of the resolved file doesn't match the actual signature.
Note that if the Finder is not running, the Apple menu will be (mostly) empty and the user will not have access to the Apple Menu Items (desk accessories, the Chooser, control panels, etc.). Also, desktop printing/spooling and any other Finder dependent services will not be available. If you want to allow printing from the kiosk, be sure and disable background printing, i.e., within a Print dialog somewhere, set the printer to print in the foreground and save settings.
Default Document
This is an optional document that will be opened by the default application when it is launched.
Guest Application
This is the same as the default application except that it is launched instead if the user was authenticated as a Guest. If you want the default application to run for guests as well as normal users, you can leave this unspecified. But if you want the default application to open a different document for guest, you will need to specify the same application in both places.
Guest Document
This is an optional document that will be opened by the guest application when it is launched.
Authentication
Authentication Plug-In
This is the plug-in used to authenticate users. See below for information on individual plug-ins.
Click the "Choose" button to select the plug-in file. Although you can choose a plug-in file located anywhere on the hard disk, the plug-in file must exist in the "Kiosk Auth Plug-Ins" folder (mentioned above) on the Kiosk startup disk. Plug-ins should have an internal, unique, four character signature, but some older ones may not. Kiosk will first attempt to find the plug-in based on the signature but if missing, it will use the file name instead. In this case, you must make sure that the name is the same.
Click the "Clear" button to tell Kiosk to not bring up the login dialog, but instead assume a normal user with no username. The idle timer, permitted apps, etc. are all still enabled. You can force Kiosk to bring up the login dialog so that you can enter the bypass password (see below) by holding down the option key before Kiosk launches the default application. You may have to explicilty log out of Kiosk to get to this point, so the easiest way is to select the "Quit" or "Log Out" menus while pressing the option key, and continue to hold the key down until the dialog appears.
If, for some reason, the specified plug-in cannot be found, Kiosk will bring up an alert (only at startup) and will run as if no plug-in was chosen. You can still log in as an admin with the bypass password.
Bypass Password
This is an optional password that allows admins to log in when/if the auth plug-in is broken, can't contact server, etc. You will have to set the password both in the regular field and the confirmation field and they must match in order for preferences to be saved to disk. If you don't provide a bypass password and don't authenticate, i.e., have not chosen an auth plug-in you will have to boot from a floppy disk or CD-ROM to make any changes.
Auto-convert Spaces To Underscores
This is a convenience setting. If your IDs have underscores in them, e.g., Baylor's IDs are First_Last, then pressing the space bar will insert an underscore instead. Press option-space if you really want a space.
Allow Guest
If disabled, users will not be able to log in as guests. The "Guest" button will be disabled (grayed out) and if the auth plug-in returns a "guest" response, the user will get an alert stating that guest access is not permitted and the login dialog will reappear.
Reauthenticate When Last Application Quits
You can set Kiosk up so that if the user quits all applications, the user is automatically logged out. Often, users will simply quit the default application and walk away without explicitly logging out. This option is ignored if the user is an admin. There is a "Quit" menu in Kiosk that logs normal users out but actually quits Kiosk if the user is an admin.
Permitted Applications
Permitted Applications
Kiosk can restrict which applications users are allowed to run. If Kiosk is asked, i.e., from Kiosk Launcher or the BULauncher Netscape plug-in, to launch an application that is not permitted, it will inform the user that the application is not permitted and refuse to launch it. Because applications might be launched without Kiosk, Kiosk scans running applications and if it finds one that is not in the list, it will inform the user that the application is not permitted, send it a "quit" AppleEvent, and then wait for it to actually quit. If, for some reason, the application doesn't quit, Kiosk will alert the user and then force the Mac to restart. To add an application to the list, click the "Add" button and then choose the application from the list. Kiosk stores the 4 character signature and not an alias to the application. It is not necessary to include the default (and guest) application or the hard disk updater application to the list because they are implicitly included by Kiosk. Note that admins are allowed to run any application.
Import/Export
Because it can get tedious to have to add a lot of applications, you can import/export the list of applications from/to text files.
Permit All Applications
If you don't care what applications normal users run, enable this option.
Permit All Applications (Guests)
If you don't care what applications guests run, enable this option. Yes, it is possible to allow guests to run any application while normal users cannot, but I don't know of a reason for this.
Administrators
Administrators
Admins can run Kiosk with a few more privileges that normal users, e.g., they are permitted to run any application. Kiosk adds a "Finder" menu which will launch the Finder. The "Quit" menu actually quits Kiosk (as opposed to logging out for normal users) if the Finder is running. Admins can also enter the bypass password (see above) to bypass the auth plug-in. Because an admin might need to run as a normal user, e.g., for testing things, the admin status can be ignored by holding down the option key immediately after authenticating until the default application launches. (If you don't have a Finder menu item, then you aren't an admin.) You must add at least one admin otherwise Kiosk will always run in admin mode.
Messages
These are messages that Kiosk sometimes displays to the user. If you leave them blank, Kiosk will use its default messages. You may want to change them, e.g., add a message like "Contact extension HELP for assistance." to the error messages, etc. The maximum length of each is 255 characters.
Log In Prompt
"You must enter a valid ID and password to use this workstation."
The prompt that is displayed on the login dialog. Note that if an auth plug-in uses its own dialog, this prompt is ignored.
Auth: Failed (Bad ID or Password)
"ID and/or password were not correct. Please try again."
The message that is displayed when the auth plug-in returns a "failed" response, i.e., the ID or password were incorrect.
Auth: Entered "Guest" ID
"Anonymous access is not permitted on this workstation."
The message that is displayed when the auth plug-in returns a "guest" response but guest access is not permitted.
Auth: ID/Password never initialized
"Your ID and password have never been activated."
The message that is displayed when the auth plug-in returns an "initial" response, i.e., the user's ID or password have never been activated.
Auth: Access Denied
"Access for this account is denied."
The message that is displayed when the auth plug-in returns a "restricted", "no access", or "unauthorized" response.
Auth: Minor Error
"A minor error occurred. Please try again."
The message that is displayed when the auth plug-in returns a "system error" response. These are system configuration errors, e.g., no MacTCP, missing plug-ins, etc.
Auth: Server Error
"A server error occurred. Please try again."
The message that is displayed when the auth plug-in returns a "server error" response, i.e., the server returned an error message.
Auth: Network Error
"A network error occurred. Please try again."
The message that is displayed when the auth plug-in returns a "network error" response, e.g., couldn't contact the server.
Auth: Program Error
"A program error occurred. Please try again."
The message that is displayed when the auth plug-in returns a "program error" response, usually caused by a bug in Kiosk or the plug-in.
Logging In As Guest
"You are logging in as a guest. Some services may not be available."
The message that is displayed when the user logs in as a guest.
Guest Not Permitted
"Guest access is not permitted on this workstation."
The message that is displayed when the user clicks the Guest button in the login dialog but guest access is not permitted. The button should be disabled so this message should really never be seen.
Application Not Permitted
"This application is not permitted and will not be launched."
The message that is displayed when Kiosk is asked to launch an application that is not permitted. If the invalid application is launched without Kiosk, Kiosk will display the message, "The application [name] is not permitted and will quit." This message cannot be customized.
Kiosk Auth Plug-Ins
The Kiosk auth plug-ins are called by Kiosk to authenticate users. A plug-in may or may not use its own dialog to get the ID and password from the user. If it does use its own dialog, some features may not be available, e.g., no Guest button, or the ability to restart, shutdown, update hard disk, from the dialog.
There is a small utility, Auth Tester, that can be used to test an auth plug-in. It is mainly used for developing a plug-in, but is also useful if you want to test authentication and make sure it works before you actually install Kiosk.
When authenticating, a plug-in will return one of several possible responses to Kiosk:
Ñ Cancel - user canceled (only if plug-in uses its own dialog)
Ñ OK - user authenticated and permitted to use workstation
Ñ Failed - user not authenticated (incorrect ID or password)
Ñ Initial - user's ID or password has never been activated
Ñ Guest - ID is a "guest" account
Ñ Restricted - user authenticated but has restricted (NetAccess property) access
Ñ No Access - user authenticated but is not permitted to use workstation (LabAccess property)
Ñ Unauthorized - user authenticated but not permitted to use this workstation (Stu/Emp only)
Ñ System Error - system config error, e.g., no MacTCP, missing plugin, etc.
Ñ Server Error - server returned an error message
Ñ Network Error - could not contact server(s)
Ñ Program Error - ack! a bug!
Ñ ShutDown - pseudo auth response (shut down)
Ñ Restart - pseudo auth response (restart)
Ñ Update - pseudo auth response (update hard disk)
The Restricted, No Access, and Unauthorized responses are based on responses from Baylor's "lablog" authentication/authorization server, but other plug-ins may have similar responses that can translate to these.
Don't Authenticate
This really isn't a plug-in, but you can tell Kiosk not to authenticate by clicking the "Clear" button in Kiosk Admin. When cleared, users aren't authenticated at all, i.e., the login dialog is never displayed. Kiosk still quits invalid applications and resets the workstation after idle time. Log ins and idle log outs are not written to the log file when this is used.
Anonymous
Always returns OK. Useful if you want to log logins (although users can enter whatever they want) but don't really want to actually authenticate.
AuthMan
Use the University of Michigan's "Authentication Manager" (kerberos). This has only been tested with AuthMan 1.2 but should work with older versions. Before authentication, the plug-in expires all tickets and clears out the default "unique name" (user ID).
Bypass Only
Always returns Failed. When using this plug-in, only admin users who enter the correct bypass password will be allowed to continue. This is an easy way to password protect your own Mac, i.e., set yourself as an admin and always use the bypass password.
KClientKiosk
Use KClient for kerberos authentication. This was written by Everette Allen <Everette Allen@ncsu.edu> and the plug-in's official distribution is <ftp://ftp.ncsu.edu/pub/unity/lockers/project/netatalk/public/>.
Lablog AUTH
Use Baylor's lablog server to authenticate/authorize users. This uses the "AUTH" lablog command which will log the login on the server. The primary lablog server's IP address is stored in a STR resource (ID 128). The secondary lablog server's (if available) IP address is stored in STR 129. The UDP port is stored in STR 130. [This is mainly for folks at Baylor since it is doubtful that anyone outside of Baylor is running lablog.]
Lablog VERI
Use Baylor's lablog server to authenticate/authorize users. This uses the "VERI" lablog command which will only verify the password and not log the login on the server. The primary lablog server's IP address is stored in a STR resource (ID 128). The secondary lablog server's (if available) IP address is stored in STR 129. The UDP port is stored in STR 130. [This is mainly for folks at Baylor since it is doubtful that anyone outside of Baylor is running lablog.]
Pick A Response
Displays a dialog that allows the user to choose the response to return to Kiosk. This should only be installed and used while testing Kiosk.
Users & Groups
Uses the local Users & Groups (FileSharing) accounts and passwords for authentication. Note that if guest access is allowed in Kiosk Admin, but the Guest user is disabled in FileSharing, users will still be able to log in as a guest, i.e., Kiosk Admin's setting overrides FileSharing's setting.
Mount AppleShare
This is a kludgy plug-in that attempts to mount a remote AppleShare volume using the entered username and ID. If the volume is mounted successfully, the user is considered authenticated and the volume is then unmounted. This gives you the ability to maintain IDs and passwords on a central remote AppleShare or FileSharing system. The volume to mount is stored in STR resource (ID 1000) inside the plug-in itself and by default is set to a shared volume on my Mac. (Sorry, no interface for modifying this other than ResEdit...) The format is "volume:server@zone". If there is a method of using AppleShare to just verify a password, without actually mounting a volume, please let me know.
Others
Some other auth plug-ins that I have considered writing, but haven't (yet) include using IMAP's (and/or POP's) plain text authentication, and LDAP. If you have a suggestion for a authentication plug-in, or are interested in writing your own, contact me at the address below.
Kiosk Launcher
Kiosk Launcher is a simple application launcher, similar to the Mac OS "Launcher" control panel. Actually, the original intent was to use Launcher, until I realized that it was a true control panel and not an application. Kiosk Launcher has a window that contains up to 15 buttons, one for each application or document (or alias to the actual file) in the Launcher Items folder which is located in the System folder. (This is the same folder that the Launcher control panel uses.) You can add up to 6 tab panels (each of which contains up to 15 buttons) by creating folders inside the Launcher Items folder. As with the Launcher control panel, the names of these folders must begin with a bullet character (option-8). Unlike the Launcher control panel, folders without bullets are ignored. If there are any files in the Launcher Items folder, the first tab will be called "Main" and will contain those files. If there are no files in the Launcher Items folder, but only folders, then no "Main" tab will be created.
Clicking a button will launch the application or will open the document with its application. If the application is already running, Kiosk Launcher will bring it to the front. If Kiosk is running, Kiosk Launcher will tell Kiosk to open it, otherwise Kiosk Launcher will launch it itself.
There is a small program called Log Out that will tell Kiosk to log out. This is useful if you have users who tend to walk away after quitting applications but not Kiosk Launcher itself, and so stay logged in. If users see the big "LOG OUT" button, they might be more likely to click it when finished.
Compatibility Notes:
Ñ Kiosk is not compatible with At Ease. You must remove At Ease (with the original installer) before setting Kiosk as the startup program. Simply "turning off" At Ease in the At Ease Setup utility is not enough.
Ñ Kiosk will work with Mac OS 9, but only if "Multiple User Accounts" is disabled. Otherwise at startup, the System will launch Login instead of Kiosk. Mac OS 9's Multiple Users feature provides most of Kiosk's functionality, so for most people, there is no reason to run Kiosk instead of Multiple Users.
Ñ Although it is possible to specify the Mac OS 9 files "Login" and "Panels" as Kiosk's default/guest applications, you should not do so.
Ñ Pressing the power button does not bring up the normal "shut down now?" alert because apparently the Finder is what handles this. I may simulate this within Kiosk in a future version.
To-do List
Ñ Handle power button
Ñ Shut Down Items?
Ñ Control Panels? DAs?
Contact Info
If you have any questions, comments, (constructive) criticism, or bug reports, you can contact me at the address(es) below.
-cb
Carl_Bell@baylor.edu
Carl Bell's Web Page <http://www.baylor.edu/~Carl_Bell/>
Stuff I've Written <http://www.baylor.edu/~Carl_Bell/stuff.html>
Snail Mail:
Carl W. Bell
Information Technology Center
Baylor University
P.O. Box 97268
Waco, TX 76798-7268
Phone:
(254) 710-4065
The Fine Print
This software, data and/or documentation contain trade secrets and confidential information which are proprietary to Baylor University. Their use or disclosure in whole or in part without the express written permission of Baylor University is prohibited.
This software, data and/or documentation are also unpublished works protected under the copyright laws of the United States of America. If these works become published, the following notice shall apply:
Copyright ⌐ 1998-2000 Baylor University
All Rights Reserved
The name of Baylor University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE, DATA AND/OR DOCUMENTATION ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
When permission has been granted to make copies of this software, data and/or documentation, the above notices must be retained on all copies.
Permission is hereby granted for non-commercial use and distribution of Kiosk.