Auto Lock




Appletvgk
Oct 5, 2012, 02:15 PM
Is there any way to set a timer on 10.8 Server to lock the machine/go to the login screen? I'm trying to cover all bases, security-wise, and if I remote into the server and forget to return to the login screen, the server will be wide open. Thanks.



switon
Oct 5, 2012, 04:25 PM
Hi,

Yes, this is a potential problem (but someone else trying to screen share must still be authenticated -- however, once authenticated then they would be able to share your login account). So, to avoid this, make sure that you set your screensaver for your account on your server to start fairly quickly, say after 5 minutes, and then check your System Preferences -> Security & Privacy -> General pane's "Require password" either "immediately" or "1 minute" after sleep or screen saver begins. Then even if you leave without going back to the login screen, your server will automatically start a password protected screen saver.

I'm sure there is probably some better way to set the graphic login window (I know how to do this under Linux and X11 but not under Mac OS X), but I don't know it. I've just become accustomed to clicking the "Login window..." menu item before leaving the screen sharing app, and when I forget then the password protected screen saver clicks on after 5 minutes.

Switon

Appletvgk
Oct 5, 2012, 04:33 PM
Thanks, I have my screen saver set to 1 minute and to lock immediately. For some reason, the screensaver isn't activating. I run a database server, but I don't think that should interfere (it hasn't interfered on other computers I set up).

switon
Oct 5, 2012, 04:41 PM
Hi,

With your screen saver set to 1 minute, what happens if you quit your screen sharing app, wait over a minute, say 2 minutes, and then start your screen sharing app again? Is the server not on your screen saver? Mine is...

Switon

Appletvgk
Oct 5, 2012, 04:53 PM
I'm at a remote location now. Is there any way to check the status of the screensaver? Maybe via ssh?

switon
Oct 5, 2012, 05:13 PM
Hi,

Yes, you should check your screen saver from your remote location. So, screen share to your home server from your remote location. Log in to your account on your server, set the screen saver to start after one minute and set the security to require a password after starting the screen saver. Do not log out of your account on your home server, rather just quit your screen sharing app running on your computer at your remote location. Wait a couple minutes (past the times you specified for your server account's screen saver and password). Then from your remote location screen share once again with your home server. When I do this, my home server, as shown in my screen sharing window, is running my password protected screen saver. What happens when you try this?

And yes, you can check whether the screen saver is running on your home server from your remote location, assuming that you have also set up SSH. You ssh into your account on your home server: (in a Terminal window on your computer)

ssh username@homeserver.hostname.or.IPaddress

and then run the following command:

ps aux | grep -i saver

If your screen saver is running, then the above command will return a line something like: (don't worry about all of the numbers, the only important part is the pathname at the end of the line indicating that ScreenSaverEngine is running)

username 9899 8.9 1.4 2912584 235964 ?? S 4:05PM 0:11.72 /System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/ScreenSaverEngine.app/Contents/MacOS/ScreenSaverEngine

If your screen saver is not running, then the only line returned will be a line ending with "grep -i saver".


Switon

Appletvgk
Oct 5, 2012, 05:28 PM
Yep, I SSH into my server and it returned "......grep -i saver"
This is driving me nuts, I waited 7 minutes, it was set for 1 minute.

switon
Oct 5, 2012, 05:52 PM
Hi,

Only thing I can think of now is that something must be keeping your screen saver from starting. If you screen share from your remote computer to your home server, and just stay in the screen sharing but don't type anything or execute any programs, but wait...will the screen saver then start on your remote server? (Actually, I'm not certain that mine will under these conditions, since I think screen sharing itself prevents the server from running its screen saver -- I'll check this.)

Switon
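The `ps aux | grep -i saver` check from the earlier post and the "something must be keeping your screen saver from starting" question, combined into one script. This is an added example, not part of any post in the thread: it matches on the process path so the grep line itself never counts, and it lists power assertions that hold off display idle as one thing to rule out. The `ps` and `pmset -g assertions` sample text is constructed (only the ScreenSaverEngine path comes from the thread), the pmset line layout is an assumption that varies between OS X releases, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample data below is constructed; only the ScreenSaverEngine
# path comes from the thread. Function names are hypothetical.

# Reads `ps aux` on stdin. Succeeds only when the COMMAND column (field 11)
# is the ScreenSaverEngine binary, so the "grep -i saver" line never counts.
saver_running() {
    awk '$11 ~ /ScreenSaverEngine$/ { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Reads `pmset -g assertions` on stdin. Prints "owner assertion" for every
# per-process assertion that holds off display idle (layout is an assumption).
idle_blockers() {
    awk '$1 == "pid" && /PreventUserIdleDisplaySleep|NoDisplaySleepAssertion/ {
        owner = $2; sub(/:$/, "", owner)
        for (i = 3; i <= NF; i++) if ($i ~ /DisplaySleep/) print owner, $i
    }'
}

SAVER=/System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/ScreenSaverEngine.app/Contents/MacOS/ScreenSaverEngine
PS_LOCKED="username 9899 8.9 1.4 2912584 235964 ?? S 4:05PM 0:11.72 $SAVER
username 9921 0.0 0.0 2432768 620 s000 S+ 4:06PM 0:00.00 grep -i saver"
PS_OPEN="username 9921 0.0 0.0 2432768 620 s000 S+ 4:06PM 0:00.00 grep -i saver"
PMSET_SAMPLE='Assertion status system-wide:
   PreventUserIdleDisplaySleep    1
   PreventUserIdleSystemSleep     0
Listed by owning process:
   pid 212(SampleApp): [0x0000021200000184] 00:41:07 PreventUserIdleDisplaySleep named: "constructed"'

report() {  # $1 = ps output, $2 = pmset output
    if printf '%s\n' "$1" | saver_running; then
        echo "screen saver: running"
    else
        echo "screen saver: NOT running"
        printf '%s\n' "$2" | idle_blockers | sed 's/^/  held off by: /'
    fi
}

report "$PS_LOCKED" "$PMSET_SAMPLE"
report "$PS_OPEN" "$PMSET_SAMPLE"
# On the server itself (pmset exists only on OS X), check the live state.
if command -v pmset >/dev/null 2>&1; then
    report "$(ps aux)" "$(pmset -g assertions)"
fi
```

Run over SSH from cron or a monitoring check, the exit status of `saver_running` gives a scriptable answer to "is the console locked right now".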

Appletvgk
Oct 5, 2012, 06:50 PM
No it will not start when I'm using screen sharing. Maybe there's a setting in Mountain Lion Server that I overlooked causing the problem? Strange

switon
Oct 5, 2012, 07:55 PM
Hi,

When I'm screen sharing with the server, the server's screen saver will not start. But if I quit screen sharing, wait 5 minutes, and then reconnect to the server using screen sharing, the server's screen saver will be running and I have to enter a password to gain access to the server.

Switon

Appletvgk
Oct 5, 2012, 08:02 PM
I'm not doubting you, but log in with screen sharing, and then log in with another device and see what happens. For me, I log in with a VNC app on my iPhone, and if I open the VNC app on my iPad and connect, I am greeted with the login screen, while I'm still looking at the server's desktop on the iPhone. Point I'm trying to make is that I think screen sharing/VNC makes a login screen (select user screen) appear on the remote side, but that doesn't necessarily mean that you're seeing the current screen on the server.

switon
Oct 5, 2012, 09:51 PM
True, I agree, you can log in with two different VNCs to two different window servers. Each VNC gets its own server, and they don't have to be for the same account either. On the other hand, the VNC, if from a user different than the user logged in to the account on the server machine, will be given the opportunity to either connect to the server's login account's window server, or may log in to a different account and a new window server.

Switon

mwhities
Oct 5, 2012, 10:03 PM
Do this.

Use Spotlight to pull up "Keychain Access". Go to Preferences, and select "Show Keychain status in menu bar".

Then click on the lock in the menu bar and select "Lock Screen". That will start whatever screensaver you have selected. Works with remote or local. I use it every day on my headless 09 Mac mini server and my 2010 MacBook.

See the attached image.

EDIT: Read the OP again... this might not help but, it's quick and easy.

EDIT again: Are you the only one that should access it remotely? Set the option so only you have screenshare access. (Second SS.)

Appletvgk
Oct 5, 2012, 10:12 PM
I already added the keychain lock icon to the toolbar. I also disabled Spotlight (wonder if that has anything to do with it). I'm looking for a way to lock my server in the event I forget to. Guess I will do some more poking around to see what's keeping it from activating the screensaver.

FYI: I'm more concerned with someone gaining physical access to my server, plugging in a monitor, KB and mouse. That's why I'm trying to get it to auto lock.

switon
Oct 6, 2012, 09:50 AM
Hi Appletvgk,

Oh, sorry, I didn't understand that you were worried about physical access and not VNC access to an already logged in account.

On the System Preferences -> Security & Privacy -> Advanced... pane, check the "Log out after XX minutes of inactivity" and check the "Require an administrator password to access locked preferences".

In order to prevent someone with physical access the ability to boot your server from a USB drive or DVD, then you must also set and enable the Firmware Password. (Assuming the "intruder" with physical access is incapable of removing and replacing the RAM in your server, the Firmware Password should keep the intruder from booting your server from their own drive.)

Switon

Appletvgk
Oct 6, 2012, 10:46 AM
I set the logout timer to 5 min and 20 min later the server is still logged in. I really need to figure out what's keeping it awake. All I have is a database server and OS X server running.

switon
Oct 6, 2012, 01:20 PM
Hi Appletvgk,

My server is set never to go to sleep, is yours set likewise?

How are you interacting with your server? Do you have a bluetooth keyboard/trackpad/mouse? You might switch these off and even switch off Bluetooth altogether from the Bluetooth preference pane, just to check if they are keeping you logged in and/or not allowing the screen saver to start. Stop your Screen Sharing/VNC to your server, and wait for all of the timeouts to occur (logout, screen saver). Reconnect using Screen Sharing and see if your server is screen saving. You might also switch the System Preferences -> Sharing from Screen Sharing (uncheck it) to Remote Management (check it and set up for only your account to have access), and then retest.

Do you have "wake for wifi network access" set?

I notice that my MBP has a tough time going to sleep if this is set -- perhaps it also interferes with the logout? You might also switch off Power Nap (on your server, it's probably not on) so that it doesn't do any Time Machine backups, just as a test. And finally, as I'm sure you have already thought of this, but switch off your web server (and/or database server) to test if the machine will then logout your account or screen save.

Switon

P.S. ...really, I'm just fishing for any cause that might hinder your auto logout or keep your screen saver from starting...if you are connected via VNC/Screen Sharing, this will do it, but you have this problem even when not attached...

Appletvgk
Oct 6, 2012, 01:46 PM
Hi Appletvgk,

My server is set never to go to sleep, is yours set likewise?

Yes

How are you interacting with your server?

I set it up using USB connected peripherals. Now it's headless without anything connected.

Do you have a bluetooth keyboard/trackpad/mouse?

I didn't set anything up, BUT I didn't disable the feature that turns on BT if no KB is plugged in. I will turn this off and see what happens.

Stop your Screen Sharing/VNC to your server, and wait for all of the timeouts to occur (logout, screen saver). Reconnect using Screen Sharing and see if your server is screen saving. You might also switch the System Preferences -> Sharing from Screen Sharing (uncheck it) to Remote Management (check it and set up for only your account to have access), and then retest.

I will try this but I'm at a remote location. I take it there is a way to SSH in and turn screen sharing back on? Otherwise I can't get back in.

Do you have "wake for wifi network access" set?

I think it says "wake for network access" on mine, I have it turned on. Maybe I should turn it off since I have sleep set to "Never"?

I notice that my MBP has a tough time going to sleep if this is set -- perhaps it also interferes with the logout? You might also switch off Power Nap (on your server, it's probably not on) so that it doesn't do any Time Machine backups, just as a test.

Time Machine is disabled, because it would interfere with my databases (back up open databases and you get corrupt backups).

And finally, as I'm sure you have already thought of this, but switch off your web server (and/or database server) to test if the machine will then logout your account or screen save.

Actually I didn't try turning off my database server because I'm trying to keep it "up" for people to access, but I also don't "think" it's that because I ran the same server on my home mac without these symptoms.

Switon

P.S. ...really, I'm just fishing for any cause that might hinder your auto logout or keep your screen saver from starting...if you are connected via VNC/Screen Sharing, this will do it, but you have this problem even when not attached...

Please see my responses in the quoted text. I appreciate your help, I'm going to disable BT first and then SS.

switon
Oct 6, 2012, 01:55 PM
Hi,

Remote Management substitutes for Screen Sharing...so you can still attach using Screen Sharing/VNC when the Sharing pane's Screen Sharing is unchecked as long as Remote Management is checked and set up properly...

Switon

Appletvgk
Oct 6, 2012, 02:02 PM
Hi,

Remote Management substitutes for Screen Sharing...so you can still attach using Screen Sharing/VNC when the Sharing pane's Screen Sharing is unchecked as long as Remote Management is checked and set up properly...

Switon

Just checked in this. Screen sharing isn't selectable in the preferences app because it says remote management includes this. The server app has 1 setting for both "allow screen sharing and remote management".
I think I'll just have to be diligent in logging out.