Student Terminal Access(Higher Education)

deckert
New Contributor

Just wanting to get a feel for what other Universities and colleges are doing in regards to terminal access. We have a faculty member that would like his students to have terminal access. Our department views terminal as an administrative tool and something that regular users should not have access to.

So the question is this. Do you allow students(or staff members for that matter) to have access to terminal? Or do you block the application from launching like we do?

Thanks for any replies.

8 REPLIES 8

blackholemac
Valued Contributor III

I'm not a university, but I work in a large K-12 so I'll attempt to say how I would respond.

For starters, I would focus on the academic reasons for wanting it. I'm assuming the guy is trying to teach some form of computer science. One question is also...are the wanting administrative access to the machine as well?

If I was presented with valid academic reasons for it, then I'd be inclined to grant, but I wouldn't just out and out grand administrative rights without someone formally asking for it. Without having admin rights, that means know 'sudo' command which means the worst they could do is hose their own system or try to ssh into another system that is more locked down. There are plenty of drag and drop apps which would also help with that anyway.

Finally if they needed admin rights for curriculum, again, I'd probably have to grant, but the big answer is in how you grant...on my own given network, I would put them on a web filtered connection that is zero access to our production VLAN. Worst they could do is hose their own labs at that point. If they truly wanted admin rights though, they would also be signing a waiver saying that we as the IT department would provide very minimal support software wise, other than wiping and loading our standard setup. Hardware wise I would still be stuck.

jkaigler
Contributor II

I work in higher ed, we allow terminal. Actually we are not blocking anything built in apps.

jared_f
Valued Contributor

I block terminal on all enrolled machines and exclude administrator AD groups and have email notifications on. Anyways, the key reason is why this educator and his/her students need access to terminal. As @blackholemac mentioned, I would segregate the lab computers on their own network.

erowan
New Contributor III

I don't block Terminal, but I think i'd restrict admin rights/sudo access to a non-persistent virtual machine.

Gennaro
New Contributor III

We don't block terminal on our campus, but obviously without the administrative credentials, you can't really do a whole lot that you wouldn't be able to do already.

Id say if you're not wanting to give give them terminal access suggest using openbox and a linux vm, they can do whatever they want on those without breaking anything, unless this HAS to be on MacOS for whatever reason.

Chris_Hafner
Valued Contributor II

K-12 here. Terminal is A-OK, but no student admin (Faculty are). I can create anything they need for disto via Self-Service or some other policy method. At the higher ed level, I guess it depends. On student/faculty machines, sure! On lab computers... perhaps if they get cleared nightly, etc. It's all about functionality.

sharriston
Contributor III

We also have been getting more and more requests for this for computer science classes and what I am in the process of setting up is creating a VM that they can either ssh into or remote into and basically do whatever they want and then I would just reset it if they break something crazy with a snapshot. This way they wouldn't have admin access to their own machines and the VM wouldn't create any crazy obstacles to manage or reset should they break something.

ljcacioppo
Contributor III

We don't block terminal from being used, however, student accounts do not have administrative or sudo access