Solved

Restricting access via mgetty/AutoPPP

Posted on 1998-01-13
10
229 Views
Last Modified: 2010-03-18
We have a stable dial-in setup using recent mgetty and AutoPPP.  We wish to prevent users from connecting multiple times in parallel.  Any ideas?  (I really don't want to give up AutoPPP)
0
Comment
Question by:remsteve
  • 5
  • 4
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587306
In /etc/csh.login (/etc/.profile or whatever your user's login shell is) check if allready logged in (with w, ps aux, or whatever) and if so, perform a logout.
0
 

Author Comment

by:remsteve
ID: 1587307
The whole point of AutoPPP is that a shell is not invoked, so this suggestion is not feasible.
0
 

Author Comment

by:remsteve
ID: 1587308
Adjusted points to 210
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587309
see /etc/mgetty+sendfax/login.config, you can use your own login program instead of the default /bin/login
0
 

Author Comment

by:remsteve
ID: 1587310
Some missunderstanding here:
  > .. No /bin/login or shell is invoked ..
  > .. except for this multiple login problem.

Are they logged in? Or is your pppd-mashine just a router/gateway
handling dial-in sessions, then you must patch mgetty for your desires (I think).
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587311
Good point.  It all depends how you define 'logged-in' I suppose.  Entries are written to wtmp and utmp, but the connections are ppp routing only.
0
 

Author Comment

by:remsteve
ID: 1587312
How can say that /bin/login is *not* invoked?
mgetty definitely calls /bin/login (or what was defined as default at compile time) or the program specified in mgetty.conf.

So I suggest you need you private login. Rebuild it from the original login source.

Do you agree?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587313
if I get it right, mgetty directly calls AutoPPP w/out any
/bin/login processing.

If you have a separate account for each user, you have the
chance to direct mgetty to first call a test program (you'll
have to write it, but it is simple), which looks for a file
/var/spool/uucp/LCK..<username> (or any other distinguishable
name), which contains the pid of the process for that user.
If the process exists (/procs/<pid>/) and is AutoPPP
(/proc/<pid>/cmdline), the user is online and test program
will exit. Else you have to create the lockfile new with
the actual pid and then do an exec to AutoPPP
(see: man 2 execve). This will preserve your actual pid,
so the next login test from the same user will see
AutoPPP running at the pid, which is stated in the users
lockfile.

This function won't work if either AutoPPP works on a
single account and manages the users itself or AutoPPP
exits while the connection keeps established, so the
check cannot check the presence/absence of the users
connection.

You may realize the test tool as a C program or even as
a simple shell script. For security reasons I would prefer
a C binary.

hope, that helps you

0
 
LVL 1

Accepted Solution

by:
smile earned 210 total points
ID: 1587314
OK - I give up on this one.  AutoPPP is an internal feature of mgetty, so it looks like I'll have to hack into mgetty (unless pppd offers any hooks?).

Thanks for the thoughts

0
 

Author Comment

by:remsteve
ID: 1587315
Hi remsteve, a little late, so you might not get this.  We had the same problem and after looking around for a bit, I ended up hacking _pppd_ itself.  In the pap authorization module (I believe) right before it assigns the IP I run a quick script that does an awk to see if anyone else is online, it also does some stuff like look for a static.username file with a static IP if the customer has one, etc.  

At anyrate, just thought I'd help confirm that it's a hack job required and that you should probably be looking in pppd rather than mgetty.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now