Solved

Restricting access via mgetty/AutoPPP

Posted on 1998-01-13
10
237 Views
Last Modified: 2010-03-18
We have a stable dial-in setup using recent mgetty and AutoPPP.  We wish to prevent users from connecting multiple times in parallel.  Any ideas?  (I really don't want to give up AutoPPP)
0
Comment
Question by:remsteve
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587306
In /etc/csh.login (/etc/.profile or whatever your user's login shell is) check if allready logged in (with w, ps aux, or whatever) and if so, perform a logout.
0
 

Author Comment

by:remsteve
ID: 1587307
The whole point of AutoPPP is that a shell is not invoked, so this suggestion is not feasible.
0
 

Author Comment

by:remsteve
ID: 1587308
Adjusted points to 210
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587309
see /etc/mgetty+sendfax/login.config, you can use your own login program instead of the default /bin/login
0
 

Author Comment

by:remsteve
ID: 1587310
Some missunderstanding here:
  > .. No /bin/login or shell is invoked ..
  > .. except for this multiple login problem.

Are they logged in? Or is your pppd-mashine just a router/gateway
handling dial-in sessions, then you must patch mgetty for your desires (I think).
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587311
Good point.  It all depends how you define 'logged-in' I suppose.  Entries are written to wtmp and utmp, but the connections are ppp routing only.
0
 

Author Comment

by:remsteve
ID: 1587312
How can say that /bin/login is *not* invoked?
mgetty definitely calls /bin/login (or what was defined as default at compile time) or the program specified in mgetty.conf.

So I suggest you need you private login. Rebuild it from the original login source.

Do you agree?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587313
if I get it right, mgetty directly calls AutoPPP w/out any
/bin/login processing.

If you have a separate account for each user, you have the
chance to direct mgetty to first call a test program (you'll
have to write it, but it is simple), which looks for a file
/var/spool/uucp/LCK..<username> (or any other distinguishable
name), which contains the pid of the process for that user.
If the process exists (/procs/<pid>/) and is AutoPPP
(/proc/<pid>/cmdline), the user is online and test program
will exit. Else you have to create the lockfile new with
the actual pid and then do an exec to AutoPPP
(see: man 2 execve). This will preserve your actual pid,
so the next login test from the same user will see
AutoPPP running at the pid, which is stated in the users
lockfile.

This function won't work if either AutoPPP works on a
single account and manages the users itself or AutoPPP
exits while the connection keeps established, so the
check cannot check the presence/absence of the users
connection.

You may realize the test tool as a C program or even as
a simple shell script. For security reasons I would prefer
a C binary.

hope, that helps you

0
 
LVL 1

Accepted Solution

by:
smile earned 210 total points
ID: 1587314
OK - I give up on this one.  AutoPPP is an internal feature of mgetty, so it looks like I'll have to hack into mgetty (unless pppd offers any hooks?).

Thanks for the thoughts

0
 

Author Comment

by:remsteve
ID: 1587315
Hi remsteve, a little late, so you might not get this.  We had the same problem and after looking around for a bit, I ended up hacking _pppd_ itself.  In the pap authorization module (I believe) right before it assigns the IP I run a quick script that does an awk to see if anyone else is online, it also does some stuff like look for a static.username file with a static IP if the customer has one, etc.  

At anyrate, just thought I'd help confirm that it's a hack job required and that you should probably be looking in pppd rather than mgetty.
0

Featured Post

Enroll in June's Course of the Month

June's Course of the Month is now available! Every 10 seconds, a consumer gets hit with ransomware. Refresh your knowledge of ransomware best practices by enrolling in this month's complimentary course for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question