Solved

Restricting access via mgetty/AutoPPP

Posted on 1998-01-13
Last Modified: 2010-03-18
We have a stable dial-in setup using recent mgetty and AutoPPP.  We wish to prevent users from connecting multiple times in parallel.  Any ideas?  (I really don't want to give up AutoPPP)
Question by:remsteve
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587306
In /etc/csh.login (/etc/.profile or whatever your user's login shell is) check if already logged in (with w, ps aux, or whatever) and if so, perform a logout.
0
 

Author Comment

by:remsteve
ID: 1587307
The whole point of AutoPPP is that a shell is not invoked, so this suggestion is not feasible.
0
 

Author Comment

by:remsteve
ID: 1587308
Adjusted points to 210
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587309
see /etc/mgetty+sendfax/login.config, you can use your own login program instead of the default /bin/login
0
 

Author Comment

by:remsteve
ID: 1587310
Some misunderstanding here:
  > .. No /bin/login or shell is invoked ..
  > .. except for this multiple login problem.

Are they logged in? Or is your pppd-machine just a router/gateway
handling dial-in sessions, then you must patch mgetty for your desires (I think).
0

 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587311
Good point.  It all depends how you define 'logged-in' I suppose.  Entries are written to wtmp and utmp, but the connections are ppp routing only.
0
 

Author Comment

by:remsteve
ID: 1587312
How can you say that /bin/login is *not* invoked?
mgetty definitely calls /bin/login (or what was defined as default at compile time) or the program specified in mgetty.conf.

So I suggest you need your private login. Rebuild it from the original login source.

Do you agree?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1587313
if I get it right, mgetty directly calls AutoPPP w/out any
/bin/login processing.

If you have a separate account for each user, you have the
chance to direct mgetty to first call a test program (you'll
have to write it, but it is simple), which looks for a file
/var/spool/uucp/LCK..<username> (or any other distinguishable
name), which contains the pid of the process for that user.
If the process exists (/proc/<pid>/) and is AutoPPP
(/proc/<pid>/cmdline), the user is online and test program
will exit. Else you have to create the lockfile new with
the actual pid and then do an exec to AutoPPP
(see: man 2 execve). This will preserve your actual pid,
so the next login test from the same user will see
AutoPPP running at the pid, which is stated in the users
lockfile.

This function won't work if either AutoPPP works on a
single account and manages the users itself or AutoPPP
exits while the connection keeps established, so the
check cannot check the presence/absence of the users
connection.

You may realize the test tool as a C program or even as
a simple shell script. For security reasons I would prefer
a C binary.

hope, that helps you

0
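The lockfile check described in the comment above, as an added example in C (not code from this thread or from mgetty). The `lockexec` command line, the helper names and the username character set are assumptions made for illustration; the lock directory and the program to exec are passed as arguments, and whether mgetty can be pointed at such a wrapper for AutoPPP is not established here.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Added illustration: lock path layout, names and CLI are assumptions. */
#define SAFE "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"

static int valid_user(const char *u) {      /* refuses "../" style names */
    size_t n = strlen(u);
    return n > 0 && n <= 32 && strspn(u, SAFE) == n;
}

static int pid_runs(long pid, const char *prog) {  /* argv[0] contains prog? */
    char path[64], buf[256];
    snprintf(path, sizeof path, "/proc/%ld/cmdline", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;                       /* no such process */
    int hit = fgets(buf, sizeof buf, f) && strstr(buf, prog);
    fclose(f);
    return hit;
}

/* 0 = lock taken, 1 = user already online, -1 = error or bad name. */
int acquire_user_lock(const char *dir, const char *user, const char *prog) {
    char path[512], num[32];
    if (!valid_user(user)) return -1;
    snprintf(path, sizeof path, "%s/LCK..%s", dir, user);
    for (int tries = 0; tries < 2; tries++) {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);  /* atomic */
        if (fd >= 0) {
            int len = snprintf(num, sizeof num, "%ld\n", (long)getpid());
            int ok = write(fd, num, (size_t)len) == len;
            close(fd);
            return ok ? 0 : -1;
        }
        long pid = 0;
        FILE *f = fopen(path, "r");
        if (f) { if (fscanf(f, "%ld", &pid) != 1) pid = 0; fclose(f); }
        if (pid > 0 && pid_runs(pid, prog)) return 1;
        unlink(path);                /* stale lock: owner is gone, retry once */
    }
    return -1;
}

int main(int argc, char **argv) {  /* lockexec <lockdir> <user> <prog> [args] */
    if (argc < 4) return 2;
    const char *b = strrchr(argv[3], '/');
    if (acquire_user_lock(argv[1], argv[2], b ? b + 1 : argv[3]) != 0) return 1;
    execv(argv[3], &argv[3]);        /* keeps the pid recorded in the lockfile */
    return 127;
}
```

`O_EXCL` keeps two simultaneous dial-ins from both creating the lock, but the stale-lock cleanup is still a check-then-unlink sequence, so two callers arriving together after a crash can race on it.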
 
LVL 1

Accepted Solution

by:
smile earned 210 total points
ID: 1587314
OK - I give up on this one.  AutoPPP is an internal feature of mgetty, so it looks like I'll have to hack into mgetty (unless pppd offers any hooks?).

Thanks for the thoughts

0
 

Author Comment

by:remsteve
ID: 1587315
Hi remsteve, a little late, so you might not get this.  We had the same problem and after looking around for a bit, I ended up hacking _pppd_ itself.  In the pap authorization module (I believe) right before it assigns the IP I run a quick script that does an awk to see if anyone else is online, it also does some stuff like look for a static.username file with a static IP if the customer has one, etc.  

At any rate, just thought I'd help confirm that it's a hack job required and that you should probably be looking in pppd rather than mgetty.
0
