current-users: Re: PPP authentication

Subject: Re: PPP authentication
To: Jukka Marin <jmarin@pyy.jmp.fi>
From: David Leonard <leonard@csee.uq.edu.au>
List: current-users
Date: 09/30/1998 21:12:15
On Tue, 29 Sep 1998, Jukka Marin wrote:

> Let's say there are some 30 NetBSD boxes with 4 to 8 dial-in lines on
> each.  What's the easiest way of configuring PPP on all lines and boxes
> to authenticate the users using a shared user database?  Also, is there
> any way of limiting user on-line time to some number of minutes per day?

You can use the 'login auth require-pap' options and YP to do authentication;
maybe modifying pppd/auth.c to chown the tty in plogin() and plogout() 
would help, although the logins will show up in wtmp anyway and you could
modify your daemon to watch that file instead of the ttys.

Adding the pp=/usr/sbin/pppd capability to the default entry 
in /etc/gettytab means that you can run getty instead of pppd on the serial 
lines; make sure you set your users' shells to /nonexistent if you don't
want to give them shell access though. getty will understand the ppp
linkup sequence at the login: prompt and run pppd automatically.

I notice that pppd can use PAM.. maybe that could help? (i'm not a PAM expert)

> I wrote a daemon which monitors given terminal lines and kicks off the
> users who have used up all their time, but this system only works if the
> TTY line is owned by the dial-in user.  However, if I start pppd on all
> lines and let it do the authentication (this is required, so no special
> scripts are needed on the dial-in users' machines), my daemon no longer
> knows who's using the TTY lines.  Is it possible to get the user ID out
> of pppd after authentication somehow?
> 
> I'd like to set this system up and replace lots of m$ stuff, but first
> I need to find a way for implementing the shared user database and time
> limits..
> 
> Thanks,
> 
>   -jm
> 

--
David Leonard                           David.Leonard@csee.uq.edu.au
Dept of Comp. Sci. and Elec. Engg   _   Room:78-624  Ph:+61 7 336 52447
The University of Queensland       |+|  http://www.csee.uq.edu.au/~leonard/
QLD 4072  AUSTRALIA               ~` '~ E2A24DC6446E5779D7AFC41AA04E6401

Public media should not contain explicit or implied descriptions of sex acts.
Our society should be purged of the perverts who provide the media with
pornographic material while pretending it has some redeeming social value
under the public's 'right to know'.  -- Kenneth Starr (`60 Minutes', 1987)