ppp/shell logins (was RE: Logging in.)

John Simpson (jms1@iag.net)
Thu, 22 Aug 1996 09:05:39 -0400

originally on the portmaster-users list, echoing this response to portmaster-radius as well, since it's a radius thing...

----------
From: russell@australiagate.com.au
Sent: Thursday, August 22, 1996 06:12
To: portmaster-users@livingston.com
Subject: Logging in.

I'm running Radius 1.6 for Linux and a PM2er.

I would like to be able to give my customers a choice of Shell or PPP session by how they log in. I've tried one idea from a reader here who suggested making all radius accounts terminal ones and then asking the users to add .ppp to the ends of their login names, but this doesn't work!

Any ideas ?

-----------

that idea wouldn't work - too many brain-dead people out there who think PPP and TTY are the same thing because they've both got three letters...

what i've done is this - our users who want to access their shell accounts directly dial into the portmaster as "userid$" with their regular password. they get authenticated using their regular id (without the $ sign) and the radiusd returns a special profile that looks like this:

SHELL   Password = "!fN0Rd!", Expiration = "Dec 31 1980"
        User-Service-Type = Login-User,
        Login-Host = shell.blah.com,
        Login-Service = Telnet

this way, the portmaster opens a telnet connection rather than their regular PPP connection. however, they *do* have to log into the shell machine with their normal userid and password, which involves typing their userid and password a second time... i haven't gotten around to hacking the rlogind to strip $ signs from userids yet, but that's coming, and once that's done, the users will be rlogin'd directly to their own accounts on the shell machine.

i'm not allowed to post the customized code but how it works is this - the authentication function of radiusd checks for the $ sign, and if found, sets a flag and replaces the $ with a zero byte. authentication happens as normal (with the person's real user id), and once the packet has been approved, the flag is checked. if set, skip ahead to the end of the file and find a profile with the userid 'SHELL' (all caps - our userids here are all lowercase). at this point we return to the original code, which starts reading pairs (from wherever the file pointer happens to be) and shoving the pairs into the authentication response packet.

we installed this about a month and a half ago, and it's worked really well - we've been catching a lot of users who were formerly abusing their shell accounts by using a portmaster user-table entry that was set up to access shell accounts - originally for staff, but the word got out, since the portmaster user-table name was the same as the name of our shell account machine... (this wasn't my decision, it was in place before i started here.)

take care all
-------------------------------------------------------------------------------
John Simpson, Software Engineering | The Internet Access Group, Inc.
http://www.depeche.mode.net/~jms1/  | PO Box 162625
Personal: <jms1@depeche.mode.net>   | Altamonte Springs, FL 32716-2625
Business: <jms1@iag.net>            | (407) 786-1145
-------------------------------------------------------------------------------
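The "$"-suffix selection described in the post, modelled as an added Python example (the poster's customized radiusd code was never published; this is not it). The in-memory users table, the "alice" entry and her PPP reply pairs are constructed; the SHELL profile is the one quoted in the post, and its expired date is what keeps anyone from logging in as "SHELL" directly.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SHELL_PROFILE_NAME = "SHELL"  # all caps so it cannot collide with lowercase userids


@dataclass
class Profile:
    password: str
    expiration: Optional[date] = None            # check item; None means never expires
    reply: dict = field(default_factory=dict)    # reply pairs returned to the PortMaster


# Constructed users table. The SHELL entry's expiration is in the past on purpose:
# it is only ever used as a source of reply pairs, never for direct authentication.
USERS = {
    "alice": Profile("wonderland", None,
                     {"User-Service-Type": "Framed-User", "Framed-Protocol": "PPP"}),
    SHELL_PROFILE_NAME: Profile("!fN0Rd!", date(1980, 12, 31),
                                {"User-Service-Type": "Login-User",
                                 "Login-Host": "shell.blah.com",
                                 "Login-Service": "Telnet"}),
}


def split_login(login: str):
    """Mirror the C hack: the first '$' became a NUL, so everything after it is dropped."""
    idx = login.find("$")
    if idx < 0:
        return login, False
    return login[:idx], True


def authenticate(login: str, password: str, today: date):
    """Return the reply pairs for an accepted login, or None for a reject."""
    real_id, want_shell = split_login(login)
    prof = USERS.get(real_id)
    if prof is None or prof.password != password:
        return None                               # unknown user or bad password
    if prof.expiration is not None and today > prof.expiration:
        return None                               # expired profile (this catches "SHELL")
    if want_shell:
        # authentication used the real id; the reply comes from the SHELL profile instead
        return dict(USERS[SHELL_PROFILE_NAME].reply)
    return dict(prof.reply)
```

Note that "alice$anything" still authenticates as "alice", exactly as the NUL truncation in the C version would, so the shell-machine login behind it remains the real access control.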