> I really don't think that has to do with anyone going through the file..
> because it is very strange to me that I have this huge file (yes! I
> should move it to the DB format) :).. a
What about creating a default entry? Our users file has 4 entries, 3 are
specialized (2 with different time limits and one telnet) and the fourth
covers everyone else. I would think that just by having a default entry
you would save some time and disk space.
A bit off topic here, but a question you should consider...
If you're using Linux you have perl utilities which can be used in the
following hypothetical situation. You may also have the expect toolkit,
which can make things a lot easier.
Given:
You have a thief that has obtained root access in some manner or
form. Could be a friend of his works for you. Could be he saw you enter in
your login info. Maybe he's created a sniffer. Doesn't matter how for now.
You imposed a 5 hour session limit on your system.
Your session time outs keep disappearing and reappearing.
Your thief has a bit of programming experience.
hypothesis:
Thief creates a script that runs as root to go in and remove
the session time outs. The easiest would be a shell script that switches
files. Not wanting to leave a clue as to identity, all session time outs are
removed. To keep from discovery some mechanism exists to flip the old
file back.
Method of execution/ Method of detection:
1> The thief manually executes a script. Most Linux servers are set to
give a csh to a new user by default. Audit the last and lastcomm files
daily. If they don't exist then you know something's up. They get created
when the system is installed.
2> The script process is started from cron. Check out the tabs directory.
Also check out /etc/crontab. Manually go through each and every script.
3> A script aliased to a username can be set to swap files upon receiving
email. Check out the /etc/aliases file manually.
NOTE: Check the date stamp on the file. Under certain circumstances the
datestamp won't be altered. Depends on if the thief used mv or cp in the
statement. Hopefully he (or she) won't be that clever.
Conclusion:
By not having session limits defined in your user file you are
experiencing theft of services. I would hazard you've got a gamer
playing an internet game online and the 5 hour sessions aren't long
enough. I would also hazard a guess this person either works for you, has
worked for you or knows someone quite well who does work for you.
Either way, RADIUS does no alteration of the users file. What happens is
the portmaster receives a request, the portmaster sends the request to the
authentication server, the server either accepts or denies; if accepted, the
server sends some data back from the users file. The file is opened but
never written to, then closed.
I've attached a copy of our users file. It may be helpful. But if you
can streamline your users file you may be able to prove you have a thief.
#
# This file contains security and configuration information
# for each user. The first field is the user's name and
# can be up to 8 characters in length. This is followed (on
# the same line) with the list of authentication requirements
# for that user. This can include password, comm server name,
# comm server port number, and an expiration date of the user's
# password. When an authentication request is received from
# the comm server, these values are tested. A special user named
# "DEFAULT" can be created (and should be placed at the end of
# the user file) to specify what to do with users not contained
# in the user file. A special password of "UNIX" can be specified
# to notify the authentication server to use UNIX password (/etc/passwd)
# authentication for this user.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
DEFAULT	Password = "UNIX"
	User-Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Address = 255.255.255.254,
	Framed-Netmask = 255.255.255.0,
	Framed-Routing = None,
	Framed-Compression = Van-Jacobsen-TCP-IP,
	Framed-MTU = 1500,
	Idle-Timeout = 1800,
	Session-Timeout = 18000,
	Port-Limit = 1
Rob
Robert Hiltibidal Tek Frontiers
Tek Frontiers "Explore the possibilities.."
System Admin <http://www.tekfront.com>
morgan@tekfront.com (217)-241-5112
"People justify their computer for
business and education, but they
use their computer for FUN. " - Alex St John
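The file-swapping scenario and the mv-versus-cp date stamp caveat above, as an added example that is not part of the original post: a baseline-and-compare check for the RADIUS users file that catches a swapped file even when its mtime was preserved, and confirms the DEFAULT entry still carries its Session-Timeout. The file paths are assumptions, and GNU stat/sha256sum syntax is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post. Records inode, mtime,
# ctime, size and a SHA-256 digest of the users file as a baseline; later
# runs report whether the file was replaced (new inode, as after `mv`, which
# keeps the old mtime) or rewritten (digest changed; `cp` also bumps mtime),
# and whether the DEFAULT entry still sets Session-Timeout.
# Paths below are assumptions; GNU stat/sha256sum syntax is assumed.

# Print "inode mtime ctime size sha256" for one file.
fingerprint() {
    printf '%s %s\n' "$(stat -c '%i %Y %Z %s' "$1")" \
        "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Exit 0 only if the DEFAULT entry's indented block sets Session-Timeout.
default_has_session_timeout() {
    awk '
        /^[^ \t#]/ { inblock = ($1 == "DEFAULT") }   # new top-level entry
        inblock && /^[ \t]+Session-Timeout[ \t]*=/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# check_users_file FILE BASELINE
#   first run: record the baseline and exit 0
#   later runs: exit 0 if unchanged and limits intact, 1 otherwise
check_users_file() {
    users="$1"; base="$2"; rc=0
    now=$(fingerprint "$users")
    if [ ! -f "$base" ]; then
        echo "$now" > "$base"
        echo "baseline recorded for $users"
        return 0
    fi
    old=$(cat "$base")
    set -- $old; oino=$1; omtime=$2; octime=$3; osum=$5
    set -- $now; nino=$1; nmtime=$2; nctime=$3; nsum=$5
    [ "$nino" != "$oino" ]     && { echo "ALERT: inode changed (file replaced, e.g. mv)"; rc=1; }
    [ "$nsum" != "$osum" ]     && { echo "ALERT: content digest changed"; rc=1; }
    [ "$nmtime" != "$omtime" ] && { echo "note: mtime changed"; rc=1; }
    [ "$nctime" != "$octime" ] && { echo "note: ctime changed (inode metadata touched)"; rc=1; }
    default_has_session_timeout "$users" \
        || { echo "ALERT: DEFAULT entry has no Session-Timeout"; rc=1; }
    return "$rc"
}

# Typical use from a daily cron job (paths are assumptions):
#   check_users_file /etc/raddb/users /var/lib/radius-users.baseline
```

Run it once by hand to record the baseline, then daily from cron; a non-zero exit means the file was replaced, rewritten, or lost its default session limit.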