Rick Schryvers
System Admin - HomeTown Online
Stolen Tagline: If its tourist season, why can't I shoot one???
On Mon, 21 Apr 1997, Sverre Hjelm wrote:
> >alot of sense, EXCEPT the problem of a user running something other than
> >slip/ppp sessions (we offer unix shell too, and those are the guys i need
> >to catch more often than not for abuse of our multiple login sessions).
>
> Ok, then. Do something like this: Modify a rlogin-deamon so that it
> send some kind of message (syslog, whatever) to the server running radiusd
> whenever a user loggs in/out. Modify the radius entries so that this
> special rlogin-deamon is used on a special port. On the other server (the
> one running radius), recieve these messages and save them in a dbm-file.
> Now, whenever a user tries to log in to a terminal session, check with the
> file if he's allready logged in. Not 100%, but fairly close. The important
> thing here is to make sure the message-part works.
>
> Offcourse, this sollution only works with terminal-users. A combination
> of this one and an accounting sollution w/ping would catch almost any case,
> but it's a kinda 'fishy' sollution with several possibilities for
> malfunction.
>
> >the radius deamon DROP the 'duplicate' auth request though while the other
> >auth request is in session? According to the RFC im not entirely sure.
>
> The rfc doesn't mention this (unless I've overlooked it) - it's
> implementation-specific. We used a merit version, which did this
> (compared the incomming packet with pending packets, and dropped it if
> found). My guess is that most servers do this, among other good reasons
> in order to avoid duplicate accounting packets (at least to some extent).
>
> Sverre Hjelm, EUnet Norway
>
>