On 29 March 1999, Gary Piercey <[EMAIL PROTECTED]> wrote:
> Liviu Daia wrote:
> > I'm trying to set up user accounting for a dialin service that I
> > inherited at work.
[...]
> I am in the process of doing something similar. Your configuration
> seems very similar to the one I am using. I chose to use auth-up
> to start the logging process. The problem is you have to force PAP
> or CHAP authentication and deny logins via /bin/login unless you
> want to modify /bin/login to log the same information as auth-up and
> auth-down.
As I pointed out in a previous message, recompiling the kernel
with the option CONFIG_BINFMT_MISC solved the problem for me; I can
now use ip-up and ip-down. I suppose auth-up and auth-down could do
the job too, but as you say, they only work if you force PAP or CHAP
authentication, and this is something I want to avoid.
> auth-up is executed by pppd immediately after the user is
> authenticated and auth-down when user logs out. Both are called with
> the following arguments:
[...]
Yes, all this is well documented in the man page.
> The peer-name will give you the username (because with PAP and CHAP
> pppd is executed as root so the user-name argument will give you the
> user that owns the pppd process; ie. root).
The peer name will give you the authenticated name, which is not
necessarily the same as the login name. You probably want getuid() or
"id -ur".
> If you write the script or the program to log the date and time you
> can do all kinds of wonderful things, including the user accounting
> that you want to do. You can log the login and logout times or
> communicate with an accounting server. I am using this to restrict
> specific groups to the use of certain modems, since we have modems
> reserved for specific groups. After looking at it I realized that if
> we want to restrict the time that the user spends online we can do
> that quite easily as well.
>
> If you know of a better way to do this, I am all ears! :)
Well, the Acua package can already do that, and much more. The only
drawbacks I can see to this approach are:
(1) The flow between the various scripts is necessarily hairy, due to
the flexibility of the package;
(2) If pppd gets killed for some reason before it has a chance to call
ip-down, you get unbalanced entries in the logs.
Another solution is to write a wrapper around pppd which forks a
child that execs pppd, set the wrapper as the login shell for dialin
users, and set the "nodetach" option in /etc/ppp/options. You can then
do the accounting, online time limiting and so on from the wrapper. If
you update the (external) accounting data only when pppd exits, you can
also avoid unbalanced entries.
The first solution is probably more flexible. The second one is
more efficient, and lends itself well to things like administration
through the web and keeping accounting data and user flags in an
SQL database. For my particular problem, where I don't expect the
requirements to change over time, I'll go with the second solution.
Regards,
Liviu Daia
--
Dr. Liviu Daia               e-mail:   [EMAIL PROTECTED]
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc