Joachim Schipper wrote:
> On Fri, Sep 15, 2006 at 02:18:58PM -0500, Victor Camacho wrote:
> > Jeff Quast wrote:
> > > On 9/15/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > > > It would probably be best to let a daemon or cronjob outside the chroot
> > > > read it; a socket or even a simple pipe in the chroot is sufficient to
> > > > signal a daemon, or even send the whole IP address.
> > > >
> > > > Of course, this does result in a two-part script, but the separation is
> > > > likely to be a good thing from a security standpoint.
> > >
> > > This design is mentioned a lot. I understand it, and it would probably
> > > be the best solution.
> > >
> > > Does anybody have a simple two-bin C app that communicates over a pipe
> > > that functions for this purpose? I suppose I could pull out my Richard
> > > Stevens AUP...
> > >
> > > I see this recommended a lot. So somebody had to actually sit down and
> > > do this at some point. Care to share?
> >
> > I have two perl scripts that I used to implement wireless Internet access.
> > There are a few holes but it is a work in progress. My next step is to change it to allow users that do not have ssh, access to our network. Some airports only allow port 80 so I need to deal with that.
> >
> > The way the scripts work:
> > PF redirects all users that are not in the goodip table to a default web page. They are asked for a user name and password. When they hit enter, the first script handles the input. The perl script checks the user name and password and if it is correct it sends the IP address over a socket to the access server script that then adds the ip to the goodip table. If the user then enters a new web page then they are directed because PF will now have them in the good ip table.
> >
> > Things that need to be fixed or considered.
> > Consider using authpf.
>
> Not really necessary, is it?

I have not used authpf before and I was not sure if there was any advantage to it.

> > I did not add perl to the Apache chroot. When this is done, will the socket still work?
>
> You do need perl (either /usr/bin/perl or mod_perl, plus supporting
> files) in the chroot of Apache, or perl scripts won't work.
>
> However, sockets work just fine across chroot.

Thanks for the information.

> > I have user name and password in the perl script. This is not secure.
>
> Simply pass whatever the user entered to the second script, and validate
> there.

Great idea.

> > I have to write a script to clean the goodip table every so often.
>
> Well, and *this* is the reason I didn't try to write something last
> night; a good solution to this problem would be much appreciated...
>
> There are many half-assed solutions. A possible solution is just pinging
> the host every five seconds and dropping the connection as soon as no
> return packets are received; this is dependent on the security of the
> underlying medium, but since the original design already is, that's no
> biggy. (Of course, this consideration makes this solution much less
> useful than it appears to be, but again, that's no news).
>
> A solution that might actually work involves Java or some other
> client-side scripting and authpf.
>
>                 Joachim

For one application the usage expires at closing time.
For the other, the people access the network at all hours and your client side scripting may be the answer.

Thank you very much for your input.
Victor
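An added example, not Victor's Perl scripts, of the privileged "access server" half of the two-part design discussed in this thread: the chrooted web script forwards only what the user typed ("user password ip") over a Unix socket, and the daemon outside the chroot validates the credentials and the address, adds the IP to the pf table with pfctl, and records an expiry so a periodic sweep cleans the table again. The table name goodip is from the thread; the socket path, the four-hour session length, the credential store and the line protocol are assumptions made for the example.

```python
# Added example, not the poster's code: privileged access server for the
# two-part captive-portal design.  Validation happens here, outside the
# chroot, so the web script never holds credentials or pfctl privileges.
import hashlib
import hmac
import ipaddress
import os
import socket
import subprocess
import time

TABLE = "goodip"            # pf table name used in the thread
SESSION_TTL = 4 * 3600      # assumption: entries expire after four hours


def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed credential store: user -> (salt, sha256(salt + password)).
# A real deployment would load this from a root-only file outside the chroot.
USERS = {"alice": (b"s1", _digest(b"s1", "correct-horse"))}


def check_password(user, password):
    """Constant-time compare; unknown users still cost one hash so timing is similar."""
    entry = USERS.get(user)
    if entry is None:
        _digest(b"dummy", password)
        return False
    salt, stored = entry
    return hmac.compare_digest(_digest(salt, password), stored)


def parse_request(line):
    """Parse one request line 'user password ip' (password may contain spaces).

    Returns (user, password, ip) or None, so nothing unvalidated reaches pfctl.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) < 3:
        return None
    user, ip = parts[0], parts[-1]
    password = " ".join(parts[1:-1])
    if not user.isalnum() or not password:
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return user, password, str(addr)


class AccessServer:
    def __init__(self, pfctl=None):
        self.expiry = {}                  # ip -> unix time at which to remove it
        self.pfctl = pfctl or self._run_pfctl

    @staticmethod
    def _run_pfctl(args):
        # Argument list, never a shell string, so the IP text cannot be injected
        subprocess.run(["pfctl"] + args, check=True)

    def handle(self, line, now=None):
        """Validate one request; returns 'ok', 'denied' or 'malformed'."""
        now = time.time() if now is None else now
        req = parse_request(line)
        if req is None:
            return "malformed"
        user, password, ip = req
        if not check_password(user, password):
            return "denied"
        self.pfctl(["-t", TABLE, "-T", "add", ip])
        self.expiry[ip] = now + SESSION_TTL
        return "ok"

    def sweep(self, now=None):
        """Delete entries whose session has expired; returns the IPs removed."""
        now = time.time() if now is None else now
        expired = [ip for ip, t in self.expiry.items() if t <= now]
        for ip in expired:
            self.pfctl(["-t", TABLE, "-T", "delete", ip])
            del self.expiry[ip]
        return expired


def serve(server, path="/var/www/var/run/access.sock"):
    """Accept loop; the socket path is an assumption and must lie inside the Apache chroot."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.bind(path)
        os.chmod(path, 0o660)       # connectable by the web server's group only
        sock.listen(5)
        sock.settimeout(60)         # wake up periodically to sweep expired entries
        while True:
            try:
                conn, _ = sock.accept()
            except socket.timeout:
                server.sweep()
                continue
            with conn:
                line = conn.makefile("r").readline(1024)
                conn.sendall((server.handle(line) + "\n").encode())
            server.sweep()


if __name__ == "__main__":
    serve(AccessServer())
```

The sweep answers the "clean the goodip table every so often" item: the daemon keeps its own expiry times and deletes entries as they age out, and because pfctl is called with an argument list the address string from the client can never become extra shell syntax. Later pfctl versions also offer `-T expire seconds`, which removes entries based on the table's own statistics timestamps and can replace the in-process bookkeeping.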
