From: Alec Kloss
Message-Id: <199709031743.MAA10397@d2si.com>
Subject: Re: exiting shell and PPP security, authentication
In-Reply-To: from Antonio Bemfica at "Sep 3, 97 01:57:07 pm"
To: bemfica@militzer.me.tuns.ca (Antonio Bemfica)
Date: Wed, 3 Sep 1997 12:43:15 -0500 (CDT)
Cc: freebsd-questions@FreeBSD.ORG

Antonio Bemfica said:
> Hello.
>
> My setup:
>
> 1. I have user PPP set up on my servers to handle incoming calls.
> 2. I want to authenticate users via the password file (enable passwauth)
>    and PAP - it seems the cleanest way - no plain text ppp.secret, etc.
> 3. My users dial in and log on using their normal accounts and password.
>    Once they get a prompt, ppp can be started with a script:
>
> #!/bin/sh
> #
> # PPP Server DIAL-UP (/usr/sbin/ppplogin)
> #
> # -> find out which line is trying to connect and use different
> #    labels for each line
> #
> tt=`tty`
> #
> #
> if [ "$tt" = "/dev/ttyd1" ]; then
>     exec /usr/sbin/ppp -direct ttyd1
> elif [ "$tt" = "/dev/ttyd2" ]; then
>     exec /usr/sbin/ppp -direct ttyd2
> fi
> #
> exit
>
> 4. Client scripts can handle the authentication procedure above quite
>    easily, and users don't get confused about when to enter which password,
>    etc. - entering their name and password once is enough (the Win95 client
>    will save this information, for example)
>
> My problem:
>
> 1. Users get a connection established without problems, but:
>
> 2. When a connection is closed the shell stays open (somehow the shell
>    does not seem to exit properly when the ppp process dies). In any case,
>    the tty is tied up, and the modem will not answer the line anymore - or
>    even worse, will allow a user to get a ppp connection without any
>    authentication!
>
> 3. I would prefer not to have to create duplicate accounts for every one
>    of my users who wishes to connect via ppp (and set the shell of their
>    ppp accounts to be the script above - this setup never hangs...) and
>    neither would I like to use the ppp.secret method.
>
> Is there any possible solution to my problem? What am I doing wrong?
>
> Thanks in advance for any help.
>
> Antonio
> --
> --------------------------------------------------------------------------
> Antonio Bemfica, DalTech, Dalhousie U.
> => Support free software, use FreeBSD
> => http://www.FreeBSD.org
> There are eras made to decimate the flocks, confuse the tongues
> and scatter the tribes. A.C.
>

I'd guess that the script you're using to start up ppp is the problem---the
user's shell probably forks and then execs /bin/sh to run the script. The
script then executes ppp without forking, so /bin/sh is gone, but the
original shell is not. Hmm. If you could get your users to exec your script
you'd probably be okay, either by explaining it to them or by using a shell
alias, or you could get the script to kill their shell for you (you'll need
to use a pretty stiff signal) after ppp exits.
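
The fork-versus-exec behaviour described in the reply, as an added example that is not part of the original message: it simulates one dial-in session three ways and reports whether a shell is still sitting on the line after ppp ends. The function name session_after_ppp, the stand-in scripts, the use of `true` in place of ppp and the choice of SIGKILL as the "stiff signal" are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example with constructed stand-ins: `true` plays ppp exiting when
# the call drops, and an inner `sh -c` plays the user's login shell.
dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT

# ppplogin as posted: exec ppp, so the script's own /bin/sh goes away.
printf '%s\n' 'exec true' > "$dir/ppplogin"
# Variant from the reply: run ppp, then signal the shell that started us
# (SIGKILL is an assumption; the reply only says "a pretty stiff signal").
printf '%s\n' 'true' 'kill -KILL "$PPID"' > "$dir/ppplogin-kill"

# Simulate one dial-in session and report what is left on the line after
# ppp ends: "shell-alive" (prompt still open on the tty) or "line-freed".
#   plain: user types the script name   -> login shell forks and waits
#   exec : user types "exec <script>"   -> login shell is replaced
#   kill : plain start, script kills its parent shell after ppp exits
session_after_ppp() {
    case $1 in
        plain) start="sh $dir/ppplogin" ;;
        exec)  start="exec sh $dir/ppplogin" ;;
        kill)  start="sh $dir/ppplogin-kill" ;;
        *)     echo "usage: session_after_ppp plain|exec|kill" >&2; return 2 ;;
    esac
    # The echo stands for the prompt the login shell would return to.
    left=$(sh -c "$start; echo shell-alive" 2>/dev/null) || true
    echo "${left:-line-freed}"
}

for mode in plain exec kill; do
    printf '%-5s %s\n' "$mode" "$(session_after_ppp "$mode")"
done
```

Only the plain start leaves a shell behind, which matches the symptom in the question: an already-authenticated prompt stays attached to the tty once ppp is gone.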