From: Chris Shenton
To: rricci@ns1.theonlynet.com
Cc: freebsd-isp@freebsd.org
Subject: Re: Authenticating dial-ins
Date: Sun, 01 Jun 1997 11:40:14 -0400
Message-Id: <199706011540.LAA04945@absinthe.i3inc.com>
In-Reply-To: Your message of "Fri, 30 May 1997 16:39:10 -0600 (MDT)"

On Fri, 30 May 1997 16:39:10 -0600 (MDT) "Robert P. Ricci" wrote:

rricci> We've got two FreeBSD machines, and would like to use one as a
rricci> terminal server and the other as mail/web/ftp server (right
rricci> now, everything's on the terminal server.) What would be the
rricci> best way to keep identical password files on both machines, or
rricci> use the web server's password file to authenticate users on
rricci> the terminal server? The terminal server uses a Cyclades
rricci> card. Right now, we use mgetty to answer the modems, which
rricci> then fires up pppd. We're also able to NFS mount between the
rricci> two machines.

The dial-in server can use RADIUS configured to look into the /etc/passwd file for authentication. I believe you use "Password = UNIX" or "Password = System" (Livingston RADIUS-2.0).
So your dial-in server can query a RADIUS daemon running on your www/ftp/email server where the accounts really live. I set up one site like this and it's real easy for them to manage cuz all they gotta do is "adduser". You can make the users shell something like /PPP-only or /bin/false if you want them to have PPP authentication but no shell access, but this *might* hose www/ftp/email (see /etc/shells and such).

MERIT and Livingston's latest RADIUS support examining UNIX /etc/group file for PPP authentication. With this you could allow people shell/email/ftp/www access, but *not* PPP, if you set their group to be one RADIUS doesn't like.
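The two policy knobs in the reply above (a non-shell such as /bin/false to grant PPP but no login, and a group check so RADIUS refuses PPP to some accounts) interact with /etc/shells in a way that is easy to get wrong. The following added example is not from the original post and is not Livingston, MERIT or FreeBSD code; it evaluates, over constructed /etc/passwd, /etc/group and /etc/shells fragments, which services each account would reach. It assumes the RADIUS group rule is "PPP only for members of PPP_GROUP" and that login and ftpd accept only a shell listed in /etc/shells (the getusershell(3) behaviour the post's "see /etc/shells and such" refers to). It does not verify the crypt hash itself, which is what "Password = UNIX" hands off to the RADIUS server.

```python
# Added example (not from the original post, not Livingston/MERIT RADIUS or
# FreeBSD code): show who gets PPP, shell and FTP under the scheme discussed,
# using constructed /etc/passwd, /etc/group and /etc/shells fragments.
#
# Assumptions: RADIUS grants PPP only to members of PPP_GROUP; login(1) and
# ftpd(8) both reject an account whose shell is not listed in /etc/shells.

PASSWD = """\
# constructed sample: name:pw:uid:gid:gecos:home:shell
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob PPP only:/home/bob:/bin/false
carol:*:1003:1003:Carol no PPP:/home/carol:/bin/sh
"""

GROUP = """\
# constructed sample: name:pw:gid:members
wheel:*:0:root
ppp:*:2000:alice,bob
users:*:1001:
"""

SHELLS = """\
# constructed sample /etc/shells
/bin/sh
/bin/csh
"""

PPP_GROUP = "ppp"  # assumed name of the group RADIUS is told to require


def _records(text):
    """Yield non-empty, non-comment lines of a passwd-style file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_passwd(text):
    """Map user name -> {'gid': str, 'shell': str}."""
    users = {}
    for line in _records(text):
        name, _pw, _uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"gid": gid, "shell": shell}
    return users


def parse_group(text):
    """Map group name -> {'gid': str, 'members': set of user names}."""
    groups = {}
    for line in _records(text):
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": gid, "members": {m for m in members.split(",") if m}}
    return groups


def parse_shells(text):
    """Set of shells that login/ftpd will accept."""
    return set(_records(text))


def in_group(user, users, groups, gname):
    """Membership via primary gid or the supplementary member list."""
    g = groups.get(gname)
    if g is None:
        return False
    return user in g["members"] or users[user]["gid"] == g["gid"]


def access(user, users, groups, shells, ppp_group=PPP_GROUP):
    """Which services the account reaches under the modelled policy."""
    shell_ok = users[user]["shell"] in shells  # checked by login(1) and ftpd(8)
    return {
        "ppp": in_group(user, users, groups, ppp_group),
        "shell": shell_ok,
        # /bin/false as the shell blocks FTP too: the side effect the post warns about
        "ftp": shell_ok,
    }


def access_matrix(passwd=PASSWD, group=GROUP, shells_text=SHELLS, ppp_group=PPP_GROUP):
    """Evaluate every account in the passwd text; returns {user: {service: bool}}."""
    users = parse_passwd(passwd)
    groups = parse_group(group)
    shells = parse_shells(shells_text)
    return {u: access(u, users, groups, shells, ppp_group) for u in users}


if __name__ == "__main__":
    for user, services in access_matrix().items():
        print(user, services)
```

Run against the sample data, bob (shell /bin/false, member of ppp) gets PPP but neither shell nor FTP, while carol (shell /bin/sh, not in ppp) keeps shell and FTP but is refused PPP: the group route restricts PPP without touching the other services, which is the reason the post prefers it over a bogus shell. Point the parse functions at the real files to audit a live box.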