Date:      Mon, 4 Nov 1996 08:13:58 -0600 (CST)
From:      Joe Greco <jgreco@brasil.moneng.mei.com>
To:        jkh@time.cdrom.com (Jordan K. Hubbard)
Cc:        hackers@freebsd.org, isp@freebsd.org
Subject:   Re: pppgetty
Message-ID:  <199611041413.IAA04882@brasil.moneng.mei.com>
In-Reply-To: <1664.847114329@time.cdrom.com> from "Jordan K. Hubbard" at Nov 4, 96 05:32:09 am

> Whatever happened with this?  Were we going to integrate it?  If not,
> why not?  It seems a perfectly useful feature, and a great way of
> making a more annex-like solution out of a FreeBSD box.  Having now
> learned and lived with the horror that is radiusd, I have to say that
> there's a certain attractiveness to making a single box do your
> dialup-ppp services *and* your interactive logins.  Accounting sure
> becomes a lot easier, and if you're using external modems anyway...

Jordan,

I am not particularly thrilled about the idea of modems on the same box
as interactive logins, as it can be a security risk (think of what could
happen if someone exploited a security hole to gain access to a cua*
device, all sorts of havoc could follow).  I guess this also dates back
to my SunOS days, because my old Suns were not fast enough to handle
even two 14.4K modems.  I much preferred offloading the modems onto a
system with a 386DX/25 and a few 16550's.

Anyways... I still have my patches to do the pppgetty thing.

As a matter of fact, I just recently integrated those patches with my
"network login router" software...  this was the original local hack
that ran on the 386DX/25 :-)  A modified getty and login presents a
"normal" banner and login: prompt and then waits for input.  A central
server is then contacted, and returns a reply based on local policy as
to what to do with the user (local login, remote login, etc)... all 
very transparently.

This is really cool because it provides much of the core functionality
needed for ISP "terminal server" environments.

Let's say you have a "shell account" machine and a "terminal server" 
machine.  You set logins that have a passwd entry on the "shell account"
machine to be rlogin'ed over to the shell account machine, logins that
begin with a 'P' to log in on the terminal server via passwd
authentication, and PAP style logins of course log in on the terminal
server too.

Now when the ISP gets a little bigger, assuming everything else was
also engineered for growth (usually isn't, common ISP mistake)...  you
get half a dozen more terminal servers.  Each one is drop and go.

When you need another shell account machine, you have a little fun..
you set up local "NLR" policy so that logins starting with the letters
'A-M' are on one machine and 'N-Z' on the other.  You put the home file
systems on appropriate disks, etc.  The users are automagically logged
in on the right machine....  nifty cool.

I am not willing to release this code as it sits, but if there is some
particularly enterprising small ISP with a good C hacker that would like
to work with me to whip it into better shape, I would consider providing
it under BSD style copyright after it was whipped into shape.

... JG
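
The routing policy described in the message above, as an added sketch that is not part of the original e-mail and is not the author's unreleased code. The function names, the `shell1`/`shell2` host names, the sample account list and the 16-character limit are all assumptions; PAP logins, which arrive as PPP frames rather than a typed name, are left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added illustration: all names, hosts and limits below are hypothetical. */
enum nlr_action { NLR_REJECT, NLR_LOCAL_PPP, NLR_RLOGIN };

struct nlr_decision {
    enum nlr_action action;
    const char *host;              /* shell machine for NLR_RLOGIN, else NULL */
};

/* Constructed stand-in for the shell machines' passwd database. */
static const char *shell_users[] = { "alice", "bob", "nancy" };

static int has_shell_account(const char *login)
{
    size_t i;
    for (i = 0; i < sizeof(shell_users) / sizeof(shell_users[0]); i++)
        if (strcmp(login, shell_users[i]) == 0)
            return 1;
    return 0;
}

/* The name is typed at a modem by an unauthenticated caller and is later
 * handed to login or rlogin, so accept only a letter followed by letters,
 * digits or '_' (max 16 chars). A leading '-' can never reach a command line. */
static int login_is_sane(const char *login)
{
    size_t i;
    if (login == NULL || !isalpha((unsigned char)login[0]))
        return 0;
    for (i = 1; login[i] != '\0'; i++)
        if (i >= 16 || (!isalnum((unsigned char)login[i]) && login[i] != '_'))
            return 0;
    return 1;
}

/* Policy in the order the message lists it; anything unmatched is refused. */
struct nlr_decision nlr_route(const char *login)
{
    struct nlr_decision d = { NLR_REJECT, NULL };
    if (!login_is_sane(login))
        return d;
    if (has_shell_account(login)) {
        d.action = NLR_RLOGIN;     /* 'A-M' on one machine, 'N-Z' on the other */
        d.host = toupper((unsigned char)login[0]) <= 'M' ? "shell1" : "shell2";
    } else if (login[0] == 'P') {
        d.action = NLR_LOCAL_PPP;  /* passwd-authenticated on the terminal server */
    }
    return d;
}
```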


