Date: Tue, 30 Mar 1999 16:42:17 +1000 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: freebsd-isp@freebsd.org
Subject: Re: Web Based Script
Message-ID: <Pine.BSF.4.01.9903301624020.17311-100000@velvet.sensation.net.au>
In-Reply-To: <Pine.LNX.4.10.9903292024350.26067-100000@rheingold>
On Mon, 29 Mar 1999, W. Reilly Cooley wrote:

> > Me Too...
>
> What is this, AOL?  I'm starting to wonder.
>
> >> Does anyone out there have a web based (cgi) script for a customer
> > to check the time usage for their account. We use radius
> > authentication/accounting.
>
> I've considered a web-based interface for users to modify their
> configurations (mail forwarding, etc), but giving users access using their
> UNIX passwords through a web interface is a /big/ security hole.  See
> http://www.apache.org/docs/misc/FAQ.html#passwdauth for an explanation.
> This might be reasonable, if, for example, you only permit access from
> within your net block.  But even then it's sketchy...
>
> 'radiusContext' will generate web pages summarizing usage; but you
> probably don't want to give everyone access to everyone else's usage
> reports.
>
> You can pretty easily set up scripts to periodically mail text summaries
> to each person; this seems like a more reasonable approach.

Look at it from another direction: create a database of IP addresses that
contain their account name. I do the login->pass thing so users are not
authenticated by pppd only, so it's very simple for me to do, basically
something like:

  # this is part of the login script before pppd is started
  allocated_ip=<your allocation algorithm here>
  echo "${allocated_ip}" > /usr/accounting/dialup/ip/`whoami`

For more recent versions of pppd you could use /etc/ppp/auth-up:

  # warning: UNTESTED!
  #
  # /etc/ppp/auth-up
  # A program or script which is executed after the
  # remote system successfully authenticates itself.
  # It is executed with the parameters
  #
  # interface-name peer-name user-name tty-device speed

  # -e keeps grep from parsing "->" as a command-line option
  their_ip=`ifconfig "$1" | grep -e "->" | awk '{print $4}'`
  their_name=`echo "${3}"`
  echo "${their_name}" > "/wherever/you/want/${their_ip}"

This of course assumes you're using FreeBSD for the provision of PPP, if
you're using a canned router then I'm sure there's still a way to get a
list of online users and somehow match them to an IP address. On some
routers 'finger @router' shows both usernames and IP addresses.

Using these methods, users have no need to enter their account names or
passwords, the web server magically knows who they are. There are some
disadvantages of course...

* anyone using that account can view the information, which may be a
  concern for some users
* the user must be logged into local ISP (security bonus!)

I haven't done any pages that allow updates yet, but when I do they will
require (a) the user to be logged in locally to prevent clear text
passwords being transferred via external links and (b) the account
password to be supplied as verification to prevent little Johnny from
messing around with Mum's account settings.

Cheers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
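
The web-server side of the scheme described in the message above, as an added example that is not part of the original post: a CGI script maps REMOTE_ADDR to the account name stored in the per-IP file that auth-up writes. MAP_DIR and the function names is_ipv4 and lookup_account are hypothetical, and the script assumes the web server sees the dial-up client's real address with no proxy in between.

```shell
#!/bin/sh
# Added example (not from the original message). Assumption: auth-up writes
# one file per assigned IP under MAP_DIR, containing only the account name.
MAP_DIR="${MAP_DIR:-/var/run/dialup-ip}"   # hypothetical path

# Succeeds only for a dotted-quad IPv4 address, so a request-supplied value
# can never carry "/" or ".." into the file path built below.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints the account recorded for IP $1. Returns 2 for a malformed address,
# 1 when there is no entry or the entry is not a plain login name.
lookup_account() {
    is_ipv4 "$1" || return 2
    map_file="$MAP_DIR/$1"
    # Regular files only: refuse a symlink planted in the map directory.
    [ -f "$map_file" ] && [ ! -L "$map_file" ] || return 1
    IFS= read -r account < "$map_file" || [ -n "$account" ] || return 1
    case "$account" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$account"
}

# CGI entry point: runs only when started by a web server, which sets
# GATEWAY_INTERFACE and REMOTE_ADDR for the request.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    if account=$(lookup_account "${REMOTE_ADDR:-}"); then
        printf 'Usage report for account: %s\n' "$account"
    else
        printf 'No dial-up session is recorded for your address.\n'
    fi
fi
```

The map directory should be writable only by the account that runs auth-up, since any file placed there decides whose data a given address is shown.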