From owner-freebsd-isp Mon Mar 29 22:42:57 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from velvet.sensation.net.au (serial0-velvet.Brunswick.sensation.net.au [203.20.114.195])
    by hub.freebsd.org (Postfix) with ESMTP id 821A714D17
    for ; Mon, 29 Mar 1999 22:42:45 -0800 (PST)
    (envelope-from rowan@sensation.net.au)
Received: from localhost (rowan@localhost)
    by velvet.sensation.net.au (8.8.8/8.8.8) with SMTP id QAA17822
    for ; Tue, 30 Mar 1999 16:42:19 +1000 (EST)
    (envelope-from rowan@sensation.net.au)
X-Authentication-Warning: velvet.sensation.net.au: rowan owned process doing -bs
Date: Tue, 30 Mar 1999 16:42:17 +1000 (EST)
From: Rowan Crowe
To: freebsd-isp@freebsd.org
Subject: Re: Web Based Script
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 29 Mar 1999, W. Reilly Cooley wrote:

> > Me Too...
>
> What is this, AOL? I'm starting to wonder.
>
> >> Does anyone out there have a web based (cgi) script for a customer
> > to check the time usage for their account. We use radius
> > authentication/accounting.
>
> I've considered a web-based interface for users to modify their
> configurations (mail forwarding, etc), but giving users access using their
> UNIX passwords through a web interface is a /big/ security hole. See
> http://www.apache.org/docs/misc/FAQ.html#passwdauth for an explanation.
> This might be reasonable, if, for example, you only permit access from
> within your net block. But even then it's sketchy...
>
> 'radiusContext' will generate web pages summarizing usage; but you
> probably don't want to give everyone access to everyone else's usage
> reports.
>
> You can pretty easily set up scripts to periodically mail text summaries
> to each person; this seems like a more reasonable approach.

Look at it from another direction: create a database of IP addresses that
contain their account name.
I do the login->pass thing so users are not authenticated by pppd only, so
it's very simple for me to do, basically something like:

# this is part of the login script before pppd is started
allocated_ip=
echo "${allocated_ip}" > "/usr/accounting/dialup/ip/`whoami`"

For more recent versions of pppd you could use /etc/ppp/auth-up:

# warning: UNTESTED!
#
# /etc/ppp/auth-up
# A program or script which is executed after the
# remote system successfully authenticates itself.
# It is executed with the parameters
#
# interface-name peer-name user-name tty-device speed

# the pattern starts with a dash, so pass it with -e or grep
# parses it as an option
their_ip=`ifconfig "$1" | grep -e "->" | awk '{print $4}'`
their_name="$3"
echo "${their_name}" > "/wherever/you/want/${their_ip}"

This of course assumes you're using FreeBSD for the provision of PPP, if
you're using a canned router then I'm sure there's still a way to get a
list of online users and somehow match them to an IP address. On some
routers 'finger @router' shows both usernames and IP addresses.

Using these methods, users have no need to enter their account names or
passwords, the web server magically knows who they are. There are some
disadvantages of course...

* anyone using that account can view the information, which may be a
  concern for some users
* the user must be logged into local ISP (security bonus!)

I haven't done any pages that allow updates yet, but when I do they will
require (a) the user to be logged in locally to prevent clear text
passwords being transferred via external links and (b) the account
password to be supplied as verification to prevent little Johnny from
messing around with Mum's account settings.

Cheers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
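
The lookup side of the scheme described in the message above, as an added example that is not part of the original post: a CGI helper in sh that treats REMOTE_ADDR as untrusted before using it as a file name in the IP-to-account map. It assumes the auth-up layout (file named by IP, containing the account name); MAP_DIR, is_ipv4 and lookup_user are hypothetical names.

```shell
#!/bin/sh
# Added example: CGI-side lookup in the IP -> account map written by auth-up.
# MAP_DIR is a placeholder; is_ipv4 and lookup_user are hypothetical names.
MAP_DIR="${MAP_DIR:-/wherever/you/want}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# REMOTE_ADDR becomes a file name below, so anything else is rejected.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# lookup_user ADDR: print the account recorded for ADDR, or return non-zero.
lookup_user() {
    is_ipv4 "$1" || return 1
    map_file="$MAP_DIR/$1"
    # Require a regular file; refuse a symlink planted in MAP_DIR.
    [ -f "$map_file" ] && [ ! -L "$map_file" ] || return 1
    account=
    IFS= read -r account < "$map_file" || [ -n "$account" ] || return 1
    # Only conservative account names are echoed into a page.
    case "$account" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$account"
}

# CGI entry point: runs only when a web server has set REMOTE_ADDR.
if [ -n "${REMOTE_ADDR:-}" ]; then
    if user=$(lookup_user "$REMOTE_ADDR"); then
        printf 'Content-Type: text/plain\r\n\r\nUsage report for %s\n' "$user"
    else
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'No dial-up session is recorded for this address.\n'
    fi
fi
```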