Re: Radius Question

Dave Andersen (angio@aros.net)
Sat, 4 Nov 1995 11:43:22 -0700 (MST)

Lo and behold, Livingston Portmaster once said:

> Done it, working, so far. Except for the unfortunate users who had a
> different Livingston account name than e-mail account name. Now then,
> how do I go about preventing people with extra e-mail accounts from using
> those accounts for PPP as well? In other words say user bjoe has an
> extra e-mail only account djoe (they connect as bjoe and connect to the
> pop server as djoe), how do I prevent them from connecting with PPP as djoe
> as both bjoe and djoe are in my /etc/passwd file?

Couple of ways. Someone suggested using the Merit version of radius,
which is pretty easy to do. The other way is to hack the radiusd; there
are good and bad ways to do this. The easy way is to modify the
unix_pass(name, passwd) function in radiusd.c to return -1 if the user's
shell is set to a nologin type shell. This will make the portmaster not
believe that the user is a real user -- pretty good, as far as an email
only account is concerned.

The better way to do it requires a second call to getpwnam() which
will slow things down a bit. In rad_authenticate(), have it grab the
shell again and see if it's valid. If not, set result to -1, and set
usr_msg = "This is an email-only account\r\n";

Doing this by the shell instead of the GID has the added advantage
(or disadvantage!) of preventing shell/ftp access for the email-only
accounts.

-Dave Andersen

-- 
angio@aros.net                Complete virtual hosting and business-oriented
system administration         Internet services.  (WWW, FTP, email)
http://www.aros.net/          http://www.aros.net/about/virtual/
        "She totally confused all the passing piranhas"
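The shell check described in the post, written out as an added example (it is not code from the Livingston radiusd or from the post). The list of nologin shells and the in-memory passwd table that stands in for the second getpwnam() call are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>

/* Shells that mark an account as email-only (no interactive login). Constructed
 * list for this example; a site might instead compare against /etc/shells. */
static const char *const nologin_shells[] = {
    "/sbin/nologin", "/usr/sbin/nologin", "/bin/false", NULL
};

/* Return 1 if shell is a nologin-type shell, 0 otherwise.
 * A missing or empty shell field is treated as nologin as well. */
int shell_is_nologin(const char *shell)
{
    if (shell == NULL || shell[0] == '\0') return 1;
    for (const char *const *s = nologin_shells; *s != NULL; s++)
        if (strcmp(shell, *s) == 0)
            return 1;
    return 0;
}

/* Constructed stand-in for getpwnam(name): an in-memory passwd table with the
 * two users from the thread (bjoe = real PPP user, djoe = email-only account). */
static struct passwd sample_passwd[] = {
    { .pw_name = "bjoe", .pw_shell = "/bin/sh" },
    { .pw_name = "djoe", .pw_shell = "/sbin/nologin" },
};

static const struct passwd *lookup_user(const char *name)
{
    for (size_t i = 0; i < sizeof sample_passwd / sizeof sample_passwd[0]; i++)
        if (strcmp(sample_passwd[i].pw_name, name) == 0)
            return &sample_passwd[i];
    return NULL;
}

char ppp_msg[64]; /* receives the reply text, like usr_msg in the post */

/* The check from the post: after the password has verified, look the user up
 * again and refuse PPP if the shell is nologin. 0 = allow, -1 = reject. */
int ppp_shell_check(const char *name)
{
    const struct passwd *pw = lookup_user(name); /* radiusd: getpwnam(name) */
    if (pw == NULL || shell_is_nologin(pw->pw_shell)) {
        snprintf(ppp_msg, sizeof ppp_msg, "This is an email-only account\r\n");
        return -1;
    }
    ppp_msg[0] = '\0';
    return 0;
}
```

Unknown users are rejected as well, so the check is safe to run after the password test rather than in place of it.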