Re: Shell Access

Dale Babiy (dale@yknet.yk.ca)
Tue, 08 Jul 1997 16:24:15 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 11:54 AM 7/8/97 -0700, Luther D. Keal wrote:
>I've got a subscriber that wants shell access. He's using a Linux box
>with Minicom router as the dial-up media.
>
>He just wants shell access.

Umm, 'Just' and shell access don't go into the same sentence.

Couple of things:

1) Minicom is a terminal package, like windows terminal. You hook up
a modem to it, log in and go.

2) If he has a linux box he already has a shell account. If he has a
PPP connection from you, he's on the net. There's only really one
(honest) reason I can think of why he'd want to do a minicom
connection to you rather than a full blown PPP one and that's because
he doesn't have the knowledge. I'd invest in teaching him instead,
reasons follow.

Why I wouldn't (and YKnet does not) do this:

Think security. Sure Unix is multiuser and is supposed to prevent
any one user from getting access he's not entitled to. Unfortunately
bugtraq (and if you don't follow this mailing list you should) is
full of examples of situations where unix system security can and has
been compromised. If we were to offer shell access here's how we'd
do it (and how I told our board that we would do it if we had to).

Unix box<--Internal Frame Relay Cloud-->Border Router<-->Inet

That minimizes the chance of someone on the Unix box gaining any
unauthorized access to internal traffic. An even better solution
would be to put an extra ethernet card in the border router and plug
the unix box into it, unfortunately, due to co-location problems we
can't do that. Anything short of the configuration above is an
invitation to packet sniffers, etc. And even with that configuration
the box would have to ONLY do shell accounts and be completely
sacrificable. (I.e.: users keep their own backups, because if there's a
security problem I'm gonna slash and burn the disk and reformat and
reinstall.)

I've seen too many ISPs just in my local small town environment have
big security problems to take this stuff lightly any more.

>I'm using PM-3 and a Linux box for authentication.
>
>How do I set up the PM-3 and/or the Radius to shut off PPP for his session
>so he comes straight in thru the PM-3 and into the Unix shell account.

Don't do it. Teach him how to configure PPP.

Dale Babiy,
Technical Manager,
YKnet
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBM8LMHcKQxEc3JjNXEQIfkgCglZAPMqVI5ejHn17HhpqlIqMfAv8AnAm4
jM0PwUUpWkpFEIQFQNj5PN7S
=YMAb
-----END PGP SIGNATURE-----

-----------------------------------------------------------------
Dale Babiy, | 'History does not always repeat
Technical Manager, | itself. Sometimes it just
YKnet, | yells, "Can't you remember
Whitehorse, Yukon | anything I told you?" and
(403) 668-8203 o-| lets fly with a club.'
ICQ UIN: 1362909 |
-----------------------------------------------------------------