Discussion:
Flexible dialin.config settings
Christopher Nelson
2006-04-17 18:48:48 UTC
I've over 20 years experience with networking in all sorts of weird and
wonderful systems but PPP and mgetty are new to me. Please forgive a
possibly stupid question. I've read the man page and looked at the
template dialin.config file and I'm not sure how to do what I want.

Let's say I have three users that may dial into my system and I want to
set security policy by user, not for the whole system.

- When Ted's system tries to establish a PPP connection, if the number
he's calling from matches a preconfigured value, he can connect.

- When Jen's system tries to connect, I don't get a valid caller ID so
I get a password and if it matches, I call her back.

- When Alex's system tries to connect, I get a valid caller ID but Alex
is afraid of caller ID spoofing and asked me to set it up so the system
calls him back anyway.

What do I put in mgetty.config and dialin.config to accomplish this?
Example, pointers to references or tutorials all welcome. Thanks.


Chris
Gert Doering
2006-04-19 18:38:35 UTC
Hi,
Post by Christopher Nelson
I've over 20 years experience with networking in all sorts of weird and
wonderful systems but PPP and mgetty are new to me. Please forgive a
possibly stupid question. I've read the man page and looked at the
template dialin.config file and I'm not sure how to do what I want.
Let's say I have three users that may dial into my system and I want to
set security policy by user, not for the whole system.
- When Ted's system tries to establish a PPP connection, if the number
he's calling from matches a preconfigured value, he can connect.
- When Jen's system tries to connect, I don't get a valid caller ID so
I get a password and if it matches, I call her back.
- When Alex's system tries to connect, I get a valid caller ID but Alex
is afraid of caller ID spoofing and asked me to set it up so the system
calls him back anyway.
There is nothing inside mgetty you can do to achieve this.

Dialin.config will prevent your modem from even picking up if there is
an "unwanted" Caller ID (like "none"), so you won't know whether it's
Ted or someone else.

So you'll need to pick up the phone, get a login prompt, and then
(from login.config) run a wrapper script before pppd or login that will
check your local Caller ID rules.

The caller ID is handed to the script/program called in the environment
variable $CALLER_ID

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christopher Nelson
2006-04-19 18:51:53 UTC
Post by Gert Doering
Post by Christopher Nelson
...
Let's say I have three users that may dial into my system and I want to
set security policy by user, not for the whole system.
- When Ted's system tries to establish a PPP connection, if the number
he's calling from matches a preconfigured value, he can connect.
- When Jen's system tries to connect, I don't get a valid caller ID so
I get a password and if it matches, I call her back.
- When Alex's system tries to connect, I get a valid caller ID but Alex
is afraid of caller ID spoofing and asked me to set it up so the system
calls him back anyway.
There is nothing inside mgetty you can do to achieve this.
Dialin.config will prevent your modem from even picking up if there is
an "unwanted" Caller ID (like "none"), so you won't know whether it's
Ted or someone else.
Are you saying that if dialin.config exists, all incoming calls must
have a valid caller ID to be answered at all?
Post by Gert Doering
So you'll need to pick up the phone,
mgetty will do that, right?
Post by Gert Doering
get a login prompt, and then (from login.config) run a wrapper script
before pppd or login that will check your local Caller ID rules. ...
But once I've answered, isn't the caller ID data lost? Does mgetty
store it somewhere I can get to from my wrapper script?

If my Caller ID rules are per-user, don't I also have to prompt for the
user name somehow? If so, haven't I then eaten the user name? After
I've checked the caller ID and user against my rules and decide to let
the user in, how do I invoke pppd to let it do pap or chap or whatever.

I'm sorry for the barrage of questions but I don't seem to be able to
find a lot of information on the customary way to use mgetty w/ pppd.
Gert Doering
2006-04-19 22:18:35 UTC
Hi,
Post by Christopher Nelson
Post by Gert Doering
Post by Christopher Nelson
- When Alex's system tries to connect, I get a valid caller ID but Alex
is afraid of caller ID spoofing and asked me to set it up so the system
calls him back anyway.
There is nothing inside mgetty you can do to achieve this.
Dialin.config will prevent your modem from even picking up if there is
an "unwanted" Caller ID (like "none"), so you won't know whether it's
Ted or someone else.
Are you saying that if dialin.config exists, all incoming calls must
have a valid caller ID to be answered at all?
If you use dialin.config, it will decide (depending on the rules in
there) whether or not to pick the call - but only based on CallerID, not
based on user name, because the user name cannot be known at that time.
Post by Christopher Nelson
Post by Gert Doering
So you'll need to pick up the phone,
mgetty will do that, right?
Sure.
Post by Christopher Nelson
Post by Gert Doering
get a login prompt, and then (from login.config) run a wrapper script
before pppd or login that will check your local Caller ID rules. ...
But once I've answered, isn't the caller ID data lost? Does mgetty
store it somewhere I can get to from my wrapper script?
That's what I said. "In the environment variable $CALLER_ID".
Post by Christopher Nelson
If my Caller ID rules are per-user, don't I also have to prompt for the
user name somehow?
The user name (entered at the login: prompt) is passed as "@" to the program
specified in login.config.
Post by Christopher Nelson
If so, haven't I then eaten the user name? After
I've checked the caller ID and user against my rules and decide to let
the user in, how do I invoke pppd to let it do pap or chap or whatever.
If you want to do PPP pap/chap authentication to identify the user, you'll
need to add logic to the pppd to match pap/chap user vs. CallerID. Nobody
else will know the user name.

If you can live with the clients sending a user name to mgetty's "login:"
prompt *first*, and then run PPP pap/chap later on, sending the user name
again (in the PPP handshake), then you can do it with a wrapper script
called before pppd.
Post by Christopher Nelson
I'm sorry for the barrage of questions but I don't seem to be able to
find a lot of information on the customary way to use mgetty w/ pppd.
I can't answer any pppd questions. How mgetty works is described in
great detail in the mgetty manual (http://mgetty.greenie.net/), and you
can learn a lot if you run mgetty with high debug level ("-x6") and
study the log file.

gert
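
The wrapper approach described in the reply above, as an added example (not code from this thread or from the mgetty distribution): it takes the login name mgetty passes in place of "@" and the caller ID from $CALLER_ID, and picks an action per user. The policy table, the phone numbers, the script path and the callback hand-off are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-user Caller ID policy for a wrapper started by mgetty.
# Assumed login.config entry (script path is hypothetical):
#   *   -   -   /usr/local/sbin/cid-policy @
# mgetty substitutes the name typed at "login:" for "@" and exports CALLER_ID.

# Constructed policy table, one row per user: user:number:mode
#   match    = connect only when CALLER_ID equals the stored number
#   callback = always call the stored number back, whatever CALLER_ID says
policy() {
    cat <<'EOF'
ted:5550101:match
jen:5550102:callback
alex:5550103:callback
EOF
}

# decide USER CALLER_ID  ->  prints "connect", "callback NUMBER" or "deny"
decide() {
    user=$1
    cid=$(printf '%s' "$2" | tr -cd '0-9')    # "none" or junk becomes empty
    # The login name comes from the caller: accept a strict charset only.
    case $user in
        ''|*[!a-z0-9_-]*) echo deny; return 0 ;;
    esac
    # Unknown users produce no output here and fall through to "deny".
    policy | while IFS=: read -r name number mode; do
        [ "$name" = "$user" ] || continue
        if [ "$mode" = callback ]; then
            echo "callback $number"           # stored number, never $cid
        elif [ "$mode" = match ] && [ -n "$cid" ] && [ "$cid" = "$number" ]; then
            echo connect
        else
            echo deny
        fi
        break
    done | grep . || echo deny
}

# Runs only when mgetty passes a login name; nothing happens when sourced.
if [ "$#" -gt 0 ]; then
    set -- $(decide "$1" "${CALLER_ID:-none}")
    case $1 in
        connect)  exec /usr/sbin/pppd auth ;;  # PAP/CHAP still runs in pppd
        callback) echo "hang up, then dial $2" >&2; exit 0 ;;  # placeholder
        *)        exit 1 ;;
    esac
fi
```
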
Christopher Nelson
2006-04-19 22:44:50 UTC
Post by Gert Doering
Post by Christopher Nelson
Post by Gert Doering
Post by Christopher Nelson
- When Alex's system tries to connect, I get a valid caller ID but Alex
is afraid of caller ID spoofing and asked me to set it up so the system
calls him back anyway.
There is nothing inside mgetty you can do to achieve this.
Dialin.config will prevent your modem from even picking up if there is
an "unwanted" Caller ID (like "none"), so you won't know whether it's
Ted or someone else.
Are you saying that if dialin.config exists, all incoming calls must
have a valid caller ID to be answered at all?
If you use dialin.config, it will decide (depending on the rules in
there) whether or not to pick the call - but only based on CallerID, not
based on user name, because the user name cannot be known at that time.
Of course.

So, if I want logic based on callerID _and_ user name, I can ignore
dialin.config, mgetty will set $CALLER_ID, and my script can act
accordingly, right?
Post by Gert Doering
...
Post by Christopher Nelson
Post by Gert Doering
get a login prompt, and then (from login.config) run a wrapper script
before pppd or login that will check your local Caller ID rules. ...
But once I've answered, isn't the caller ID data lost? Does mgetty
store it somewhere I can get to from my wrapper script?
That's what I said. "In the environment variable $CALLER_ID".
Sorry. I thought you meant that the name of the script to handle the
caller ID was in that variable. I see what you meant now. Thanks.
Post by Gert Doering
Post by Christopher Nelson
If my Caller ID rules are per-user, don't I also have to prompt for the
user name somehow?
The user name (entered at the login: prompt) is passed as "@" to the program
specified in login.config.
OK.
Post by Gert Doering
Post by Christopher Nelson
If so, haven't I then eaten the user name? After
I've checked the caller ID and user against my rules and decide to let
the user in, how do I invoke pppd to let it do pap or chap or whatever.
If you want to do PPP pap/chap authentication to identify the user, you'll
need to add logic to the pppd to match pap/chap user vs. CallerID. Nobody
else will know the user name.
OK.
Post by Gert Doering
If you can live with the clients sending a user name to mgetty's "login:"
prompt *first*, and then run PPP pap/chap later on, sending the user name
again (in the PPP handshake), then you can do it with a wrapper script
called before pppd.
I'd hope to not but I'll see what I can work out.
Post by Gert Doering
Post by Christopher Nelson
I'm sorry for the barrage of questions but I don't seem to be able to
find a lot of information on the customary way to use mgetty w/ pppd.
I can't answer any pppd questions. How mgetty works is described in
great detail in the mgetty manual (http://mgetty.greenie.net/), and you
can learn a lot if you run mgetty with high debug level ("-x6") and
study the log file.
Thanks. The man page refers to a .info file that my installation
didn't create for some reason. I'll look at that URL.

Chris