Restrict login through callback, not dial-in by mgetty?

Gert Doering (gert@greenie.muc.de)
Thu, 25 Feb 1999 09:07:23 +0100


Hi,

On Thu, Feb 25, 1999 at 10:40:11AM +0800, Pang Wai Man Raymond wrote:
> Thanks for your positive advice. No comment on that as we are in a different 
> world and in a different position. 

Are we?  I am one of the responsible persons for a stackload of FreeBSD
and Linux machines at a large German ISP, and those machines are under
heavy fire all day.  I know pretty well how important security is - but
from experience, I know as well when it turns into paranoia that hurts
only users, not hackers.

> We have rules/guidelines to follow and 
> cannot do just what we want to do. Just treat my wording as "there is 
> somebody who may be concerned about this" even though you don't agree. 

Hmmm.  Rules and guidelines are good, but especially in the security area,
it's very important to check and recheck them regularly.  Some may be too
weak, others unnecessarily strong.

> Finally, some comments after a few trials on the callback feature: my
> approach is now using the phone no. as the callback user. I feel frustrated 
> when I get logged off because of typos. It would be better if it were
> configurable to give the user a number of trials before logging them off. 

This is very hard to implement right now in the mgetty context.

You could do this by calling an external program that will query for the
phone number, user name and password, and if all matches, call "callback",
otherwise prompt again.  Mgetty is by design only asking once, and I don't
think it is a good idea to change that (as you can handle it by external
programs).

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
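The external program Gert sketches above, written out here as an added example; it is not code from the original post nor from the mgetty distribution. It assumes that mgetty's login.config points the callback login at this script instead of /bin/login, an allow-list file in the form "user:phone:sha256(password)" (a hypothetical layout), and a callback command that takes the number to dial as its only argument (mgetty ships a callback program, but its options are not shown here, so the command and its path are placeholders). The script asks for user name, callback number and password up to MAX_TRIES times, and only hands a number to the callback command when all three match one allow-list line, which is the retry behaviour the poster asked for without changing mgetty's own ask-once login.

```shell
#!/bin/sh
# Added example, not code from the original post or from mgetty: a
# "callback login" program of the kind described above. mgetty would be
# configured (login.config) to run this instead of /bin/login; the script
# asks for user name, callback number and password up to MAX_TRIES times
# and only calls back when all three match one line of the allow-list.
# File location, line format and the callback command are assumptions.

MAX_TRIES="${MAX_TRIES:-3}"
FAIL_DELAY="${FAIL_DELAY:-2}"                   # seconds to wait after a bad try
ALLOW_LIST="${ALLOW_LIST:-/etc/callback.allow}" # hypothetical: user:phone:sha256(pw)
CALLBACK_CMD="${CALLBACK_CMD:-/usr/local/sbin/callback}" # hypothetical, takes number

# Hex SHA-256 of stdin (coreutils sha256sum, or BSD shasum as a fallback).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# verify_entry USER PHONE PASSWORD: 0 only if the exact line
# "USER:PHONE:sha256(PASSWORD)" exists in the allow-list.
verify_entry() {
    user=$1; phone=$2; pass=$3
    # Reject anything that could collide with the ':' separator or smuggle
    # modem commands into the dial string; the caller just sees a failure.
    case "$user"  in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$phone" in ''|*[!0-9+]*)         return 1 ;; esac
    hash=$(printf '%s' "$pass" | sha256_hex)
    # -F: no regex interpretation of user input; -x: whole-line match, so a
    # user name that is a prefix of another cannot match that other line.
    grep -Fxq -- "$user:$phone:$hash" "$ALLOW_LIST" 2>/dev/null
}

# prompt_loop: ask up to MAX_TRIES times. On success sets CALLBACK_PHONE and
# returns 0; after the last failure returns 1 so the caller can hang up.
prompt_loop() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        printf 'callback login: ';  read -r user  || return 1
        printf 'callback number: '; read -r phone || return 1
        printf 'password: '
        [ -t 0 ] && stty -echo              # hide the password only on a real tty
        read -r pass || { [ -t 0 ] && stty echo; return 1; }
        [ -t 0 ] && { stty echo; echo; }
        if verify_entry "$user" "$phone" "$pass"; then
            CALLBACK_PHONE=$phone
            return 0
        fi
        # Same message whether user, number or password was wrong: do not
        # tell a caller which of the three to keep guessing.
        echo "Login incorrect ($tries of $MAX_TRIES)"
        sleep "$FAIL_DELAY"
    done
    return 1
}

# Constructed demo allow-list (user "alice", number +49891234567, password
# "correct horse"); prints its path. Sample data for trying the script out.
demo_allow_list() {
    f=$(mktemp)
    printf 'alice:+49891234567:%s\n' "$(printf '%s' 'correct horse' | sha256_hex)" > "$f"
    echo "$f"
}

# Real entry point, only when invoked as "callback-login.sh --run", so the
# functions above can be sourced and exercised without dialling anything.
main() {
    if prompt_loop; then
        echo "OK, hanging up and calling back $CALLBACK_PHONE"
        exec "$CALLBACK_CMD" "$CALLBACK_PHONE"   # hypothetical invocation
    fi
    echo "Too many failures, goodbye."
    exit 1
}
case "${1:-}" in --run) main ;; esac
```

Two points worth keeping in any real version: the number dialled is the one that matches the allow-list, never a free-form string typed by the caller, so the callback cannot be redirected to an attacker's line or carry extra modem commands; and the retry loop lives entirely in this wrapper, which is why mgetty itself can stay at a single prompt.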