Re: limiting access thru pptp
On Wed, Oct 29, 2003 at 11:40:36PM +0100, stephan beirer wrote:
> [some stuff deleted, -adc]
> So I came up with the second idea of using the pptp on the
> firewall, create an account for the database guys there and
> somehow restrict their access to the ip of their w3k machine
> (while my account still has access to the whole network). i
> think that could easily be implemented as a fw rule if i could
> force pptpd or pppd to assign a static ip to their user login.
> but scanning the docs of pptpd and pppd i couldn't find a way
> to assign a static ip to a special login name.
>
> am i missing something or am i completely wrong with the
> concepts of pppd? does anybody know if this can be done with
> pptpd/pppd or can anyone suggest a different solution?
A closer scan of pppd manuals would reveal that you can, in
fact, assign per-user IP addresses. The trick is to have the
lines in /etc/ppp/{pap,chap}-secrets in the format:

    username server secret IP_address

for example:

    stephan * beirer 192.168.168.192

Then make sure your /etc/pptpd.conf file correctly states the
intended range for remote ip addresses, as in

    remoteip 192.168.168.190-220

That should be all.
> cheers from berlin, germany: stephan.
great city! i've been there once :)
hope this helps,
adc
--
Text Only Email! No Word Attachments!
See http://expita.com/nomime.html and
http://www.gnu.org/philosophy/no-word-attachments.html
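
Added example, not part of the original message: a small audit that reads secrets lines in the format described above, reports logins that are not pinned to one fixed address (a source-IP firewall rule cannot be relied on for those), and builds the restricting rule pair for a pinned login. The logins "dbvendor" and "temp", the secrets, and the database host address 192.0.2.10 are constructed placeholders.

```python
import ipaddress

# Constructed sample data; "dbvendor", "temp" and the secrets are made up.
SECRETS = """\
# client   server  secret        IP address
stephan    *       beirer        192.168.168.192
dbvendor   *       not-a-secret  192.168.168.193
temp       *       not-a-secret  *
"""
REMOTEIP = "192.168.168.190-220"   # value of remoteip in /etc/pptpd.conf
DB_HOST = "192.0.2.10"             # placeholder for the database machine

def parse_remoteip(value):
    """Expand 'a.b.c.190-220' (comma-separated items allowed) into a set."""
    pool = set()
    for item in value.split(","):
        base, _, last = item.strip().rpartition(".")
        lo, _, hi = last.partition("-")
        for octet in range(int(lo), int(hi or lo) + 1):
            pool.add(ipaddress.ip_address(f"{base}.{octet}"))
    return pool

def audit(secrets_text, remoteip_value):
    """Return (pinned, findings); pinned maps login -> its one fixed address."""
    pool, pinned, findings = parse_remoteip(remoteip_value), {}, []
    for line in secrets_text.splitlines():
        fields = line.split()          # assumes secrets without quoted spaces
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        user, addrs = fields[0], fields[3:]
        try:
            ip = ipaddress.ip_address(addrs[0]) if len(addrs) == 1 else None
        except ValueError:             # "*", "-", a subnet or a hostname
            ip = None
        if ip is None:
            findings.append(f"{user}: no single fixed address")
        elif ip in pinned.values():
            findings.append(f"{user}: {ip} already pinned to another login")
        else:
            if ip not in pool:
                findings.append(f"{user}: {ip} outside remoteip {remoteip_value}")
            pinned[user] = ip
    return pinned, findings

def forward_rules(src, dst):
    """iptables commands: this tunnel address may reach dst and nothing else."""
    return [f"iptables -A FORWARD -s {src} -d {dst} -j ACCEPT",
            f"iptables -A FORWARD -s {src} -j DROP"]

if __name__ == "__main__":
    pinned, findings = audit(SECRETS, REMOTEIP)
    print("\n".join(findings + forward_rules(pinned["dbvendor"], DB_HOST)))
```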