File: 3.html

<!--startcut  ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<META NAME="generator" CONTENT="lgazmail v1.4G.h">
<TITLE>The Answer Gang 91: Hey MAC, sign in before you login</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<!--endcut  ==============================================-->
<!-- begin 3 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" 
	height="50" width="60" alt="(?) " border="0"
	>Hey MAC, sign in before you login</H3>
<H4 ALIGN="center">Allowing only known ethernet cards to use the NAT</H4>


<p><strong>From Carl Pender</strong></p>

<p align="right"><strong>Answered By  Yann Vernier, Faber Fedor, Jay R. Ashworth, Ben Okopnik, Thomas Adam,
 Heather Stern
</strong></p>
<!-- ::
Hey MAC, sign in before you login
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allowing only known ethernet cards to use the NAT
:: -->
<blockQuote>
Hi, I have a Suse7.3 Linux PC acting as a gateway with
an <A HREF="http://www.apache.org/">Apache</A> server running. I have a web site set up and
what I want to do is allow only certain MAC addresses
onto the network as I choose. I have a script that
adds certain MAC addresses onto the network which
works perfectly if I type the MAC address in manually
but I need to automate it. I'm nearly there I think
but I need a little help.
</blockQuote>
<blockQuote>
Here's the question I asked someone on
www.allexperts.com but unfortunately the person could
[not] help me. Would you mind having a quick look at it and
if anything jumps to your mind you might let me know.
</blockQuote>
<blockQuote>
Here goes.... I have a script that matches an IP
address with its respective MAC address via the
'arp' command. The script is as follows:
</blockQuote>

<blockquote><pre>#!/bin/bash

sudo arp &gt; /usr/local/apache/logs/users.txt

# print the MAC (field 3) of the line whose address (field 1) is the fixed IP
sudo awk '{if ($1 == "157.190.66.1") print $3}' \
    /usr/local/apache/logs/users.txt |
    /usr/local/apache/cgi-bin/add
</pre></blockquote>
<blockQuote>
Here is a typical output from the arp command:
</blockQuote>

<blockquote><pre>Address HWtype HWaddress Flags Mask Iface
157.190.66.13 ether 00:10:5A:B0:30:ED C eth0
157.190.66.218 ether 00:10:5A:5B:6A:11 C eth0
157.190.66.1 ether 00:60:5C:2F:5E:00 C eth0
</pre></blockquote>
<blockQuote>
As you can see I send this to a text file from which I
capture the MAC address for the respective IP address
("157.190.66.1") and then send this MAC address to
another script, called "add", which allows this MAC
address onto the network. This works perfectly when I
do it from a shell with the ip address typed in
manually.
</blockQuote>
<blockQuote>
My problem is that instead of actually typing in the
IP address (e.g "157.190.66.1"), I want to be able to
pipe the remote IP address of the user that is
accessing my web page at the time to this script as an
input.
</blockQuote>
<blockQuote>
In order to do this, I tried:
</blockQuote>

<blockquote><pre>#!/bin/bash

read ip_address

sudo arp &gt; /usr/local/apache/logs/users.txt
sudo awk '{if ($1 ==$ip_address) print $3}' \
    /usr/local/apache/logs/users.txt |
    /usr/local/apache/cgi-bin/add
</pre></blockquote>
<blockQuote>
But I'm afraid this doesn't work. I'm wondering where
I'm going wrong. I also tried putting quotations
around the variable $ip_address but that doesn't work
either. On my CGI script I have the line 'echo
"$REMOTE_ADDR" | <TT>/usr/local/apache/cgi/bin/change</TT>' to
pipe the ip address of the user. I know this is
working because if I include the line 'echo
"$ip_address"' in my script then the ip address is
echoed to the screen.
</blockQuote>
<blockQuote>
I hope that I have made myself clear.
</blockQuote>
<blockQuote>
Thanks
Carl
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [Yann] 
This is a rather simple case of quoting the wrong things. What you want
is probably something like '{if ($1 == "'"$ip_address"'") print $3}'
</blockQuote>
<blockQuote>
That is, first a '' (two apostrophes) quote block making sure $1 and a " is passed on to
awk unchanged, then a "" (two doublequotes) quote block keeping any spaces in $ip_address
(not needed with your data, but good practice), then another '' (two
apostrophes) block
with the rest of the line. The primary difference between '' and "" as
far as the shell is concerned is that $variable and such are expanded
within "" but not within ''.
</blockQuote>
<blockQuote>
Also, your script could be a lot more efficient, and doesn't need
superuser privileges:
</blockQuote>

<blockquote><pre>/usr/sbin/arp -n $ip_address|awk "/^$ip_address/ {print \$3}"
</pre></blockquote>
<blockQuote>
This isn't the most elegant solution either, but somewhat tighter.
'$1 == "'$ip_address'" {print $3}' works the same.
</blockQuote>
<blockQuote>
By the way, it's quite possible you don't need to write your own tools
for a job like this, although it is a good way to learn. Have you
examined arpwatch?  (<A HREF="http://www-nrg.ee.lbl.gov"
	>http://www-nrg.ee.lbl.gov</A> and scroll down the
page a bit)
</blockQuote>
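<blockquote>An added example, not code from the thread: the lookup Yann describes, with the address handed to awk through <TT>-v</TT> rather than spliced into the single-quoted program, and validated first, since in Carl's setup it comes from <TT>REMOTE_ADDR</TT>. The arp table is the one shown in the question, embedded as constructed sample data so the script runs without a gateway.</blockquote>

```shell
#!/bin/sh
# Added example, not code from the thread: look up the MAC address recorded for
# an IP in arp output, passing the IP to awk with -v instead of splicing it into
# the single-quoted program text (the quoting mistake discussed above).
# The arp output below is constructed from the table in the question so the
# script runs offline; on the gateway replace it with: /usr/sbin/arp -n "$ip"

SAMPLE_ARP_OUTPUT='Address HWtype HWaddress Flags Mask Iface
157.190.66.13 ether 00:10:5A:B0:30:ED C eth0
157.190.66.218 ether 00:10:5A:5B:6A:11 C eth0
157.190.66.1 ether 00:60:5C:2F:5E:00 C eth0'

# REMOTE_ADDR arrives from the network, so accept only a dotted quad with four
# octets in 0-255 before the value reaches arp, awk or the "add" script.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] 2>/dev/null || exit 1
        done
    )
}

# Print the MAC for the IP given as $1. awk compares the whole first field,
# so 157.190.66.1 does not also match 157.190.66.13 the way a /^ip/ regex can.
# Exit status: 0 found, 1 not in the table, 2 rejected as malformed input.
mac_for_ip() {
    ip=$1
    valid_ipv4 "$ip" || return 2
    printf '%s\n' "$SAMPLE_ARP_OUTPUT" |
        awk -v ip="$ip" '$1 == ip && $2 == "ether" { print $3; found = 1 }
                         END { if (!found) exit 1 }'
}
```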
<HR width="10%" align="left">
<blockquote><em><font color="#000066">Same fellow, slightly changed situation.
 -- Heather</font></em></blockquote>
<P><STRONG>
<IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> 
Hi I have a Suse 7.3 Linux PC acting as a gateway for
a wireless network. I have a script that allows users
onto the network depending on their MAC addresses and
another to stop them having access to the network.
</STRONG></P>
<P><STRONG>
What I want to do is let them onto to the network and
then 5 hours later, log them off again. I was told to
use something like this:
</STRONG></P>

<pre><strong>#!/bin/bash

/usr/local/apache/cgi-bin/add

sleep 18000

/usr/local/apache/cgi-bin/remove
</strong></pre>
<P><STRONG>
This is no good to me because if I put the program to
sleep it will lock up. I can't have it locking up
because then if another user logs on the program will
be locked up so they won't be able to access the net.
</STRONG></P>
<P><STRONG>
Do you have any suggestions how to do this?
</STRONG></P>
<P><STRONG>
Thanking you in advance
Carl Pender
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [Faber] 
You don't say whether you want them to be logged off after five
continuous hours of being logged in or to restrict them from being able
to logon outside of a five hour period.
</blockQuote>
<blockQuote>
Either way, why not use the at command?  In their ~/.profile, place a
line that says something like
</blockQuote>

<blockquote><pre>echo "/usr/local/apache/cgi-bin/remove this_mac_address" | at now + 5 hours
</pre></blockquote>
<blockQuote>
(RTFM To get exact syntax, your script may need a wrapper, etc.)
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [Ben] 
It sounds a bit more complex than that, Faber (actually, the problem
spec is mostly undefined but this sounds like a reasonable guess.) What
happens if somebody logs on, spends 4 hours and 59 minutes connected,
disconnects, then reconnects? Is it 5 hours in every 24, 5 hours from
midnight to midnight, 5 hours a week, 5 cumulative hours, 5 contiguous
hours?... There are various ERP packages that do this kind of thing, but
they're pretty big - unfortunately, I can't think of anything small at
the moment although logic says that there's got to be something.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [jra] 
ISTM one of the getty's has that stuff built in... or maybe it's
xinetd.
</blockQuote>
<blockQuote>
For, as Ben says, some subset of the possible problem space.
</blockQuote>
<P><STRONG>
<IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> 
Well firstly, it's a wireless Hot-spot kind of thing that
I'm trying to achieve here so the users don't have profiles.
</STRONG></P>
<P><STRONG>
Secondly, I have a kind of "mock" billing system in
place where the user enters credit card details (mock)
and then they are allowed access onto the network for
five hours. So I want them to no longer have access
to the network when that five hours has expired.
</STRONG></P>
<P><STRONG>
This is only for demonstration purposes, so don't worry
I'm not going to use this in a real life situation
where I'll be handling credit card info.
</STRONG></P>
<P><STRONG>
I hope it is clearer now
</STRONG></P>
<P><STRONG>
Thanks
Carl
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [Ben] 
Perhaps you don't fully realize what you're asking for, Carl. Once you
consider the degenerate cases of possible login schedules, you'll
realize that this is a large, complex task (you can define it to be much
simpler, but you haven't done so.)
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [Thomas] 
Indeed, this is a security risk.... the closest I ever got to modifying
the "login" sources was to make the password entry field echo "*"'s as one
types in their password. I deleted it afterwards mind!
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [Ben] 
Just as an example of a simple case, you could do this with PAM - which
would take a fair bit of study on your part - by creating a one-time
temporary account for each user that logs in. PAM would do a "runX" via
"pam_filter" (read "The Linux-PAM System Administrators' Guide",
<A HREF="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html"
	>http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html</A>) which
would invoke an "at" session
as Faber suggested. After the period elapses - <EM>or</EM> if the user logs off
- the session and the user account get wiped out, and they would need to
get reauthenticated by submitting a credit card or whatever.
</blockQuote>
<blockQuote>
I'm sure there are a number of other ways to accomplish similar things.
</blockQuote>

<blockquote><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [Heather] I think the word he's looking for here is "authentication" - lots
of coffee-shop or gamer-shop style connections have the cashier
authorize folks to use the network, on stations that are wired
in ... but wireless is different, you have to get one of these little
scripts to pick out the new MAC address and then get a go-ahead to
let them aboard.
</blockquote>
<blockquote>PAM allows for writing new modules, lemme check this partial list of them
(<A HREF="http://www.kernel.org/pub/linux/libs/pam/modules.html"
	>http://www.kernel.org/pub/linux/libs/pam/modules.html</A>) for some sort of
moderated-login thingy?  Hmm, unless TACACS+, RADIUS or Kerberos offer
something like that, looks like you'll need to whip up something on your
own, and mess with the control files underlying pam_time, too.  However,
here's something topical, an Authentication Gateway HOWTO:
<A HREF="http://www.itlab.musc.edu/~nathan/authentication_gateway"
	>http://www.itlab.musc.edu/~nathan/authentication_gateway</A>
</blockquote>
<blockquote>Which just goes to show that there are more HOWTOs in the world than
tldp.org carries.  Juicy references to real-world use in the References
too.
</blockquote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	> [Thomas] 
You might also want to consider making the process uninterruptable (i.e
catch certain calls) until the process is due to expire. This again though
has certain inherent security problems with it.
</blockQuote>

<!-- end 3 -->
<!-- *** BEGIN copyright *** -->
<hr>
<CENTER><SMALL><STRONG>
<h5>
<br>Copyright &copy; 2003
<br>Copying license <A HREF="http://www.linuxgazette.com/copying.html">http://www.linuxgazette.com/copying.html</A>
<BR>Published in Issue 91 of <i>Linux Gazette</i>, June 2003</H5>
</STRONG></SMALL></CENTER>
<!-- *** END copyright *** -->

<SMALL><CENTER><H6 ALIGN="center">HTML script maintained by
        <A HREF="mailto:star@starshine.org">Heather Stern</a> of
        Starshine Technical Services,
       <A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H6></SMALL></CENTER>
<HR>

</BODY></HTML>
<!--endcut ========================================================= -->