Now we'll set up the user accounts.
Add the vpn-users group
Just run:
# /usr/sbin/groupadd vpn-users
Now cat the /etc/group file and look at the last line. It should be
the entry for the vpn-users group. Note the third field.
This is the group ID (GID).
Write it down, as we'll need it in a minute. For this example, the GID is 101.
Create the vpn-users home directory
We're going to use a single home directory for
all of the users. So just run:
The .ssh directory
Now create the .ssh directory in the vpn-users home
directory.
# mkdir /home/vpn-users/.ssh
Adding users
Now comes the fun part. We're going to edit the /etc/passwd file
by hand. Normally you let the system handle this file, but for an unusual
setup like this, it is easier to do it yourself. To start, open the
/etc/passwd file and see what's in there. Here's an example of what
you might find:
...
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:1020:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:1020:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
frank:*:1020:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
...
You'll find the first user on most any system. The second one is me.
After that are a few made up vpn-users. The first field is the username,
and the second is the password field. The third is user ID (UID) and the
fourth is the group ID (GID). After that comes some info on who the
people are in the fifth field. The sixth field is the user's home
directory, and the last is their shell. As you can see, each field is
separated by a colon. Look at the last three lines. The only difference
between them is the username in the first field, and the user info in
the fifth field. What we want to do is create lines like this for each
user. Don't just use one user for all of the connections; you'll never
be able to tell them apart if you do. So copy the last line of this
file and edit it so that it looks something like the above. Make sure
that the second field has an asterisk (*). The third field should be
unique to all the other IDs in the file. I used 1020. You should use a
number above 1000, since those below are typically reserved for system
use. The fourth field should be the group ID for vpn-users. I told you
to write it down, now is the time that you need it. So put the group ID
in there. Lastly, change the home directory to
/home/vpn-users, and the shell to /usr/sbin/pppd.
Now copy that line to make more users. Just edit the first
and the fifth fields and you're set.
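The following is an added example, not part of the original HOWTO: a shell function that checks passwd-format lines against the layout described above (asterisk password, UID above 1000, the vpn-users GID, /home/vpn-users, /usr/sbin/pppd). The function names, the constructed alice entry, and the choice to flag UID reuse only against non-VPN accounts are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit passwd-format lines on stdin against the VPN account
# layout described above. Usage: audit_vpn_passwd GID < /etc/passwd
audit_vpn_passwd() {
    awk -F: -v gid="$1" '
    # Treat a line as a VPN account if it has the vpn-users GID or pppd shell.
    $4 == gid || $7 == "/usr/sbin/pppd" {
        vpn[$1] = $3
        if ($2 != "*")               print $1 ": password field is not *"
        if ($3 + 0 <= 1000)          print $1 ": UID " $3 " is not above 1000"
        if ($4 != gid)               print $1 ": GID " $4 " is not " gid
        if ($6 != "/home/vpn-users") print $1 ": home is " $6
        if ($7 != "/usr/sbin/pppd")  print $1 ": shell is " $7
        next
    }
    { other[$3] = $1 }    # UIDs held by non-VPN accounts
    END {
        # Assumption: VPN lines may share a UID with each other (as in the
        # sample above), but must not reuse a UID of any other account.
        for (name in vpn) {
            uid = vpn[name]
            if (uid in other)
                print name ": UID " uid " collides with " other[uid]
        }
    }'
}

# Constructed sample: lines from the listing above plus one bad entry (alice).
sample_passwd() {
    cat <<'EOF'
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:1020:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:1020:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
alice:x:1000:101:Constructed bad entry,,,:/home/alice:/bin/bash
EOF
}

sample_passwd | audit_vpn_passwd 101
```

Run it against the real file with the GID you wrote down, for example `audit_vpn_passwd 101 < /etc/passwd`; no output means every VPN line matches the layout.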
Administration
One of the advantages to using this system for user accounts is that you
can take advantage of the UNIX user administration commands. Since each client
is logged in as a user, you can use standard methods to get user statistics.
The following are a few commands that I like to use to see what all is going on.
- who
Prints the users currently logged in, as well as when they logged in,
from where (name or IP), and on which port.
- w
This command prints a more extensive listing of who is currently logged
in. It also tells you uptime and load averages for the system. It also lists
the user's current process (which should be -pppd for VPN clients) as well
as idle time, and current CPU usage for all processes as well as the current
process. Read the w man page for more info.
- last [username]
This lists the login history for the specified user, or for all users if
a username is not provided. It's most useful for finding out how well
the tunnels are running as it prints the length of time that the user
was logged in, or states that the user is still logged in. I should warn
you that on a system that has been up a long time, this list can grow
extremely long. Pipe it through grep or head to find
out exactly what you want to know.
You can also control which users are allowed to connect by modifying the
/home/vpn-users/.ssh/authorized_keys file. If you remove the user's
public key line from this file, they won't be able to log in.