Bob Beck-2 wrote:
>
> The point of authpf is for the user to say "this IP
> is me" - if that IP could perhaps not be him, well, this
> is not an application for authpf. I.E. if your users
> are coming in from a NAT, you should rethink what you
> are doing.
>
> -Bob
>
I fully understand your reasoning. Under normal circumstances users authenticate from their desktop machines (which is a unique IP) and therefore not a problem. However, sometimes they are VNC'd into servers (more CPU power) and want to access resources behind the internal 'firewall'. This was fine until we came across multiple VNC sessions on the same server.

I realize there would be a tiny loophole in that user A would be able to access user B's authenticated resources and vice-versa but that was a reasonable risk (these are all internal users).

The only other option for users sharing resources on a single server was to give each VNC session a unique IP. And the only way I know how to do that is via virtualization. If there was one VNC session per user domain this wouldn't be a problem. However, that is a bit of work.

In short, I know the consequences of authenticating multiple users from the same IP... is there an easy way to turn off this authpf feature? ;)

--
View this message in context: http://www.nabble.com/authpf-allows-only-one-user-from-the-same-source-ip--kicks-off-previous-user-tf3978999.html#a11297071
Sent from the openbsd user - misc mailing list archive at Nabble.com.