Bob Beck-2 wrote:
> 
>       The point of authpf is for the user to say "this IP
> is me" - if that IP could perhaps not be him, well, this
> is not an application for authpf. I.E. if your users
> are coming in from a NAT, you should rethink what you
> are doing. 
> 
>       -Bob
> 

  I fully understand your reasoning.  Under normal circumstances users
authenticate from their desktop machines (which is a unique IP) and
therefore not a problem.  However, sometimes they are VNC'd into servers
(more CPU power) and want to access resources behind the internal
'firewall'.  This was fine until we came across multiple VNC sessions on the
same server.  I realize there would be a tiny loophole in that user A would
be able to access user B's authenticated resources and vice-versa but that
was a reasonable risk (these are all internal users).

  The only other option for users sharing resources on a single server was
to give each VNC session a unique IP.  And the only way I know how to do
that is via virtualization.  If there was one VNC session per user domain
this wouldn't be a problem.  However, that is a bit of work.

  In short, I know the consequences of authenticating multiple users from
the same IP... is there an easy way to turn off this authpf feature? ;)

-- 
View this message in context: 
http://www.nabble.com/authpf-allows-only-one-user-from-the-same-source-ip--kicks-off-previous-user-tf3978999.html#a11297071
Sent from the openbsd user - misc mailing list archive at Nabble.com.
