Limit OS X Server VPN connections to one per user

Jun 26, '08 07:30:00AM

Contributed by: Johnny_B

VPN in Mac OS X Server (all versions, I think) allows users to have as many sessions from as many different computers as they want to the VPN server. I didn't like this, so I tried to find a way to restrict them to only one session. I tried looking at plists, thinking maybe Apple had some hidden option for this, but I couldn't find it. I then dug around in man files for vpn and pppd and such, and found something of interest in pppd's man page:

/etc/ppp/auth-up
A program or script which is executed after the remote system successfully authenticates itself. It is executed with the parameters:

interface-name peer-name user-name tty-device speed

Note that this script is not executed if the peer doesn't authenticate itself, for example when the noauth option is used.
Great! All I need now is some code and a way to find out which users are currently online.

After some more man reading, I found this command with grep to do just that:

serveradmin command vpn:command = getConnectedUsers | grep -G "vpn:ConnectedUsers:_array_index:[[:xdigit:]]*:name"
Then I made the script. Copy and paste this into the file /private/etc/ppp/auth-down:
#!/usr/bin/perl -w
# Version 1.0
# made june 25. by Simen S. Øya, simen@mac.com
# please don't remove my name from the credits if you modify the source

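# Ask the VPN service for its connected users; keep only the "name" lines.
my $in = `/usr/sbin/serveradmin command vpn:command = getConnectedUsers | /usr/bin/grep -G "vpn:ConnectedUsers:_array_index:[[:xdigit:]]*:name"`;
# pppd passes: interface-name peer-name user-name tty-device speed
my $interface = $ARGV[0];
my $username = $ARGV[1];   # peer-name, i.e. the name the VPN client authenticated with

my @list = split(/\n/, $in);
my $s;
my $u;

foreach my $l (@list) {
   # The value starts 3 characters after "=" (the "=", a space and the
   # opening quote); chop removes the closing quote.
   $s=index($l, "=");
   chop($u=substr($l,$s+3));

   if ($u eq $username) {
       # The user already has a session: kill the pppd of the new connection.
       system("/bin/kill `/bin/cat /private/var/run/$interface.pid`");
       last;
   }
}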
What the script does is to check if the user who just logged in is already logged in. If he is, we kill his connection. Yes, it's a little dirty, but it works great. Please comment on this if you have a better way to do it, or improvements to the above script.
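To audit which accounts already hold more than one session, the same getConnectedUsers output can be parsed outside the hook. This is an added example, not part of the original hint or of Apple's tools; the function names and the sample lines are constructed, and the line format is assumed from the grep pattern and the Perl parsing above.

```shell
#!/bin/sh
# Added example: parse getConnectedUsers output and report duplicate sessions.
# Assumed line format (taken from the hint's grep pattern and Perl offsets):
#   vpn:ConnectedUsers:_array_index:<hex>:name = "<user>"

# Constructed sample input, not real server output.
SAMPLE='vpn:ConnectedUsers:_array_index:0:name = "alice"
vpn:ConnectedUsers:_array_index:0:placeholderField = "x"
vpn:ConnectedUsers:_array_index:1:name = "bob"
vpn:ConnectedUsers:_array_index:2:name = "alice"
vpn:ConnectedUsers:_array_index:a:name = "alice2"'

# Print one session user name per line from getConnectedUsers output on stdin.
vpn_session_names() {
    awk '
        /vpn:ConnectedUsers:_array_index:[0-9A-Fa-f]*:name = "/ {
            sub(/^[^=]*= "/, "")      # drop the key and the opening quote
            sub(/"[ \t\r]*$/, "")     # drop the closing quote
            print
        }'
}

# Print "<count> <user>" for every user holding more than one session.
vpn_duplicate_sessions() {
    vpn_session_names | sort | uniq -c |
        awk '$1 > 1 { c = $1; sub(/^ *[0-9]+ /, ""); print c, $0 }'
}

# Exit 0 only if the exact name "$1" has a session (no substring matches,
# so "alice" does not match "alice2").
vpn_user_connected() {
    vpn_session_names | grep -Fxq -- "$1"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | vpn_duplicate_sessions
```

On the server, pipe `serveradmin command vpn:command = getConnectedUsers` into `vpn_duplicate_sessions` instead of the sample.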


Mac OS X Hints
http://hints.macworld.com/article.php?story=20080625145536473