>   I fully understand your reasoning.  Under normal circumstances users
> authenticate from their desktop machines (which is a unique IP) and
> therefore not a problem.  However, sometimes they are VNC'd into servers
> (more CPU power) and want to access resources behind the internal
> 'firewall'.  This was fine until we came across multiple VNC sessions on the
> same server.  I realize there would be a tiny loop-hole in that user A would
> be able to access user B's authenticated resources and vice-versa but that
> was a reasonable risk (these are all internal users).
> 
>   The only other option for users sharing resources on a single server was
> to give each VNC session a unique IP.  And the only way I know how to do
> that is via virtualization.  If there was one VNC session per user domain
> this wouldn't be a problem.  However, that is a bit of work.

        Stop talking about VNC and talk about unix shell accounts 
and I've been exactly where you are - 15 years ago :)  it's the same
damn thing. I don't use authpf from shell hosts, or recommend its
use from them either. 

> 
>   In short, I know the consequences of authenticating multiple users from
> the same IP... is there an easy way to turn off this authpf feature? ;)

        Nope. And there won't be. It's important. You should just allow
your VNC'ed host through the firewall and trust that it has adequate logging
and security to deal with user separation.. Can't do that.. hmm.. then
authpf is doing *nothing* for you. 

        -Bob
