I’ve never used pptpd myself, but its docs say that it just uses the underlying pppd.

pppd can be configured via pam, using /etc/pam.d/ppp.

One PAM module is pam_listfile(8) (at least available on my Ubuntu 10.04 machine), which can be configured to deny users with usernames listed in a specific file:

   Classic ´ftpusers´ authentication can be implemented with this entry in /etc/pam.d/ftpd:

       #
       # deny ftp-access to users listed in the /etc/ftpusers file
       #
       auth    required       pam_listfile.so \
               onerr=succeed item=user sense=deny file=/etc/ftpusers

You may be able to amend this for your site; by appending names to a file after a successful login and removing the names on logout, you could make it very difficult to have two connections created for the same user account.

Of course, this would be pretty brittle — a dropped connection would need to have its line removed, and router reboots might annoy hundreds or thousands of users at once. I might suggest just truncating the whole file when users complain, and hope to avoid gross abuse of your system at best. (And the program to remove usernames would need to be carefully written to avoid races; you can use lockfile(1) or dotlockfile(1) to help you.)

Perhaps some periodic auditing would be another option: you could check the wutmp files (see w(1), lastlog(8)) or process listings (ps auxw is nice) once in a while and see if people are abusing it, and handle it as a policy issue, rather than a software enforcement issue.

Hope this helps.