Re: Security issues with 1.1.3 flatfile
d.tom.schm...@l-3com.com wrote:
> Currently running 1.1.3 on CentOS 5.x. I am currently using the flat file option and it works just fine as long as the permissions on the file are: 664 RW-RW-R--

Is the file owner the same as the user as which freeradius is running? If it is, I would expect 400 or at worst 600 to work. That will probably make editing a job for root. Or make it 660 where the group is user management.

Andrew
--
REALITY.SYS not found: Universe halted.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Own exec module with bash: permission denied
Marten Pape wrote:
> ouch, that's it! /root didn't have the correct rights.

Wrong. /root probably had the correct rights - usually 710. That is root's home directory and should not be readable by any other user.

Put the script and anything it calls in a more appropriate place. If it needs to be hidden from the general public, maybe under the home dir for the user running radius, which should also be 750 or more restrictive like 710.

Andrew
--
REALITY.SYS not found: Universe halted.
Re: Error logs on freeradius 2.1.8
Alan DeKok wrote:
> Oninz Unix wrote:
>> I know some of the threads are almost similar to my problem, but let me send some logs from my freeradius logs.
>>
>> Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
>> Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
>> Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
>> Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
>> Tue Apr 27 17:59:48 2010 : Info: WARNING: Child is hung for request 377.
>> ...
>> Error: WARNING: Unresponsive child for request 384, in module sql2_redundant component accounting
>> ...
>> I hope you could help me where to start to debug and solve the problem.
>
> You have a firewall between the RADIUS server and database. The firewall is dropping the RADIUS - database TCP connections.
>
> I have *no* idea why anyone thinks this is a good idea. The firewall (if any) should be configured to allow ANY TCP (RADIUS - DB : port). But many people create rules allowing only established TCP connections, and then the firewall helpfully loses track of which sessions are established.
>
> Stop breaking your network.

Somewhat off topic, but relevant. This is a generic problem with firewalls, and there appears to be no solution which the security paranoid will accept. If you think this is bad, try working with a mob who insist on dropping all ICMP traffic (including frag required) at some or all firewalls.

Firewalls are normally configured to drop any established connection from the tables where no traffic is sent for a configurable time. This is to stop the tables growing uncontrollably. If you are in this unfortunate position your only solution is to enable TCP keepalive on all connections, and reduce the TCP keepalive timer to below the firewall's connection drop timer.

--
REALITY.SYS not found: Universe halted.
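The keepalive advice above in concrete form, as an added example that is not part of the post and not FreeRADIUS or any database client's code. It picks per-socket keepalive timers so that the first probe goes out well before a stateful firewall's idle timeout and a genuinely dead peer is declared dead before the firewall would have forgotten the flow, then applies them to a TCP socket and reads them back from the kernel. The option names TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are Linux-specific (the kernel-wide defaults behind them, net.ipv4.tcp_keepalive_time = 7200 s, tcp_keepalive_intvl = 75 s, tcp_keepalive_probes = 9, are exactly the values that lose against a firewall that times out idle flows in minutes); elsewhere only SO_KEEPALIVE is set. The 300-second firewall timeout is a constructed value for the demo. Whether the RADIUS server's database client library lets you set these on its own connections is a property of that library and is not shown here.

```python
# Added example: TCP keepalive tuned to beat a firewall's idle-connection drop timer.
# Not code from the mailing-list post or from FreeRADIUS.
import socket


def keepalive_params(firewall_idle_s, probes=3):
    """Return (idle, interval, count) in seconds/probes such that
    idle + interval * count < firewall_idle_s.
    Assumption: firewall_idle_s is the firewall's state-table idle timeout."""
    if firewall_idle_s < 4:
        raise ValueError("firewall idle timeout too small to probe under")
    idle = firewall_idle_s // 2                      # first probe at half the timeout
    interval = max(1, (firewall_idle_s - idle) // (probes + 1))
    return idle, interval, probes


def worst_case_detect_s(params):
    """Time until a dead peer is declared dead: must stay below the firewall timer."""
    idle, interval, count = params
    return idle + interval * count


def enable_keepalive(sock, firewall_idle_s, probes=3):
    """Turn on keepalive on a TCP socket and, where the platform allows,
    set the per-socket timers. Returns the (idle, interval, count) applied."""
    idle, interval, count = keepalive_params(firewall_idle_s, probes)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux option names; guarded so the code still runs (with kernel-wide
    # defaults) on platforms that do not expose per-socket timers this way.
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle, interval, count


def configured_values(firewall_idle_s):
    """Create an unconnected TCP socket, configure it, and read the values the
    kernel actually stored, so the settings can be verified rather than assumed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        enable_keepalive(s, firewall_idle_s)
        out = {"SO_KEEPALIVE": s.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
        if hasattr(socket, "TCP_KEEPIDLE"):
            out["TCP_KEEPIDLE"] = s.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
            out["TCP_KEEPINTVL"] = s.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
            out["TCP_KEEPCNT"] = s.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
        return out
    finally:
        s.close()


if __name__ == "__main__":
    FIREWALL_IDLE_S = 300                            # constructed: 5-minute state timeout
    params = keepalive_params(FIREWALL_IDLE_S)
    print("keepalive idle/interval/count:", params)
    print("dead peer detected after:", worst_case_detect_s(params), "s")
    print("kernel reports:", configured_values(FIREWALL_IDLE_S))
```

The same arithmetic applies to a connection pool: every pooled connection needs the options, since an idle pool member is exactly the flow the firewall forgets first.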
Re: Login to Cisco devices through freeradius
a.l.m.bu...@lboro.ac.uk wrote:
> chown -R radiusd:radiusd /etc/raddb
> chmod -R 755 /etc/raddb/certs

Yuck - marking data files executable. I'd start with:

find /etc/raddb/certs -type d -exec chmod 755 {} \;
find /etc/raddb/certs \! -type d -exec chmod 644 {} \;

and fix any program file that should be 755

--
REALITY.SYS not found: Universe halted.
Re: client certs
[EMAIL PROTECTED] wrote:
> Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to persuade up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem.

Shouldn't that be:

$ diff Makefile.20081211 Makefile
92c92
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
---
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

--
REALITY.SYS not found: Universe halted.
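Review bot: the only difference in the 92c92 hunk is `-key $(PASSWORD_SERVER)` becoming `-key $(PASSWORD_CA)`, and that is the consistent choice: both versions already sign with `-keyfile ca.key -cert ca.pem`, so the issuer is the CA in either case and the passphrase passed via `-key` has to be the one protecting ca.key, otherwise `openssl ca` fails to decrypt it. Separately, `-key` places the CA passphrase on the command line where `ps` can read it while openssl runs; `-passin` with a file or environment source is the safer form if this Makefile is run on a shared host.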
Re: control-socket name one character short
Alan DeKok wrote:
> Thomas Fagart wrote:
>> I thought it was a question of rights, but even when I chmod/chown it with more rights I still get the following error.
>> radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: No such file or directory
>
> shrug
>
> If that's the error being returned by the OS, I'm not sure what else to suggest.

strace/truss and find out what filename it is really trying to use?

--
REALITY.SYS not found: Universe halted.
Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
Alan DeKok wrote:
> Andrew Hood wrote:
>> Pardon me if I've missed something, but as far as I can tell the server cert isn't authorised to sign client certs, so I can't see how it could work.
>
> The CA can sign client certs. There can be multiple levels of CA's. Verisign, your company, the local division, etc. This is all specifically allowed, and required, by SSL.

No argument there. My suggestion was that maybe what's needed was to mark the server cert with the CA properties. The server cert would then be an intermediate CA, which is Just Fine. That's what Sergio seemed to be getting at in changing with the Makefile to have a CA rather than the server sign the client cert.

Is that the better way? Is the answer to give the server the right to sign the cert, and if so how you do it so as to complete the root CA-server-client chain?

However, there may be multiple servers, each with its own cert. Why should a client cert be signed by one server when it may be used with other servers?

--
REALITY.SYS not found: Universe halted.
Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
Alan DeKok wrote:
> William Hegardt wrote:
>> EAP-TLS authentication fails with the fatal unknown ca message.
>
> The server cert may need to be marked with CA:true
>
>> If I hack the Makefile like Sergio mentioned last month to sign the client certificate with the CA key, then authentication succeeds.
>
> That can work, too.
>
>> I'd really like to understand what's wrong. Could wpa_supplicant be somehow incompatible with the bootstrap certificate chain?
>
> It's OpenSSL on both ends. wpa_supplicant & FreeRADIUS are just wrappers to get the SSL data back and forth.

Pardon me if I've missed something, but as far as I can tell the server cert isn't authorised to sign client certs, so I can't see how it could work. The CA can sign client certs.

--
REALITY.SYS not found: Universe halted.
Re: 2.0.5 on Solaris with openssl 0.9.8h
Alan DeKok wrote:
> Rafiqul Ahsan wrote:
>> Ok, I tried as follows :
>> ...
>> Still ldd /usr/local/sbin/radiusd shows the shared object from /usr/sfw/lib/*0.9.7
>
> Then the issue is that the linker is linking against libssl.so, and not libssl.so.0.9.8. This means that at run-time, /usr/sfw/lib is found *before* /usr/local/lib, and so it links to the other version of libssl.
>
> The only solutions are:
>
> a) change the order of directories that the run-time linker uses
> b) delete the /usr/sfw/lib/libssl* files

I haven't tried the method I suggested earlier in this thread on Solaris. I have done it on Linux. For reasons too complex to go into I can not replace the default version of openssl, but I need a later version to build freeradius. I put that version in the same target directories:

openssl config:

./Configure no-shared enable-zlib-dynamic \
    --prefix=/opt/freeradius --openssldir=/opt/freeradius/ssl \
    linux-elf

freeradius configure script:

export PKG_CONFIG_PATH=/opt/freeradius/lib/pkgconfig
export CC='gcc -march=i686'
export F77='g77 -march=i686'
export CXX='g++ -march=i686'
export LDFLAGS='-Wl,-rpath -Wl,/opt/freeradius/lib'
./configure \
    --prefix=/opt/freeradius \
    --localstatedir=/var \
    --with-openssl-includes=/opt/freeradius/include \
    --with-openssl-libraries=/opt/freeradius/lib

And it works:

$ ldd /opt/freeradius/sbin/radiusd
        libfreeradius-radius-2.0.5.so => /opt/freeradius/lib/libfreeradius-radius-2.0.5.so (0x40016000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4004d000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40062000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x40072000)
        libsnmp.so.15 => /usr/local/lib/libsnmp.so.15 (0x40087000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4012e000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0x4015b000)
        libdl.so.2 => /lib/libdl.so.2 (0x40162000)
        libssl.so.0.9.8 => /opt/freeradius/lib/libssl.so.0.9.8 (0x40166000)
        libcrypto.so.0.9.8 => /opt/freeradius/lib/libcrypto.so.0.9.8 (0x401a)
        libc.so.6 => /lib/libc.so.6 (0x402c6000)
        libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x403e9000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)

--
REALITY.SYS not found: Universe halted.
Re: 2.0.5 on Solaris with openssl 0.9.8h
Rafiqul Ahsan wrote:
> It is Solaris 10 (V210). Now I have added below Flags (as per your previous email) :
>
> CFLAGS=-I/usr/local/ssl/include/openssl
> CPPFLAGS=-I/usr/local/ssl/include/openssl
> LDFLAGS='-L/usr/local/ssl/lib -R/usr/local/ssl/lib'
> export CFLAGS CPPFLAGS LDFLAGS
>
> How else to verify that my Freeradius 2.0.5 was built with openssl 0.9.8h (Again, please note openssl 0.9.8h was installed in /usr/local/ssl, and prebuilt openssl (came with Solaris 10) 0.9.7 is at /usr/sfw)? I wanted to build with 0.9.8h because it supports advanced crypto like sha2, sha256 etc. But still does not seem like Freeradius is working with sha256. Here is the part of make log:
>
> gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/local/ssl/include/openssl -I/usr/local/ssl/include/openssl -c ltdl.c -fPIC -DPIC -o .libs/ltdl.o
> gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/local/ssl/include/openssl -I/usr/local/ssl/include/openssl -c ltdl.c -o ltdl.o >/dev/null 2>&1
> /bin/bash ./libtool --tag=CC --mode=link gcc -I/usr/local/ssl/include/openssl -no-undefined -version-info 4:4:1 -L/usr/local/ssl/lib -R/usr/local/ssl/lib -o libltdl.la -rpath /usr/local/lib ltdl.lo -ldl
> gcc -shared -Wl,-h -Wl,libltdl.so.3 -o .libs/libltdl.so.3.1.4 .libs/ltdl.o -R/usr/local/ssl/lib -L/usr/local/ssl/lib -ldl -lc
> (cd .libs && rm -f libltdl.so.3 && ln -s libltdl.so.3.1.4 libltdl.so.3)
> (cd .libs && rm -f libltdl.so && ln -s libltdl.so.3.1.4 libltdl.so)
> ar cru .libs/libltdl.a ltdl.o
> ranlib .libs/libltdl.a
> creating libltdl.la

Assuming you have run make install, what does ldd /your/path/to/libltdl.so return?

--
REALITY.SYS not found: Universe halted.
Re: 2.0.5 on Solaris with openssl 0.9.8h
Rafiqul Ahsan wrote:
> Hi Alan, and All,
>
> Well, I believe I have linked Freeradius 2.0.5 with the right openssl (0.9.8h) now by adding below env variables (my build logs also say that it linked with -L/usr/local/ssl/lib). However I still see the same error while using sha256 encryption algorithm with RSA 2048 key. I sent this query to openssl maillist, they are sending me back to you (freeradius folks) to verify whether Freeradius supports sha2, sha256 etc. (I hoped that below patch would allow, but no luck).
>
> CFLAGS=-I/usr/local/ssl/include/openssl
> CPPFLAGS=-I/usr/local/ssl/include/openssl
> LDFLAGS=-L/usr/local/ssl/lib
> export CFLAGS CPPFLAGS LDFLAGS

I forget. Were you using the Sun toolchain or GNU?

You probably need one of:

LDFLAGS='-L/usr/local/ssl/lib -Wl,-rpath -Wl,/usr/local/ssl/lib'

or

LDFLAGS='-L/usr/local/ssl/lib -R/usr/local/ssl/lib'

or whatever similar incantation your linker wants to achieve the same result, forcing it to use the version of openssl in /usr/local/lib

--
REALITY.SYS not found: Universe halted.
Re: dhcp server (DHCPFlags feature)
Alan DeKok wrote:
> Haralds Ulmanis wrote:
>> Just checked out from cvs .. and got compile error:
>> ...
>> /root/freeradius/radiusd/src/main/listen.c:309: undefined reference to `request_stats_reply'
>
> Edit src/main/Makefile, and add stats.c to the SERVER_SRCS line. It's in Makefile.in, but you probably didn't re-run configure, and likely don't want to do that, either.

That sounds odd, assuming normal auto* practice. The top Makefile should contain a rule:

Makefile: Makefile.in

which would run ./config.status --recheck

What platform and version of make was this?

--
REALITY.SYS not found: Universe halted.
Re: newbie on radiustesting, Buxey and Hood
[EMAIL PROTECTED] wrote:
>> Hi,
>>
>> By the way: What would be the difference having the proposal of Andrew Hood performed:
>>
>> find /etc/raddb/ -type d -exec chmod ug+x {} \;
>>
>> compared to the proposal of Alan Buxey:
>>
>> chmod -R ugo+x /etc/raddb/certs
>>
>> I am not so familiar with the /-type d/ part of the find command. Would the result be the same?
>
> my suggestion would have made all files in certs directory executable by others. maybe too much. but it works! :-)

Which is exactly why I suggested what I did.

Directories need the x attribute to permit them to be searched. Files only need the x attribute so they can be executed.

Since you said the files and directories all had group radiusd, and the user was a member of that group, setting ug+x on directories is enough. There should be no need for anyone outside group radiusd to be able to search those directories.

It would probably make sense to also:

chgrp -R radiusd /etc/raddb/
find /etc/raddb/ -type d -exec chmod g+s {} \;

So all the existing objects would have group radiusd, and any new ones will get group radiusd.

--
REALITY.SYS not found: Universe halted.
Re: newbie on radiustesting
Si St wrote:
> linux:/etc/raddb/certs # l
> total 53
> drw-r-----  3 root radiusd  472 2008-03-31 22:53 ./
> drwxr-xr-x  5 root root     728 2008-04-16 20:40 ../
> -rw-r-----  1 root radiusd  721 2005-09-13 04:15 cert-clt.der
> -rw-r-----  1 root radiusd 1741 2005-09-13 04:15 cert-clt.p12
> -rw-r-----  1 root radiusd 2452 2005-09-13 04:15 cert-clt.pem
> -rw-r-----  1 root radiusd  717 2005-09-13 04:15 cert-srv.der
> -rw-r-----  1 root radiusd 1733 2005-09-13 04:15 cert-srv.p12
> -rw-r-----  1 root radiusd 2439 2005-09-13 04:15 cert-srv.pem
> drw-r-----  2 root radiusd  200 2008-03-31 22:53 demoCA/
> -rw-r-----  1 root radiusd    0 2005-09-13 04:15 dh
> -rw-r-----  1 root radiusd 2913 2005-09-13 04:15 newcert.pem
> -rw-r-----  1 root radiusd 1753 2005-09-13 04:15 newreq.pem
> -rw-r-----  1 root radiusd 1024 2005-09-13 04:15 random
> -rw-r-----  1 root radiusd  431 2005-09-13 04:15 README
> -rw-r-----  1 root radiusd  954 2005-09-13 04:15 root.der
> -rw-r-----  1 root radiusd 1973 2005-09-13 04:15 root.p12
> -rw-r-----  1 root radiusd 2764 2005-09-13 04:15 root.pem
>
> linux:/etc/raddb/certs/demoCA # l
> total 21
> drw-r-----  2 root radiusd  200 2008-03-31 22:53 ./
> drw-r-----  3 root radiusd  472 2008-03-31 22:53 ../
> -rw-r-----  1 root radiusd 1346 2005-09-13 04:15 cacert.pem
> -rw-r-----  1 root radiusd  276 2005-09-13 04:15 index.txt
> -rw-r-----  1 root radiusd  140 2005-09-13 04:15 index.txt.old
> -rw-r-----  1 root radiusd    3 2005-09-13 04:15 serial
> -rw-r-----  1 root radiusd    3 2005-09-13 04:15 serial.old

Bad directory perms?

umask 022
find /etc/raddb/ -type d -exec chmod ug+x {} \;

--
REALITY.SYS not found: Universe halted.
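The replies above about /root being 710, the find/chmod recipe for /etc/raddb/certs, the "directories need x to be searched, files need x to be executed" point and Si St's drw-r----- listing all reduce to one rule about the x bit. As an added example, not part of any of these posts and not FreeRADIUS code, this Python script models the permission walk the kernel performs (search bit on every directory component, then read or read+execute on the final object, for an unprivileged uid and its group set), builds a constructed temp-directory tree reproducing both situations (a script under a 710 home directory, and a certs tree whose directories are 640 with a data file left 755 by a recursive chmod), and then applies the fix suggested on the list: chgrp recursively, directories get the search bit plus setgid so new files inherit the group, and data files lose the execute bit. The "radiusd" uid is the hypothetical value current uid + 1; the 750/640 modes are the ones the replies recommend.

```python
# Added example for this page (not FreeRADIUS code): model the Unix permission
# walk that decides whether a daemon user can reach a file, then apply the
# fix the replies suggest. Everything runs inside a temp directory it creates.
import os
import stat
import tempfile


def bits_for(st, uid, gids):
    """rwx triple (0-7) that the mode bits grant to uid with group set gids.
    Models an unprivileged user only: root bypasses these checks."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def can_reach(path, uid, gids, need_exec=False):
    """Check search (x) on every directory leading to path, then read (and
    optionally execute) on path itself. Returns (ok, blocking_component)."""
    path = os.path.abspath(path)
    cur = os.sep
    for part in path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, part)
        if not bits_for(os.stat(cur), uid, gids) & 1:      # x on a dir = search
            return False, cur
    need = 5 if need_exec else 4                             # file: r, or r+x
    if bits_for(os.stat(path), uid, gids) & need != need:
        return False, path
    return True, None


def fix_tree(root, gid, dir_mode=0o750, file_mode=0o640):
    """chgrp -R gid; directories get dir_mode plus setgid so new objects inherit
    the group; regular files get file_mode. Returns (dirs, files) changed."""
    os.chown(root, -1, gid)
    os.chmod(root, dir_mode | stat.S_ISGID)         # grant search before descending
    ndirs, nfiles = 1, 0
    for entry in os.scandir(root):
        if entry.is_dir(follow_symlinks=False):
            d, f = fix_tree(entry.path, gid, dir_mode, file_mode)
            ndirs, nfiles = ndirs + d, nfiles + f
        elif entry.is_file(follow_symlinks=False):
            os.chown(entry.path, -1, gid)
            os.chmod(entry.path, file_mode)
            nfiles += 1
    return ndirs, nfiles


def build_demo_tree():
    """Constructed layout: a 755 script under a 710 home dir, and raddb/certs
    with 640 directories (no search bit) holding a data file chmod'ed 755."""
    base = tempfile.mkdtemp(prefix="perms-demo-")
    os.chmod(base, 0o755)
    home = os.path.join(base, "root")
    os.mkdir(home)
    os.chmod(home, 0o710)
    script = os.path.join(home, "auth.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(script, 0o755)
    democa = os.path.join(base, "raddb", "certs", "demoCA")
    os.makedirs(democa)
    cacert = os.path.join(democa, "cacert.pem")
    with open(cacert, "w") as fh:
        fh.write("constructed placeholder, not a real certificate\n")
    os.chmod(cacert, 0o755)
    cert_mode_before = os.stat(cacert).st_mode        # read it while we still can
    for d in (democa, os.path.dirname(democa), os.path.join(base, "raddb")):
        os.chmod(d, 0o640)                           # deepest first: owner loses search too
    return base, script, cacert, cert_mode_before


def run_demo():
    """Exercise both cases before and after the fix; returns a result dict."""
    base, script, cacert, cert_mode_before = build_demo_tree()
    me, mygid = os.getuid(), os.getgid()
    radiusd = me + 1                                 # hypothetical unprivileged daemon uid
    r = {}
    r["script_as_owner"] = can_reach(script, me, {mygid}, need_exec=True)
    r["script_as_radiusd"] = can_reach(script, radiusd, {mygid + 1}, need_exec=True)
    r["cert_before"] = can_reach(cacert, radiusd, {mygid})   # radiusd is in the group
    r["cert_exec_before"] = bool(cert_mode_before & 0o111)
    r["fixed"] = fix_tree(os.path.join(base, "raddb"), mygid)
    r["cert_after"] = can_reach(cacert, radiusd, {mygid})
    r["cert_exec_after"] = bool(os.stat(cacert).st_mode & 0o111)
    r["democa_setgid"] = bool(os.stat(os.path.dirname(cacert)).st_mode & stat.S_ISGID)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run as-is it reports the script reachable for its owner but blocked at the 710 home directory for the daemon uid, the certificate blocked at the first 640 directory before the fix and readable (and no longer executable) after it, with setgid set on the fixed directories. Note that the walk stops at the first component without search permission, which is why "chmod 644 the file" never helps when the problem is a directory above it.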
Re: eap_tnc.c source not stricly C
Alan DeKok wrote:
> Andrew Hood wrote:
>> I know good style says newbies should lurk before posting, but anyway:
>>
>> Is freeradius supposed to be C89?
>
> It's supposed to be as portable as possible.
>
>> src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
>>
>> Is full of C++ comments and C99isms.
>
> Yes. Most of those should be fixed. As always, patches are welcome.

I'm not going to subscribe to developers just to send one patch, especially with all the warnings for non-core developers.

This removes those C99-isms and C++ comments which gcc+linux finds.

--
REALITY.SYS not found: Universe halted.

freeradius-server-2.0.3.patch.gz
Description: Unix tar archive
Re: eap_tnc.c source not stricly C
Alan DeKok wrote:
> Andrew Hood wrote:
>> I know good style says newbies should lurk before posting, but anyway:
>>
>> Is freeradius supposed to be C89?
>
> It's supposed to be as portable as possible.
>
>> src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
>>
>> Is full of C++ comments and C99isms.
>
> Yes. Most of those should be fixed. As always, patches are welcome.

OK

--
REALITY.SYS not found: Universe halted.

eap_tnc.c.diff.gz
Description: application/gzip
eap_tnc.c source not stricly C
I know good style says newbies should lurk before posting, but anyway:

Is freeradius supposed to be C89?

src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c

Is full of C++ comments and C99isms.

--
REALITY.SYS not found: Universe halted.