Re: Security issues with 1.1.3 flatfile

2011-08-01 Thread Andrew Hood
d.tom.schm...@l-3com.com wrote:
 Currently running 1.1.3 on CentOS 5.x.
 
  
 
 I am currently using the flat file option and it works just fine as long
 as the permissions on the file are:
 
   664   RW-RW-R--

Is the file owner the same as the user as which freeradius is running?
If it is, I would expect 400 or at worst 600 to work. That will probably
make editing a job for root. Or make it 660 where the group is user
management.

Andrew
-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Own exec module with bash: permission denied

2011-03-20 Thread Andrew Hood
Marten Pape wrote:

 
 ouch, that's it! /root didn't have the correct rights.

Wrong.

/root probably had the correct rights - usually 710. That is root's home
directory and should not be readable by any other user.

Put the script and anything it calls in a more appropriate place. If it
needs to be hidden from the general public, maybe under the home dir for
the user running radius, which should also be 750 or more restrictive
like 710.

Andrew
-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error logs on freeradius 2.1.8

2010-04-28 Thread Andrew Hood
Alan DeKok wrote:
 Oninz Unix wrote:
 
I know some of the threads are almost similar to my problem, but let
me send some logs from my freeradius logs.

Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:48 2010 : Info: WARNING: Child is hung for request 377.
 
 ...
 
Error: WARNING: Unresponsive child for request 384, in module
sql2_redundant component accounting
 
 ...
 
I hope you could help me where to start to debug and solve the problem.
 
 
   You have a firewall between the RADIUS server and database.  The
 firewall is dropping the RADIUS - database TCP connections.
 
   I have *no* idea why anyone thinks this is a good idea.  The firewall
 (if any) should be configured to allow ANY TCP (RADIUS - DB : port).
 But many people create rules allowing only established TCP
 connections, and then the firewall helpfully loses track of which
 sessions are established.
 
   Stop breaking your network.

Somewhat off topic, but relevant.

This is a generic problem with firewalls, and there appears to be no
solution which the security paranoid will accept. If you think this is
bad, try working with a mob who insist on dropping all ICMP traffic
(including frag required) at some or all firewalls.

Firewalls are normally configured to drop any established connection
from the tables where no traffic is sent for a configurable time. This
is to stop the tables growing uncontrollably.

If you are in this unfortunate position your only solution is to enable
TCP keepalive on all connections, and reduce the TCP keepalive timer to
below the firewall's connection drop timer.

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
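The keepalive remedy in the reply above is a socket option, not a RADIUS setting, so the following is an added example (not code from the post or from FreeRADIUS) of what a database client library would have to do on its TCP socket: turn on SO_KEEPALIVE and set the idle timer below the firewall's idle-drop timer. The 300 s firewall timer is a constructed value; the Linux option names TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are real, and the macOS spelling TCP_KEEPALIVE is used as a fallback for the idle timer.

```python
import socket


def keepalive_timers(firewall_idle_timeout_s, probe_interval_s=15, probe_count=3):
    """Choose keepalive timers for a path through a firewall that forgets idle
    TCP sessions after firewall_idle_timeout_s seconds. The first probe has to
    leave before that, so the idle timer is set to half the firewall timer."""
    if firewall_idle_timeout_s < 2:
        raise ValueError("firewall idle timeout too short for keepalive probes")
    idle_s = firewall_idle_timeout_s // 2
    return idle_s, probe_interval_s, probe_count


def enable_keepalive(sock, firewall_idle_timeout_s, probe_interval_s=15, probe_count=3):
    """Turn on SO_KEEPALIVE and, where the OS allows per-socket timers, set them.
    Without per-socket timers the system-wide defaults apply, which on Linux
    start probing only after two hours of silence: far too late for a firewall
    that drops idle state after minutes."""
    idle_s, interval_s, count = keepalive_timers(
        firewall_idle_timeout_s, probe_interval_s, probe_count)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):            # Linux
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
    elif hasattr(socket, "TCP_KEEPALIVE"):         # macOS name for the idle timer
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle_s)
    if hasattr(socket, "TCP_KEEPINTVL"):           # seconds between probes
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    if hasattr(socket, "TCP_KEEPCNT"):             # unanswered probes before giving up
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle_s, interval_s, count


def effective_settings(sock):
    """Read back what the kernel will actually use for this socket."""
    settings = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name in ("TCP_KEEPIDLE", "TCP_KEEPINTVL", "TCP_KEEPCNT"):
        if hasattr(socket, name):
            settings[name] = sock.getsockopt(socket.IPPROTO_TCP, getattr(socket, name))
    return settings


def demo(firewall_idle_timeout_s=300):
    """Constructed example: the firewall is assumed to expire idle sessions after
    300 s; a real deployment takes that number from the firewall's own config.
    The socket is configured before connecting, as a DB client would do."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        enable_keepalive(sock, firewall_idle_timeout_s)
        return effective_settings(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo())
```

The same idle value can be applied system-wide on Linux through the `net.ipv4.tcp_keepalive_time` sysctl when the client library offers no way to set it per socket; the point either way is that the first probe must go out before the firewall's table entry expires.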


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Andrew Hood
a.l.m.bu...@lboro.ac.uk wrote:

 chown -R radiusd:radiusd /etc/raddb
 
 chmod -R 755 /etc/raddb/certs

Yuck - marking data files executable. I'd start with:

 find /etc/raddb/certs -type d -exec chmod 755 {} \;
 find /etc/raddb/certs \! -type d -exec chmod 644 {} \;

and fix any program file that should be 755

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: client certs

2008-12-11 Thread Andrew Hood
[EMAIL PROTECTED] wrote:

 Try attached Makefile. It has been altered so client certificates are
 signed by the ca and not server certificate. I was unable to
 persuade up-to-date Windows PCs to accept server certificate as an
 Intermediate CA. Changing the issuer resolved the problem.

Shouldn't that be:


$ diff  Makefile.20081211 Makefile
92c92
   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext
-extfile xpextensions -config ./client.cnf
---
   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile
xpextensions -config ./client.cnf
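Review bot: the only change at 92c92 is the password handed to openssl ca via -key; the old line passes $(PASSWORD_SERVER) although -keyfile ca.key selects the CA's private key, so decryption would only succeed if both keys happened to share a passphrase, and the new line's $(PASSWORD_CA) is the one that belongs to ca.key. A one-line comment in the Makefile that -key here is the passphrase for -keyfile, not a key file, would stop the next reader confusing the two.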


-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: control-socket name one character short

2008-10-22 Thread Andrew Hood
Alan DeKok wrote:
 Thomas Fagart wrote:
 
I thought it was a question of rights, but even when I chmod/chown it with
more rights I still get the following error.

radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: No
such file or directory
 
 
   <shrug>  If that's the error being returned by the OS, I'm not sure
 what else to suggest.

strace/truss and find out what filename it is really trying to use?

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

2008-08-22 Thread Andrew Hood
Alan DeKok wrote:
 Andrew Hood wrote:
 
Pardon me if I've missed something, but as far as I can tell the server
cert isn't authorised to sign client certs, so I can't see how it could
work. The CA can sign client certs.
 
 
   There can be multiple levels of CA's.  Verisign, your company, the
 local division, etc.  This is all specifically allowed, and required, by
 SSL.

No argument there.

   My suggestion was that maybe what's needed was to mark the server cert
 with the CA properties.  The server cert would then be an intermediate
 CA, which is Just Fine.

That's what Sergio seemed to be getting at in changing with the Makefile
to have a CA rather than the server sign the client cert. Is that the
better way?

Is the answer to give the server the right to sign the cert, and if so
how you do it so as to complete the root CA-server-client chain?

However, there may be multiple servers, each with its own cert. Why
should a client cert be signed by one server when it may be used with
other servers?

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

2008-08-21 Thread Andrew Hood
Alan DeKok wrote:
 William Hegardt wrote:
 
EAP-TLS authentication fails with the fatal unknown ca message.
 
 
   The server cert may need to be marked with CA:true
 
 
If I hack the Makefile like Sergio mentioned last month to sign the
client certificate with
the CA key, then authentication succeeds.
 
 
   That can work, too.
 
 
I'd really like to understand what's wrong. Could wpa_supplicant be
somehow incompatible with
the bootstrap certificate chain?
 
 
   It's OpenSSL on both ends.  wpa_supplicant & FreeRADIUS are just
 wrappers to get the SSL data back and forth.

Pardon me if I've missed something, but as far as I can tell the server
cert isn't authorised to sign client certs, so I can't see how it could
work. The CA can sign client certs.


-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.0.5 on Solaris with openssl 0.9.8h

2008-08-17 Thread Andrew Hood
Alan DeKok wrote:
 Rafiqul Ahsan wrote:
 
Ok, I tried as follows :
 
 ...
 
Still ldd /usr/local/sbin/radiusd shows the shared object from
/usr/sfw/lib/*0.9.7
 
 
   Then the issue is that the linker is linking against libssl.so, and
 not libssl.so.0.9.8.  This means that at run-time, /usr/sfw/lib is
 found *before* /usr/local/lib, and so it links to the other version of
 libssl.
 
   The only solutions are:
 
   a) change the order of directories that the run-time linker uses
   b) delete the /usr/sfw/lib/libssl* files

I haven't tried the method I suggested earlier in this thread on
Solaris. I have done it on Linux. For reasons too complex to go into I
can not replace the default version of openssl, but I need a later
version to build freeradius. I put that version in the same target
directories:

openssl config:
./Configure no-shared enable-zlib-dynamic \
--prefix=/opt/freeradius --openssldir=/opt/freeradius/ssl \
linux-elf

freeradius configure script:

export PKG_CONFIG_PATH=/opt/freeradius/lib/pkgconfig
export CC='gcc -march=i686'
export F77='g77 -march=i686'
export CXX='g++ -march=i686'
export LDFLAGS='-Wl,-rpath -Wl,/opt/freeradius/lib'
./configure \
--prefix=/opt/freeradius \
--localstatedir=/var \
--with-openssl-includes=/opt/freeradius/include \
--with-openssl-libraries=/opt/freeradius/lib

And it works:

$ ldd /opt/freeradius/sbin/radiusd
libfreeradius-radius-2.0.5.so =>
/opt/freeradius/lib/libfreeradius-radius-2.0.5.so (0x40016000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4004d000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40062000)
libpthread.so.0 => /lib/libpthread.so.0 (0x40072000)
libsnmp.so.15 => /usr/local/lib/libsnmp.so.15 (0x40087000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4012e000)
libltdl.so.3 => /usr/lib/libltdl.so.3 (0x4015b000)
libdl.so.2 => /lib/libdl.so.2 (0x40162000)
libssl.so.0.9.8 => /opt/freeradius/lib/libssl.so.0.9.8 (0x40166000)
libcrypto.so.0.9.8 => /opt/freeradius/lib/libcrypto.so.0.9.8
(0x401a)
libc.so.6 => /lib/libc.so.6 (0x402c6000)
libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x403e9000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
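Reading the ldd listing by eye is how the thread above verifies the link, and it is easy to miss that the listing shows both libcrypto.so.0.9.8 from /opt/freeradius/lib and libcrypto.so.0 from /usr/lib, i.e. two OpenSSL builds in one process. The following is an added example, not code from the post or from FreeRADIUS, of a small checker that parses ldd output and flags OpenSSL libraries resolved outside the expected directory, any library present in more than one version, and anything the loader could not find. The sample listing is constructed from the one in the post; the expected directory /opt/freeradius/lib is the one the post's configure flags use.

```python
import posixpath
import re

# Constructed sample, modelled on the ldd listing in the post above. The two
# libcrypto entries are the part a reviewer should notice.
SAMPLE_LDD = """\
\tlibfreeradius-radius-2.0.5.so => /opt/freeradius/lib/libfreeradius-radius-2.0.5.so (0x40016000)
\tlibsnmp.so.15 => /usr/local/lib/libsnmp.so.15 (0x40087000)
\tlibssl.so.0.9.8 => /opt/freeradius/lib/libssl.so.0.9.8 (0x40166000)
\tlibcrypto.so.0.9.8 => /opt/freeradius/lib/libcrypto.so.0.9.8 (0x401a0000)
\tlibc.so.6 => /lib/libc.so.6 (0x402c6000)
\tlibcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x403e9000)
\t/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""

# soname => target (0xaddr); the target may also read "not found"
LINE_RE = re.compile(
    r"^\s*(?P<soname>\S+)\s*=>\s*(?P<target>.*?)\s*(?:\((?P<addr>0x[0-9a-fA-F]+)\))?\s*$")


def parse_ldd(text):
    """Return [(soname, path_or_None)] for each '=>' line of ldd output.
    'not found' becomes None; lines without a target (the vdso) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not target:
            continue
        entries.append((m.group("soname"), None if target == "not found" else target))
    return entries


def base_library(soname):
    """libcrypto.so.0.9.8 -> libcrypto, so differently versioned copies compare equal."""
    return re.sub(r"\.so(\..*)?$", "", posixpath.basename(soname))


def check_openssl(entries, expected_dir, names=("libssl", "libcrypto")):
    """Flag OpenSSL libraries resolved outside expected_dir, libraries loaded
    in more than one version, and libraries the loader could not find."""
    outside, missing, by_base = [], [], {}
    for soname, path in entries:
        base = base_library(soname)
        by_base.setdefault(base, []).append(soname)
        if path is None:
            missing.append(soname)
        elif base in names and posixpath.dirname(path) != expected_dir:
            outside.append(soname)
    duplicates = {b: s for b, s in by_base.items() if len(s) > 1}
    return {"outside": outside, "duplicates": duplicates, "missing": missing}


def report(text=SAMPLE_LDD, expected_dir="/opt/freeradius/lib"):
    """Run the checks over ldd output (the constructed sample by default)."""
    return check_openssl(parse_ldd(text), expected_dir)


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

In practice the text comes from `ldd /opt/freeradius/sbin/radiusd` (or `ldd` on each module .so under the lib directory, since modules such as rlm_sql drivers are loaded later and are not in the main binary's listing); a second libcrypto usually means some other dependency, libsnmp in the listing above being a candidate, was linked against the system OpenSSL, and both copies end up in the process.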


Re: 2.0.5 on Solaris with openssl 0.9.8h

2008-08-16 Thread Andrew Hood
Rafiqul Ahsan wrote:
 It is Solaris 10 (V210). Now I have added below Flags (as per your
 previous email) :
 
 CFLAGS=-I/usr/local/ssl/include/openssl
 CPPFLAGS=-I/usr/local/ssl/include/openssl
 LDFLAGS='-L/usr/local/ssl/lib -R/usr/local/ssl/lib'
 export CFLAGS CPPFLAGS LDFLAGS
 
 How else to verify that my Freeradius 2.0.5 was built with
 openssl 0.9.8h (Again, please note openssl 0.9.8h was installed in
 /usr/local/ssl, and prebuilt openssl (came with Solaris 10) 0.9.7 is
 at /usr/sfw) ? I wanted to build with 0.9.8h because it supports
 advanced crypto like sha2, sha256 etc. But still does not seem like
 Freeradius is working with sha256.
 
 Here is the part of make log :
  gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/local/ssl/include/openssl 
 -I/usr/local/s
 sl/include/openssl -c ltdl.c  -fPIC -DPIC -o .libs/ltdl.o
  gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/local/ssl/include/openssl 
 -I/usr/local/s
 sl/include/openssl -c ltdl.c -o ltdl.o >/dev/null 2>&1
 /bin/bash ./libtool --tag=CC   --mode=link gcc  
 -I/usr/local/ssl/include/openssl
  -no-undefined -version-info 4:4:1 -L/usr/local/ssl/lib -R/usr/local/ssl/lib 
 -o
 libltdl.la -rpath /usr/local/lib ltdl.lo -ldl
 gcc -shared -Wl,-h -Wl,libltdl.so.3 -o .libs/libltdl.so.3.1.4  .libs/ltdl.o  
 -R/
 usr/local/ssl/lib -L/usr/local/ssl/lib -ldl -lc
 (cd .libs && rm -f libltdl.so.3 && ln -s libltdl.so.3.1.4 libltdl.so.3)
 (cd .libs && rm -f libltdl.so && ln -s libltdl.so.3.1.4 libltdl.so)
 ar cru .libs/libltdl.a  ltdl.o
 ranlib .libs/libltdl.a
 creating libltdl.la

Assuming you have run make install, what does

ldd /your/path/to/libltdl.so

return?
-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.0.5 on Solaris with openssl 0.9.8h

2008-08-15 Thread Andrew Hood
Rafiqul Ahsan wrote:
 Hi Alan, and All,
 
 Well, I believe I have linked Freeradius 2.0.5 with the right openssl
 (0.9.8h) now by adding below env variables(my build logs also says
 that linked with -L/usr/local/ssl/lib). However I still see the same
 error while using sha256 encryption algorithm with RSA 2048 key. I
 sent this query to openssl maillist, they are sending me back to you
 (freeradius folks) to verify whether Freeradius supports sha2, sha256
 etc. (I hoped that below patch would allow, but no luck).
 
 CFLAGS=-I/usr/local/ssl/include/openssl
 CPPFLAGS=-I/usr/local/ssl/include/openssl
 LDFLAGS=-L/usr/local/ssl/lib
 export CFLAGS CPPFLAGS LDFLAGS

I forget. Were you using the Sun toolchain or GNU?

You probably need one of:

LDFLAGS='-L/usr/local/ssl/lib -Wl,-rpath -Wl,/usr/local/ssl/lib'

or

LDFLAGS='-L/usr/local/ssl/lib -R/usr/local/ssl/lib'

or whatever similar incantation your linker wants to achieve the same
result, forcing it to use the version of openssl in /usr/local/lib


-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dhcp server (DHCPFlags feature)

2008-06-21 Thread Andrew Hood
Alan DeKok wrote:
 Haralds Ulmanis wrote:
 
Just checked out from cvs .. and got compile error:
...
/root/freeradius/radiusd/src/main/listen.c:309: undefined reference to 
`request_stats_reply'
 
 
   Edit src/main/Makefile, and add stats.c to the SERVER_SRCS line.
 
   It's in Makefile.in, but you probably didn't re-run configure, and
 likely don't want to do that, either.

That sounds odd, assuming normal auto* practice. The top Makefile should
contain a rule:

Makefile: Makefile.in

which would run ./config.status --recheck

What platform and version of make was this?

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: newbie on radiustesting, Buxey and Hood

2008-04-17 Thread Andrew Hood
[EMAIL PROTECTED] wrote:
 Hi,
 
By the way:
What would be the difference having the proposal of Andrew Hood performed:

find /etc/raddb/ -type d -exec chmod ug+x {} \;

compared to the proposal of Alan Buxey:

chmod -R ugo+x /etc/raddb/certs

I am not so familiar with the /-type d/ part of the find command
Would the result be the same?
 
 
 my suggestion would have made all files in certs directory
 executable by others. maybe too much. but it works! :-)

Which is exactly why I suggested what I did. Directories need the x
attribute to permit them to be searched. Files only need the x attribute
so they can be executed.

Since you said the files and directories all had group radiusd, and the
user was a member of that group, setting ug+x on directories is enough.
There should be no need for anyone outside group radiusd to be able to
search those directories.

It would probably make sense to also:

chgrp -R radiusd /etc/raddb/
find /etc/raddb/ -type d -exec chmod g+s {} \;

So all the existing objects would have group radiusd, and any new ones
will get group radiusd.


-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: newbie on radiustesting

2008-04-16 Thread Andrew Hood
Si St wrote:

 linux:/etc/raddb/certs # l
 insgesamt 53
 drw-r-----  3 root radiusd  472 2008-03-31 22:53 ./
 drwxr-xr-x  5 root root     728 2008-04-16 20:40 ../
 -rw-r-----  1 root radiusd  721 2005-09-13 04:15 cert-clt.der
 -rw-r-----  1 root radiusd 1741 2005-09-13 04:15 cert-clt.p12
 -rw-r-----  1 root radiusd 2452 2005-09-13 04:15 cert-clt.pem
 -rw-r-----  1 root radiusd  717 2005-09-13 04:15 cert-srv.der
 -rw-r-----  1 root radiusd 1733 2005-09-13 04:15 cert-srv.p12
 -rw-r-----  1 root radiusd 2439 2005-09-13 04:15 cert-srv.pem
 drw-r-----  2 root radiusd  200 2008-03-31 22:53 demoCA/
 -rw-r-----  1 root radiusd    0 2005-09-13 04:15 dh
 -rw-r-----  1 root radiusd 2913 2005-09-13 04:15 newcert.pem
 -rw-r-----  1 root radiusd 1753 2005-09-13 04:15 newreq.pem
 -rw-r-----  1 root radiusd 1024 2005-09-13 04:15 random
 -rw-r-----  1 root radiusd  431 2005-09-13 04:15 README
 -rw-r-----  1 root radiusd  954 2005-09-13 04:15 root.der
 -rw-r-----  1 root radiusd 1973 2005-09-13 04:15 root.p12
 -rw-r-----  1 root radiusd 2764 2005-09-13 04:15 root.pem
 
 linux:/etc/raddb/certs/demoCA # l
 insgesamt 21
 drw-r-----  2 root radiusd  200 2008-03-31 22:53 ./
 drw-r-----  3 root radiusd  472 2008-03-31 22:53 ../
 -rw-r-----  1 root radiusd 1346 2005-09-13 04:15 cacert.pem
 -rw-r-----  1 root radiusd  276 2005-09-13 04:15 index.txt
 -rw-r-----  1 root radiusd  140 2005-09-13 04:15 index.txt.old
 -rw-r-----  1 root radiusd    3 2005-09-13 04:15 serial
 -rw-r-----  1 root radiusd    3 2005-09-13 04:15 serial.old

Bad directory perms?

umask 022
find /etc/raddb/ -type d -exec chmod ug+x {} \;

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
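The three permission threads above ("Login to Cisco devices through freeradius", the two "newbie on radiustesting" posts) all turn on the same point: a directory needs the x bit to be searched, a data file never does, and `chmod -R 755` on a certs directory hands every key and certificate an executable bit it has no use for. The following is an added example, not code from any of the posts or from FreeRADIUS, that builds a throwaway tree shaped like /etc/raddb/certs, applies the blanket recursive chmod, then applies the same logic as the two `find` commands (755 on directories, 644 on everything else, x restored only on real programs) together with the setgid-on-directories step from the later post. The "program file" test (a `#!` first line) and the file names in the tree are assumptions made for the example; the `chgrp -R radiusd` step is left to the caller because the group need not exist on the machine running this.

```python
import os
import stat
import tempfile


def build_sample_tree(root):
    """Constructed tree shaped like /etc/raddb/certs: two data files, one script."""
    certs = os.path.join(root, "certs")
    os.makedirs(os.path.join(certs, "demoCA"))
    for rel in ("server.pem", os.path.join("demoCA", "cacert.pem")):
        with open(os.path.join(certs, rel), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n")   # placeholder content only
    with open(os.path.join(certs, "bootstrap"), "w") as fh:
        fh.write("#!/bin/sh\necho ok\n")                # the one file that should run
    return certs


def mode(path):
    """Permission bits (including setgid/setuid/sticky) of a path."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def chmod_recursive(top, bits):
    """Equivalent of `chmod -R <bits> top`: same bits on directories and files alike."""
    os.chmod(top, bits)
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), bits)


def is_program(path):
    """Assumed heuristic for 'program file': starts with a #! line."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"


def fix_tree(top, dir_mode=0o755, file_mode=0o644, prog_mode=0o755, setgid_dirs=False):
    """Mirror of the two find commands: directories get search bits, files lose
    the x bit, and only real programs get it back. With setgid_dirs the
    directories also get g+s so new files inherit the directory's group."""
    dir_bits = dir_mode | (stat.S_ISGID if setgid_dirs else 0)
    for dirpath, dirnames, filenames in os.walk(top):
        os.chmod(dirpath, dir_bits)          # os.walk yields every directory, top included
        for name in filenames:
            path = os.path.join(dirpath, name)
            os.chmod(path, prog_mode if is_program(path) else file_mode)


def demo():
    """Apply the blanket chmod, then the targeted fix, and report the modes seen."""
    with tempfile.TemporaryDirectory() as tmp:
        certs = build_sample_tree(tmp)
        pem = os.path.join(certs, "server.pem")
        chmod_recursive(certs, 0o755)
        blanket_pem = mode(pem)              # a PEM file that is now "executable"
        fix_tree(certs, setgid_dirs=True)
        return {
            "blanket_pem": blanket_pem & 0o777,
            "pem": mode(pem) & 0o777,
            "demoCA": mode(os.path.join(certs, "demoCA")) & 0o777,
            "bootstrap": mode(os.path.join(certs, "bootstrap")) & 0o777,
        }


if __name__ == "__main__":
    for name, bits in demo().items():
        print(f"{name}: {bits:o}")
```

Run against a real tree, the function would be called on the certs directory after `chgrp -R radiusd`; the setgid bit is reported only when the caller's group allows it, which is why the returned modes are masked to the low nine bits.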


Re: eap_tnc.c source not strictly C

2008-04-09 Thread Andrew Hood
Alan DeKok wrote:
 Andrew Hood wrote:
 
I know good style says newbies should lurk before posting, but anyway:

Is freeradius supposed to be C89?
 
 
   It's supposed to be as portable as possible.
 
 
src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c

Is full of C++ comments and C99isms.
 
 
   Yes.  Most of those should be fixed.
 
   As always, patches are welcome.

I'm not going to subscribe to developers just to send one patch,
especially with all the warnings for non-core developers.

This removes those C99-isms and C++ comments which gcc+linux finds.

-- 
REALITY.SYS not found: Universe halted.


freeradius-server-2.0.3.patch.gz
Description: Unix tar archive
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_tnc.c source not strictly C

2008-02-12 Thread Andrew Hood
Alan DeKok wrote:
 Andrew Hood wrote:
 
I know good style says newbies should lurk before posting, but anyway:

Is freeradius supposed to be C89?
 
 
   It's supposed to be as portable as possible.
 
 
src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c

Is full of C++ comments and C99isms.
 
 
   Yes.  Most of those should be fixed.
 
   As always, patches are welcome.

OK

-- 
REALITY.SYS not found: Universe halted.


eap_tnc.c.diff.gz
Description: application/gzip
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

eap_tnc.c source not strictly C

2008-02-11 Thread Andrew Hood
I know good style says newbies should lurk before posting, but anyway:

Is freeradius supposed to be C89?

src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c

Is full of C++ comments and C99isms.

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html