import freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b

This commit is contained in:
CentOS Sources 2019-08-01 22:51:11 -04:00 committed by Stepan Oksanichenko
commit c61de46093
16 changed files with 3103 additions and 0 deletions

1
.freeradius.metadata Normal file
View File

@ -0,0 +1 @@
a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/freeradius-server-3.0.17.tar.bz2

View File

@ -0,0 +1,97 @@
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 12:20:11 +0300
Subject: [PATCH] man: Add missing option descriptions
---
man/man8/raddebug.8 | 4 ++++
man/man8/radiusd.8 | 7 +++++++
man/man8/radmin.8 | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
index 66e80e64fa..6e27e2453c 100644
--- a/man/man8/raddebug.8
+++ b/man/man8/raddebug.8
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
.IR condition ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-n
.IR name ]
.RB [ \-i
@@ -73,6 +75,8 @@ option is equivalent to using:
.IP "\-d \fIconfig directory\fP"
The radius configuration directory, usually /etc/raddb. See the
\fIradmin\fP manual page for more description of this option.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-n \fImname\fP"
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
.IP \-I\ \fIipv6-address\fP
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index c825f22d0d..98aef5e1be 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
.RB [ \-C ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-f ]
.RB [ \-h ]
.RB [ \-i
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
.IR name ]
.RB [ \-p
.IR port ]
+.RB [ \-P ]
.RB [ \-s ]
.RB [ \-t ]
.RB [ \-v ]
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
.IP "\-d \fIconfig directory\fP"
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
files such as the \fIdictionary\fP and the \fIusers\fP files.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP \-f
Do not fork, stay running as a foreground process.
.IP \-h
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
\fIradiusd.conf\fP are ignored.
This option MUST be used in conjunction with "-i".
+.IP "\-P
+Always write out PID, even with -f.
.IP \-s
Run in "single server" mode. The server normally runs with multiple
threads and/or processes, which can lower its response time to
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
index 5ecc963d81..5bf661fa71 100644
--- a/man/man8/radmin.8
+++ b/man/man8/radmin.8
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
.B radmin
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-e
.IR command ]
.RB [ \-E ]
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
configuration files to find the "listen" section that defines the
control socket filename.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-e \fIcommand\fP"
Run \fIcommand\fP and exit.
.IP \-E
--
2.18.0

View File

@ -0,0 +1,60 @@
From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 8 Sep 2014 12:32:13 +0300
Subject: [PATCH] Adjust configuration to fit Red Hat specifics
---
raddb/mods-available/eap | 4 ++--
raddb/radiusd.conf.in | 7 +++----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 2621e183c..94494b2c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -472,7 +472,7 @@ eap {
#
# You should also delete all of the files
# in the directory when the server starts.
- # tmpdir = /tmp/radiusd
+ # tmpdir = /var/run/radiusd/tmp
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
@@ -486,7 +486,7 @@ eap {
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
#
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a83c1f687..e500cf97b 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
#
# libdir: Where to find the rlm_* modules.
@@ -398,8 +397,8 @@ security {
# member. This can allow for some finer-grained access
# controls.
#
-# user = radius
-# group = radius
+ user = radiusd
+ group = radiusd
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
--
2.13.2

View File

@ -0,0 +1,45 @@
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||

View File

@ -0,0 +1,68 @@
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 09:54:46 -0400
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-MD5.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
index 2c662ff368..1cca00fa2a 100644
--- a/src/lib/hmacmd5.c
+++ b/src/lib/hmacmd5.c
@@ -27,10 +27,41 @@
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#include <freeradius-devel/md5.h>
-/** Calculate HMAC using MD5
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's MD5 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ *
+ */
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
+
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+#else
+/** Calculate HMAC using internal MD5 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -101,6 +132,7 @@
* hash */
fr_md5_final(digest, &context); /* finish up 2nd pass */
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

View File

@ -0,0 +1,73 @@
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 11:03:52 -0400
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-SHA1.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
index c3cbd87a2c..211470ea35 100644
--- a/src/lib/hmacsha1.c
+++ b/src/lib/hmacsha1.c
@@ -10,13 +10,19 @@
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#ifdef HMAC_SHA1_DATA_PROBLEMS
unsigned int sha1_data_problems = 0;
#endif
-/** Calculate HMAC using SHA1
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's SHA1 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -28,6 +34,26 @@
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
uint8_t const *key, size_t key_len)
{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+
+#else
+
+/** Calculate HMAC using internal SHA1 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ */
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
fr_sha1_ctx context;
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
@@ -142,6 +168,7 @@
}
#endif
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

View File

@ -0,0 +1,76 @@
From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 26 Sep 2016 19:48:36 +0300
Subject: [PATCH] Use system crypto policy by default
---
raddb/mods-available/eap | 2 +-
raddb/mods-available/inner-eap | 2 +-
raddb/sites-available/abfab-tls | 2 +-
raddb/sites-available/tls | 4 ++--
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 94494b2c6..9a8dc9327 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -323,7 +323,7 @@ eap {
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
#
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 2b4df6267..af9aa88cd 100644
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -68,7 +68,7 @@ eap inner-eap {
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 5dbe143da..46b5fea78 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
cache {
enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index cf1cd7a8a..7dd59cb6f 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -197,7 +197,7 @@ listen {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -499,7 +499,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
}
}
--
2.13.2

View File

@ -0,0 +1,42 @@
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 22 Apr 2019 14:38:19 -0400
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
which effectively result in a listen.ipaddr only allowing hostnames to
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
it'll bail with the error message:
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
Name or service not known
This directly contradicts the language in the default configuration
file, so support resolving both IPv4-only and IPv6-only hostnames.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/misc.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index dff21e33f7..5520d8a0a4 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
fr_strerror_printf("Invalid address");
return -1;
}
-
- /*
- * Fall through to resolving the address, using
- * whatever address family they prefer. If they
- * don't specify an address family, force IPv4.
- */
- if (af == AF_UNSPEC) af = AF_INET;
}
/*

View File

@ -0,0 +1,57 @@
# You can use this to rotate the /var/log/radius/* files, simply copy
# it to /etc/logrotate.d/radiusd
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/radius/radacct/*/detail {
monthly
rotate 4
nocreate
missingok
compress
su radiusd radiusd
}
/var/log/radius/checkrad.log {
monthly
rotate 4
create
missingok
compress
su radiusd radiusd
}
/var/log/radius/radius.log {
monthly
rotate 4
create
missingok
compress
su radiusd radiusd
postrotate
/usr/bin/systemctl reload-or-try-restart radiusd
endscript
}
/var/log/radius/radwtmp {
monthly
rotate 4
create
compress
missingok
su radiusd radiusd
}
/var/log/radius/sqltrace.sql {
monthly
rotate 4
create
compress
missingok
su radiusd radiusd
}

View File

@ -0,0 +1,94 @@
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 11:53:28 +0300
Subject: [PATCH] man: Fix some typos
---
man/man5/radrelay.conf.5 | 2 +-
man/man5/rlm_files.5 | 2 +-
man/man5/unlang.5 | 8 ++++----
man/man8/radrelay.8 | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
index 5fb38bfc4e..e3e665024b 100644
--- a/man/man5/radrelay.conf.5
+++ b/man/man5/radrelay.conf.5
@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
backup server. When the primary goes down, most NASes detect that and
switch to the backup server.
-That will cause your accounting packets to go the the backup server -
+That will cause your accounting packets to go to the backup server -
and some NASes don't even switch back to the primary server when it
comes back up.
diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
index bfee5030ff..52f4734ae3 100644
--- a/man/man5/rlm_files.5
+++ b/man/man5/rlm_files.5
@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
perform per-group checks, and return per-group attributes, where the
group membership is dynamically defined by a previous module. It also
lets you do things like key off of attributes in the reply, and
-express policies like like "when I send replies containing attribute
+express policies like "when I send replies containing attribute
FOO with value BAR, do more checks, and maybe send additional
attributes".
.SH CONFIGURATION
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
index 76db8f2d1c..12fe7855b2 100644
--- a/man/man5/unlang.5
+++ b/man/man5/unlang.5
@@ -36,7 +36,7 @@ the pre-defined keywords here.
Subject to a few limitations described below, any keyword can appear
in any context. The language consists of a series of entries, each
-one one line. Each entry begins with a keyword. Entries are
+one line. Each entry begins with a keyword. Entries are
organized into lists. Processing of the language is line by line,
from the start of the list to the end. Actions are executed
per-keyword.
@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below. The match is
then performed on the string returned from the expansion. If the
argument is an attribute reference (e.g. &User-Name), then the match
is performed on the value of that attribute. Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
+is taken to be a literal string, and matching is done via simple
comparison.
No statement other than "case" can appear in a "switch" block.
@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below. The match is
then performed on the string returned from the expansion. If the
argument is an attribute reference (e.g. &User-Name), then the match
is performed on the value of that attribute. Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
+is taken to be a literal string, and matching is done via simple
comparison.
.DS
@@ -799,7 +799,7 @@ regular expression. If no attribute matches, nothing else is done.
The value can be an attribute reference, or an attribute-specific
string.
-When the value is an an attribute reference, it must take the form of
+When the value is an attribute reference, it must take the form of
"&Attribute-Name". The leading "&" signifies that the value is a
reference. The "Attribute-Name" is an attribute name, such as
"User-Name" or "request:User-Name". When an attribute reference is
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
index fdba6995d5..99e65732a2 100644
--- a/man/man8/radrelay.8
+++ b/man/man8/radrelay.8
@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
backup server. When the primary goes down, most NASes detect that and
switch to the backup server.
-That will cause your accounting packets to go the the backup server -
+That will cause your accounting packets to go to the backup server -
and some NASes don't even switch back to the primary server when it
comes back up.
--
2.18.0

View File

@ -0,0 +1,6 @@
#%PAM-1.0
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth

View File

@ -0,0 +1,64 @@
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 18 Oct 2018 12:40:53 -0400
Subject: [PATCH] Clarify shebangs to be python2
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
scripts/radtee | 2 +-
src/modules/rlm_python/example.py | 2 +-
src/modules/rlm_python/prepaid.py | 2 +-
src/modules/rlm_python/radiusd.py | 2 +-
src/modules/rlm_python/radiusd_test.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/radtee b/scripts/radtee
index 123769d244..78b4bcbe0b 100755
--- a/scripts/radtee
+++ b/scripts/radtee
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python2
from __future__ import with_statement
# RADIUS comparison tee v1.0
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
index 5950a07678..eaf456e349 100644
--- a/src/modules/rlm_python/example.py
+++ b/src/modules/rlm_python/example.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module example file
# Miguel A.L. Paraz <mparaz@mparaz.com>
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
index c3cbf57b8f..3b1dc2e2e8 100644
--- a/src/modules/rlm_python/prepaid.py
+++ b/src/modules/rlm_python/prepaid.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Example Python module for prepaid usage using MySQL
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
index c535bb3caf..7129923994 100644
--- a/src/modules/rlm_python/radiusd.py
+++ b/src/modules/rlm_python/radiusd.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Definitions for RADIUS programs
#
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
index 13b7128b29..97b5b64f08 100644
--- a/src/modules/rlm_python/radiusd_test.py
+++ b/src/modules/rlm_python/radiusd_test.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module test
# Miguel A.L. Paraz <mparaz@mparaz.com>

View File

@ -0,0 +1 @@
D /var/run/radiusd 0710 radiusd radiusd -

15
SOURCES/radiusd.service Normal file
View File

@ -0,0 +1,15 @@
[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
[Service]
Type=forking
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target

2403
SPECS/freeradius.spec Normal file

File diff suppressed because it is too large Load Diff