import freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b
This commit is contained in:
commit
c61de46093
1
.freeradius.metadata
Normal file
1
.freeradius.metadata
Normal file
@ -0,0 +1 @@
|
||||
a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/freeradius-server-3.0.17.tar.bz2
|
97
SOURCES/freeradius-Add-missing-option-descriptions.patch
Normal file
97
SOURCES/freeradius-Add-missing-option-descriptions.patch
Normal file
@ -0,0 +1,97 @@
|
||||
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 12:20:11 +0300
|
||||
Subject: [PATCH] man: Add missing option descriptions
|
||||
|
||||
---
|
||||
man/man8/raddebug.8 | 4 ++++
|
||||
man/man8/radiusd.8 | 7 +++++++
|
||||
man/man8/radmin.8 | 4 ++++
|
||||
3 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
|
||||
index 66e80e64fa..6e27e2453c 100644
|
||||
--- a/man/man8/raddebug.8
|
||||
+++ b/man/man8/raddebug.8
|
||||
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
|
||||
.IR condition ]
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-n
|
||||
.IR name ]
|
||||
.RB [ \-i
|
||||
@@ -73,6 +75,8 @@ option is equivalent to using:
|
||||
.IP "\-d \fIconfig directory\fP"
|
||||
The radius configuration directory, usually /etc/raddb. See the
|
||||
\fIradmin\fP manual page for more description of this option.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP "\-n \fImname\fP"
|
||||
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
|
||||
.IP \-I\ \fIipv6-address\fP
|
||||
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||
index c825f22d0d..98aef5e1be 100644
|
||||
--- a/man/man8/radiusd.8
|
||||
+++ b/man/man8/radiusd.8
|
||||
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
|
||||
.RB [ \-C ]
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-f ]
|
||||
.RB [ \-h ]
|
||||
.RB [ \-i
|
||||
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
|
||||
.IR name ]
|
||||
.RB [ \-p
|
||||
.IR port ]
|
||||
+.RB [ \-P ]
|
||||
.RB [ \-s ]
|
||||
.RB [ \-t ]
|
||||
.RB [ \-v ]
|
||||
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
|
||||
.IP "\-d \fIconfig directory\fP"
|
||||
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
|
||||
files such as the \fIdictionary\fP and the \fIusers\fP files.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP \-f
|
||||
Do not fork, stay running as a foreground process.
|
||||
.IP \-h
|
||||
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
|
||||
\fIradiusd.conf\fP are ignored.
|
||||
|
||||
This option MUST be used in conjunction with "-i".
|
||||
+.IP "\-P
|
||||
+Always write out PID, even with -f.
|
||||
.IP \-s
|
||||
Run in "single server" mode. The server normally runs with multiple
|
||||
threads and/or processes, which can lower its response time to
|
||||
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
|
||||
index 5ecc963d81..5bf661fa71 100644
|
||||
--- a/man/man8/radmin.8
|
||||
+++ b/man/man8/radmin.8
|
||||
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
|
||||
.B radmin
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-e
|
||||
.IR command ]
|
||||
.RB [ \-E ]
|
||||
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
|
||||
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
|
||||
configuration files to find the "listen" section that defines the
|
||||
control socket filename.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP "\-e \fIcommand\fP"
|
||||
Run \fIcommand\fP and exit.
|
||||
.IP \-E
|
||||
--
|
||||
2.18.0
|
||||
|
@ -0,0 +1,60 @@
|
||||
From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Mon, 8 Sep 2014 12:32:13 +0300
|
||||
Subject: [PATCH] Adjust configuration to fit Red Hat specifics
|
||||
|
||||
---
|
||||
raddb/mods-available/eap | 4 ++--
|
||||
raddb/radiusd.conf.in | 7 +++----
|
||||
2 files changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
||||
index 2621e183c..94494b2c6 100644
|
||||
--- a/raddb/mods-available/eap
|
||||
+++ b/raddb/mods-available/eap
|
||||
@@ -472,7 +472,7 @@ eap {
|
||||
#
|
||||
# You should also delete all of the files
|
||||
# in the directory when the server starts.
|
||||
- # tmpdir = /tmp/radiusd
|
||||
+ # tmpdir = /var/run/radiusd/tmp
|
||||
|
||||
# The command used to verify the client cert.
|
||||
# We recommend using the OpenSSL command-line
|
||||
@@ -486,7 +486,7 @@ eap {
|
||||
# in PEM format. This file is automatically
|
||||
# deleted by the server when the command
|
||||
# returns.
|
||||
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
|
||||
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
|
||||
}
|
||||
|
||||
#
|
||||
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
|
||||
index a83c1f687..e500cf97b 100644
|
||||
--- a/raddb/radiusd.conf.in
|
||||
+++ b/raddb/radiusd.conf.in
|
||||
@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
run_dir = ${localstatedir}/run/${name}
|
||||
|
||||
-# Should likely be ${localstatedir}/lib/radiusd
|
||||
-db_dir = ${raddbdir}
|
||||
+db_dir = ${localstatedir}/lib/radiusd
|
||||
|
||||
#
|
||||
# libdir: Where to find the rlm_* modules.
|
||||
@@ -398,8 +397,8 @@ security {
|
||||
# member. This can allow for some finer-grained access
|
||||
# controls.
|
||||
#
|
||||
-# user = radius
|
||||
-# group = radius
|
||||
+ user = radiusd
|
||||
+ group = radiusd
|
||||
|
||||
# Core dumps are a bad thing. This should only be set to
|
||||
# 'yes' if you're debugging a problem with the server.
|
||||
--
|
||||
2.13.2
|
||||
|
45
SOURCES/freeradius-EAP-PWD-curve-handling.patch
Normal file
45
SOURCES/freeradius-EAP-PWD-curve-handling.patch
Normal file
@ -0,0 +1,45 @@
|
||||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
index 7f91e4b230..848ca2055e 100644
|
||||
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
||||
data_len = BN_num_bytes(session->order);
|
||||
BN_bin2bn(ptr, data_len, session->peer_scalar);
|
||||
|
||||
+ /* validate received scalar */
|
||||
+ if (BN_is_zero(session->peer_scalar) ||
|
||||
+ BN_is_one(session->peer_scalar) ||
|
||||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
|
||||
+ ERROR("Peer's scalar is not within the allowed range");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
|
||||
DEBUG2("pwd: unable to get coordinates of peer's element");
|
||||
goto finish;
|
||||
}
|
||||
|
||||
+ /* validate received element */
|
||||
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
|
||||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
|
||||
+ ERROR("Peer's element is not a point on the elliptic curve");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
/* check to ensure peer's element is not in a small sub-group */
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
|
||||
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
||||
}
|
||||
}
|
||||
|
||||
+ /* detect reflection attacks */
|
||||
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
|
||||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
|
||||
+ ERROR("Reflection attack detected");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
/* compute the shared key, k */
|
||||
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
|
||||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
|
68
SOURCES/freeradius-OpenSSL-HMAC-MD5.patch
Normal file
68
SOURCES/freeradius-OpenSSL-HMAC-MD5.patch
Normal file
@ -0,0 +1,68 @@
|
||||
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 28 Sep 2018 09:54:46 -0400
|
||||
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
|
||||
|
||||
If OpenSSL EVP is not found, fallback to internal implementation of
|
||||
HMAC-MD5.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 33 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
|
||||
index 2c662ff368..1cca00fa2a 100644
|
||||
--- a/src/lib/hmacmd5.c
|
||||
+++ b/src/lib/hmacmd5.c
|
||||
@@ -27,10 +27,41 @@
|
||||
|
||||
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
|
||||
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+#include <openssl/hmac.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#endif
|
||||
+
|
||||
#include <freeradius-devel/libradius.h>
|
||||
#include <freeradius-devel/md5.h>
|
||||
|
||||
-/** Calculate HMAC using MD5
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+/** Calculate HMAC using OpenSSL's MD5 implementation
|
||||
+ *
|
||||
+ * @param digest Caller digest to be filled in.
|
||||
+ * @param text Pointer to data stream.
|
||||
+ * @param text_len length of data stream.
|
||||
+ * @param key Pointer to authentication key.
|
||||
+ * @param key_len Length of authentication key.
|
||||
+ *
|
||||
+ */
|
||||
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
+ uint8_t const *key, size_t key_len)
|
||||
+{
|
||||
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||
+
|
||||
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
|
||||
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
|
||||
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
|
||||
+
|
||||
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
|
||||
+ HMAC_Update(ctx, text, text_len);
|
||||
+ HMAC_Final(ctx, digest, NULL);
|
||||
+ HMAC_CTX_free(ctx);
|
||||
+}
|
||||
+#else
|
||||
+/** Calculate HMAC using internal MD5 implementation
|
||||
*
|
||||
* @param digest Caller digest to be filled in.
|
||||
* @param text Pointer to data stream.
|
||||
@@ -101,6 +132,7 @@
|
||||
* hash */
|
||||
fr_md5_final(digest, &context); /* finish up 2nd pass */
|
||||
}
|
||||
+#endif /* HAVE_OPENSSL_EVP_H */
|
||||
|
||||
/*
|
||||
Test Vectors (Trailing '\0' of a character string not included in test):
|
73
SOURCES/freeradius-OpenSSL-HMAC-SHA1.patch
Normal file
73
SOURCES/freeradius-OpenSSL-HMAC-SHA1.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 28 Sep 2018 11:03:52 -0400
|
||||
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
|
||||
|
||||
If OpenSSL EVP is not found, fallback to internal implementation of
|
||||
HMAC-SHA1.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
|
||||
1 file changed, 28 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
|
||||
index c3cbd87a2c..211470ea35 100644
|
||||
--- a/src/lib/hmacsha1.c
|
||||
+++ b/src/lib/hmacsha1.c
|
||||
@@ -10,13 +10,19 @@
|
||||
|
||||
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
|
||||
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+#include <openssl/hmac.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#endif
|
||||
+
|
||||
#include <freeradius-devel/libradius.h>
|
||||
|
||||
#ifdef HMAC_SHA1_DATA_PROBLEMS
|
||||
unsigned int sha1_data_problems = 0;
|
||||
#endif
|
||||
|
||||
-/** Calculate HMAC using SHA1
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+/** Calculate HMAC using OpenSSL's SHA1 implementation
|
||||
*
|
||||
* @param digest Caller digest to be filled in.
|
||||
* @param text Pointer to data stream.
|
||||
@@ -28,6 +34,26 @@
|
||||
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
uint8_t const *key, size_t key_len)
|
||||
{
|
||||
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
|
||||
+ HMAC_Update(ctx, text, text_len);
|
||||
+ HMAC_Final(ctx, digest, NULL);
|
||||
+ HMAC_CTX_free(ctx);
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+
|
||||
+/** Calculate HMAC using internal SHA1 implementation
|
||||
+ *
|
||||
+ * @param digest Caller digest to be filled in.
|
||||
+ * @param text Pointer to data stream.
|
||||
+ * @param text_len length of data stream.
|
||||
+ * @param key Pointer to authentication key.
|
||||
+ * @param key_len Length of authentication key.
|
||||
+ */
|
||||
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
+ uint8_t const *key, size_t key_len)
|
||||
+{
|
||||
fr_sha1_ctx context;
|
||||
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
|
||||
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
|
||||
@@ -142,6 +168,7 @@
|
||||
}
|
||||
#endif
|
||||
}
|
||||
+#endif /* HAVE_OPENSSL_EVP_H */
|
||||
|
||||
/*
|
||||
Test Vectors (Trailing '\0' of a character string not included in test):
|
76
SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
Normal file
76
SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
Normal file
@ -0,0 +1,76 @@
|
||||
From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Mon, 26 Sep 2016 19:48:36 +0300
|
||||
Subject: [PATCH] Use system crypto policy by default
|
||||
|
||||
---
|
||||
raddb/mods-available/eap | 2 +-
|
||||
raddb/mods-available/inner-eap | 2 +-
|
||||
raddb/sites-available/abfab-tls | 2 +-
|
||||
raddb/sites-available/tls | 4 ++--
|
||||
4 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
||||
index 94494b2c6..9a8dc9327 100644
|
||||
--- a/raddb/mods-available/eap
|
||||
+++ b/raddb/mods-available/eap
|
||||
@@ -323,7 +323,7 @@ eap {
|
||||
#
|
||||
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||
#
|
||||
- cipher_list = "DEFAULT"
|
||||
+ cipher_list = "PROFILE=SYSTEM"
|
||||
|
||||
# If enabled, OpenSSL will use server cipher list
|
||||
# (possibly defined by cipher_list option above)
|
||||
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
|
||||
index 2b4df6267..af9aa88cd 100644
|
||||
--- a/raddb/mods-available/inner-eap
|
||||
+++ b/raddb/mods-available/inner-eap
|
||||
@@ -68,7 +68,7 @@ eap inner-eap {
|
||||
# certificates. If so, edit this file.
|
||||
ca_file = ${cadir}/ca.pem
|
||||
|
||||
- cipher_list = "DEFAULT"
|
||||
+ cipher_list = "PROFILE=SYSTEM"
|
||||
|
||||
# You may want to set a very small fragment size.
|
||||
# The TLS data here needs to go inside of the
|
||||
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
|
||||
index 5dbe143da..46b5fea78 100644
|
||||
--- a/raddb/sites-available/abfab-tls
|
||||
+++ b/raddb/sites-available/abfab-tls
|
||||
@@ -19,7 +19,7 @@ listen {
|
||||
dh_file = ${certdir}/dh
|
||||
fragment_size = 8192
|
||||
ca_path = ${cadir}
|
||||
- cipher_list = "DEFAULT"
|
||||
+ cipher_list = "PROFILE=SYSTEM"
|
||||
|
||||
cache {
|
||||
enable = no
|
||||
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
|
||||
index cf1cd7a8a..7dd59cb6f 100644
|
||||
--- a/raddb/sites-available/tls
|
||||
+++ b/raddb/sites-available/tls
|
||||
@@ -197,7 +197,7 @@ listen {
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
- cipher_list = "DEFAULT"
|
||||
+ cipher_list = "PROFILE=SYSTEM"
|
||||
|
||||
# If enabled, OpenSSL will use server cipher list
|
||||
# (possibly defined by cipher_list option above)
|
||||
@@ -499,7 +499,7 @@ home_server tls {
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
- cipher_list = "DEFAULT"
|
||||
+ cipher_list = "PROFILE=SYSTEM"
|
||||
}
|
||||
|
||||
}
|
||||
--
|
||||
2.13.2
|
||||
|
42
SOURCES/freeradius-listen-ipv6-fix.patch
Normal file
42
SOURCES/freeradius-listen-ipv6-fix.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Mon, 22 Apr 2019 14:38:19 -0400
|
||||
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
|
||||
|
||||
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
|
||||
which effectively result in a listen.ipaddr only allowing hostnames to
|
||||
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
|
||||
it'll bail with the error message:
|
||||
|
||||
radiusd: #### Opening IP addresses and Ports ####
|
||||
listen {
|
||||
type = "auth"
|
||||
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
|
||||
Name or service not known
|
||||
|
||||
This directly contradicts the language in the default configuration
|
||||
file, so support resolving both IPv4-only and IPv6-only hostnames.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/misc.c | 7 -------
|
||||
1 file changed, 7 deletions(-)
|
||||
|
||||
diff --git a/src/lib/misc.c b/src/lib/misc.c
|
||||
index dff21e33f7..5520d8a0a4 100644
|
||||
--- a/src/lib/misc.c
|
||||
+++ b/src/lib/misc.c
|
||||
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
|
||||
fr_strerror_printf("Invalid address");
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
- /*
|
||||
- * Fall through to resolving the address, using
|
||||
- * whatever address family they prefer. If they
|
||||
- * don't specify an address family, force IPv4.
|
||||
- */
|
||||
- if (af == AF_UNSPEC) af = AF_INET;
|
||||
}
|
||||
|
||||
/*
|
57
SOURCES/freeradius-logrotate
Normal file
57
SOURCES/freeradius-logrotate
Normal file
@ -0,0 +1,57 @@
|
||||
# You can use this to rotate the /var/log/radius/* files, simply copy
|
||||
# it to /etc/logrotate.d/radiusd
|
||||
|
||||
# There are different detail-rotating strategies you can use. One is
|
||||
# to write to a single detail file per IP and use the rotate config
|
||||
# below. Another is to write to a daily detail file per IP with:
|
||||
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
|
||||
# (or similar) in radiusd.conf, without rotation. If you go with the
|
||||
# second technique, you will need another cron job that removes old
|
||||
# detail files. You do not need to comment out the below for method #2.
|
||||
/var/log/radius/radacct/*/detail {
|
||||
monthly
|
||||
rotate 4
|
||||
nocreate
|
||||
missingok
|
||||
compress
|
||||
su radiusd radiusd
|
||||
}
|
||||
|
||||
/var/log/radius/checkrad.log {
|
||||
monthly
|
||||
rotate 4
|
||||
create
|
||||
missingok
|
||||
compress
|
||||
su radiusd radiusd
|
||||
}
|
||||
|
||||
|
||||
/var/log/radius/radius.log {
|
||||
monthly
|
||||
rotate 4
|
||||
create
|
||||
missingok
|
||||
compress
|
||||
su radiusd radiusd
|
||||
postrotate
|
||||
/usr/bin/systemctl reload-or-try-restart radiusd
|
||||
endscript
|
||||
}
|
||||
|
||||
/var/log/radius/radwtmp {
|
||||
monthly
|
||||
rotate 4
|
||||
create
|
||||
compress
|
||||
missingok
|
||||
su radiusd radiusd
|
||||
}
|
||||
/var/log/radius/sqltrace.sql {
|
||||
monthly
|
||||
rotate 4
|
||||
create
|
||||
compress
|
||||
missingok
|
||||
su radiusd radiusd
|
||||
}
|
94
SOURCES/freeradius-man-Fix-some-typos.patch
Normal file
94
SOURCES/freeradius-man-Fix-some-typos.patch
Normal file
@ -0,0 +1,94 @@
|
||||
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 11:53:28 +0300
|
||||
Subject: [PATCH] man: Fix some typos
|
||||
|
||||
---
|
||||
man/man5/radrelay.conf.5 | 2 +-
|
||||
man/man5/rlm_files.5 | 2 +-
|
||||
man/man5/unlang.5 | 8 ++++----
|
||||
man/man8/radrelay.8 | 2 +-
|
||||
4 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
|
||||
index 5fb38bfc4e..e3e665024b 100644
|
||||
--- a/man/man5/radrelay.conf.5
|
||||
+++ b/man/man5/radrelay.conf.5
|
||||
@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
|
||||
backup server. When the primary goes down, most NASes detect that and
|
||||
switch to the backup server.
|
||||
|
||||
-That will cause your accounting packets to go the the backup server -
|
||||
+That will cause your accounting packets to go to the backup server -
|
||||
and some NASes don't even switch back to the primary server when it
|
||||
comes back up.
|
||||
|
||||
diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
|
||||
index bfee5030ff..52f4734ae3 100644
|
||||
--- a/man/man5/rlm_files.5
|
||||
+++ b/man/man5/rlm_files.5
|
||||
@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
|
||||
perform per-group checks, and return per-group attributes, where the
|
||||
group membership is dynamically defined by a previous module. It also
|
||||
lets you do things like key off of attributes in the reply, and
|
||||
-express policies like like "when I send replies containing attribute
|
||||
+express policies like "when I send replies containing attribute
|
||||
FOO with value BAR, do more checks, and maybe send additional
|
||||
attributes".
|
||||
.SH CONFIGURATION
|
||||
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
|
||||
index 76db8f2d1c..12fe7855b2 100644
|
||||
--- a/man/man5/unlang.5
|
||||
+++ b/man/man5/unlang.5
|
||||
@@ -36,7 +36,7 @@ the pre-defined keywords here.
|
||||
|
||||
Subject to a few limitations described below, any keyword can appear
|
||||
in any context. The language consists of a series of entries, each
|
||||
-one one line. Each entry begins with a keyword. Entries are
|
||||
+one line. Each entry begins with a keyword. Entries are
|
||||
organized into lists. Processing of the language is line by line,
|
||||
from the start of the list to the end. Actions are executed
|
||||
per-keyword.
|
||||
@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below. The match is
|
||||
then performed on the string returned from the expansion. If the
|
||||
argument is an attribute reference (e.g. &User-Name), then the match
|
||||
is performed on the value of that attribute. Otherwise, the argument
|
||||
-is taken to be a literal string, and and matching is done via simple
|
||||
+is taken to be a literal string, and matching is done via simple
|
||||
comparison.
|
||||
|
||||
No statement other than "case" can appear in a "switch" block.
|
||||
@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below. The match is
|
||||
then performed on the string returned from the expansion. If the
|
||||
argument is an attribute reference (e.g. &User-Name), then the match
|
||||
is performed on the value of that attribute. Otherwise, the argument
|
||||
-is taken to be a literal string, and and matching is done via simple
|
||||
+is taken to be a literal string, and matching is done via simple
|
||||
comparison.
|
||||
|
||||
.DS
|
||||
@@ -799,7 +799,7 @@ regular expression. If no attribute matches, nothing else is done.
|
||||
The value can be an attribute reference, or an attribute-specific
|
||||
string.
|
||||
|
||||
-When the value is an an attribute reference, it must take the form of
|
||||
+When the value is an attribute reference, it must take the form of
|
||||
"&Attribute-Name". The leading "&" signifies that the value is a
|
||||
reference. The "Attribute-Name" is an attribute name, such as
|
||||
"User-Name" or "request:User-Name". When an attribute reference is
|
||||
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
|
||||
index fdba6995d5..99e65732a2 100644
|
||||
--- a/man/man8/radrelay.8
|
||||
+++ b/man/man8/radrelay.8
|
||||
@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
|
||||
backup server. When the primary goes down, most NASes detect that and
|
||||
switch to the backup server.
|
||||
|
||||
-That will cause your accounting packets to go the the backup server -
|
||||
+That will cause your accounting packets to go to the backup server -
|
||||
and some NASes don't even switch back to the primary server when it
|
||||
comes back up.
|
||||
|
||||
--
|
||||
2.18.0
|
||||
|
6
SOURCES/freeradius-pam-conf
Normal file
6
SOURCES/freeradius-pam-conf
Normal file
@ -0,0 +1,6 @@
|
||||
#%PAM-1.0
|
||||
auth include password-auth
|
||||
account required pam_nologin.so
|
||||
account include password-auth
|
||||
password include password-auth
|
||||
session include password-auth
|
64
SOURCES/freeradius-python2-shebangs.patch
Normal file
64
SOURCES/freeradius-python2-shebangs.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Thu, 18 Oct 2018 12:40:53 -0400
|
||||
Subject: [PATCH] Clarify shebangs to be python2
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
scripts/radtee | 2 +-
|
||||
src/modules/rlm_python/example.py | 2 +-
|
||||
src/modules/rlm_python/prepaid.py | 2 +-
|
||||
src/modules/rlm_python/radiusd.py | 2 +-
|
||||
src/modules/rlm_python/radiusd_test.py | 2 +-
|
||||
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/scripts/radtee b/scripts/radtee
|
||||
index 123769d244..78b4bcbe0b 100755
|
||||
--- a/scripts/radtee
|
||||
+++ b/scripts/radtee
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/env python
|
||||
+#!/usr/bin/env python2
|
||||
from __future__ import with_statement
|
||||
|
||||
# RADIUS comparison tee v1.0
|
||||
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
|
||||
index 5950a07678..eaf456e349 100644
|
||||
--- a/src/modules/rlm_python/example.py
|
||||
+++ b/src/modules/rlm_python/example.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Python module example file
|
||||
# Miguel A.L. Paraz <mparaz@mparaz.com>
|
||||
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
|
||||
index c3cbf57b8f..3b1dc2e2e8 100644
|
||||
--- a/src/modules/rlm_python/prepaid.py
|
||||
+++ b/src/modules/rlm_python/prepaid.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Example Python module for prepaid usage using MySQL
|
||||
|
||||
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
|
||||
index c535bb3caf..7129923994 100644
|
||||
--- a/src/modules/rlm_python/radiusd.py
|
||||
+++ b/src/modules/rlm_python/radiusd.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Definitions for RADIUS programs
|
||||
#
|
||||
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
|
||||
index 13b7128b29..97b5b64f08 100644
|
||||
--- a/src/modules/rlm_python/radiusd_test.py
|
||||
+++ b/src/modules/rlm_python/radiusd_test.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Python module test
|
||||
# Miguel A.L. Paraz <mparaz@mparaz.com>
|
1
SOURCES/freeradius-tmpfiles.conf
Normal file
1
SOURCES/freeradius-tmpfiles.conf
Normal file
@ -0,0 +1 @@
|
||||
D /var/run/radiusd 0710 radiusd radiusd -
|
15
SOURCES/radiusd.service
Normal file
15
SOURCES/radiusd.service
Normal file
@ -0,0 +1,15 @@
|
||||
[Unit]
|
||||
Description=FreeRADIUS high performance RADIUS server.
|
||||
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
PIDFile=/var/run/radiusd/radiusd.pid
|
||||
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
||||
ExecStartPre=/usr/sbin/radiusd -C
|
||||
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
||||
ExecReload=/usr/sbin/radiusd -C
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
2403
SPECS/freeradius.spec
Normal file
2403
SPECS/freeradius.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user