import freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
eeb70b2805
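--- a/.freeradius.metadata
+++ b/.freeradius.metadata
@@ -0,0 +1 @@
+3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2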
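--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/freeradius-server-3.0.20.tar.bz2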
@ -0,0 +1,60 @@
|
||||
From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Mon, 8 Sep 2014 12:32:13 +0300
|
||||
Subject: [PATCH] Adjust configuration to fit Red Hat specifics
|
||||
|
||||
---
|
||||
raddb/mods-available/eap | 4 ++--
|
||||
raddb/radiusd.conf.in | 7 +++----
|
||||
2 files changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
||||
index 2621e183c..94494b2c6 100644
|
||||
--- a/raddb/mods-available/eap
|
||||
+++ b/raddb/mods-available/eap
|
||||
@@ -533,7 +533,7 @@
|
||||
# You should also delete all of the files
|
||||
# in the directory when the server starts.
|
||||
#
|
||||
- # tmpdir = /tmp/radiusd
|
||||
+ # tmpdir = /var/run/radiusd/tmp
|
||||
|
||||
# The command used to verify the client cert.
|
||||
# We recommend using the OpenSSL command-line
|
||||
@@ -548,7 +548,7 @@
|
||||
# deleted by the server when the command
|
||||
# returns.
|
||||
#
|
||||
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
|
||||
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
|
||||
}
|
||||
|
||||
# OCSP Configuration
|
||||
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
|
||||
index a83c1f687..e500cf97b 100644
|
||||
--- a/raddb/radiusd.conf.in
|
||||
+++ b/raddb/radiusd.conf.in
|
||||
@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
run_dir = ${localstatedir}/run/${name}
|
||||
|
||||
-# Should likely be ${localstatedir}/lib/radiusd
|
||||
-db_dir = ${raddbdir}
|
||||
+db_dir = ${localstatedir}/lib/radiusd
|
||||
|
||||
#
|
||||
# libdir: Where to find the rlm_* modules.
|
||||
@@ -398,8 +397,8 @@ security {
|
||||
# member. This can allow for some finer-grained access
|
||||
# controls.
|
||||
#
|
||||
-# user = radius
|
||||
-# group = radius
|
||||
+ user = radiusd
|
||||
+ group = radiusd
|
||||
|
||||
# Core dumps are a bad thing. This should only be set to
|
||||
# 'yes' if you're debugging a problem with the server.
|
||||
--
|
||||
2.13.2
|
||||
|
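--- a/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
+++ b/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
@@ -0,0 +1,86 @@
+From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 10:16:31 -0400
+Subject: [PATCH] Use system-provided crypto-policies by default
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+raddb/mods-available/eap | 4 ++--
+raddb/mods-available/inner-eap | 2 +-
+raddb/sites-available/abfab-tls | 2 +-
+raddb/sites-available/tls | 4 ++--
+4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 36849e10f2..b28c0f19c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -368,7 +368,7 @@ eap {
+#
+# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+#
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+# If enabled, OpenSSL will use server cipher list
+# (possibly defined by cipher_list option above)
+@@ -912,7 +912,7 @@ eap {
+# Note - for OpenSSL 1.1.0 and above you may need
+# to add ":@SECLEVEL=0"
+#
+- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
++ # cipher_list = "PROFILE=SYSTEM"
+
+# PAC lifetime in seconds (default: seven days)
+#
+diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
+index 576eb7739e..ffa07188e2 100644
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -77,7 +77,7 @@ eap inner-eap {
+# certificates. If so, edit this file.
+ca_file = ${cadir}/ca.pem
+
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+# You may want to set a very small fragment size.
+# The TLS data here needs to go inside of the
+diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
+index 92f1d6330e..cd69b3905a 100644
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -19,7 +19,7 @@ listen {
+dh_file = ${certdir}/dh
+fragment_size = 8192
+ca_path = ${cadir}
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+cache {
+enable = no
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index bbc761b1c5..83cd35b851 100644
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -215,7 +215,7 @@ listen {
+# Set this option to specify the allowed
+# TLS cipher suites. The format is listed
+# in "man 1 ciphers".
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+# If enabled, OpenSSL will use server cipher list
+# (possibly defined by cipher_list option above)
+@@ -517,7 +517,7 @@ home_server tls {
+# Set this option to specify the allowed
+# TLS cipher suites. The format is listed
+# in "man 1 ciphers".
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+}
+
+}
+--
+2.21.0
+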
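Review bot: `cipher_list = "PROFILE=SYSTEM"` is only a valid cipher string for an OpenSSL that carries the Fedora/RHEL crypto-policies patch; an unpatched OpenSSL rejects it, so every TLS listener touched here (eap, inner-eap, abfab-tls, tls) would fail to start on such a build, which makes this patch distribution-specific rather than upstreamable as-is. In the `@@ -912,7 +912,7 @@ eap {` hunk the commented EAP-FAST example is changed to `PROFILE=SYSTEM` while the unchanged context in the first hunk still advises `# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"` and the preceding lines still talk about adding `":@SECLEVEL=0"`, so the surrounding guidance now contradicts the example. A one-line comment above the first changed `cipher_list`, e.g. `# PROFILE=SYSTEM defers cipher selection to the system-wide crypto policy; requires the crypto-policies-aware OpenSSL`, would make the dependency explicit to anyone editing the file.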
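--- a/SOURCES/freeradius-bootstrap-create-only.patch
+++ b/SOURCES/freeradius-bootstrap-create-only.patch
@@ -0,0 +1,103 @@
+From d38836ca4158b42c27f4d7f474e64f4f10aed16d Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 10:29:08 -0400
+Subject: [PATCH] Don't clobber existing files on bootstrap
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+raddb/certs/bootstrap | 39 ++++++++++++---------------------------
+1 file changed, 12 insertions(+), 27 deletions(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..be81a2d697 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -13,17 +13,6 @@
+umask 027
+cd `dirname $0`
+
+-make -h > /dev/null 2>&1
+-
+-#
+-# If we have a working "make", then use it. Otherwise, run the commands
+-# manually.
+-#
+-if [ "$?" = "0" ]; then
+- make all
+- exit $?
+-fi
+-
+#
+# The following commands were created by running "make -n", and edited
+# to remove the trailing backslash, and to add "exit 1" after the commands.
+@@ -31,52 +20,51 @@ fi
+# Don't edit the following text. Instead, edit the Makefile, and
+# re-generate these commands.
+#
+-if [ ! -f dh ]; then
++if [ ! -e dh ]; then
+openssl dhparam -out dh 2048 || exit 1
+- if [ -e /dev/urandom ] ; then
+- ln -sf /dev/urandom random
+- else
+- date > ./random;
+- fi
++ ln -sf /dev/urandom random
+fi
+
+-if [ ! -f server.key ]; then
++if [ ! -e server.key ]; then
+openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
+fi
+
+-if [ ! -f ca.key ]; then
++if [ ! -e ca.key ]; then
+openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+fi
+
+-if [ ! -f index.txt ]; then
++if [ ! -e index.txt ]; then
+touch index.txt
+fi
+
+-if [ ! -f serial ]; then
++if [ ! -e serial ]; then
+echo '01' > serial
+fi
+
+-if [ ! -f server.crt ]; then
++if [ ! -e server.crt ]; then
+openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
+fi
+
+-if [ ! -f server.p12 ]; then
++if [ ! -e server.p12 ]; then
+openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+fi
+
+-if [ ! -f server.pem ]; then
++if [ ! -e server.pem ]; then
+openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+openssl verify -CAfile ca.pem server.pem || exit 1
+fi
+
+-if [ ! -f ca.der ]; then
++if [ ! -e ca.der ]; then
+openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
+fi
+
+-if [ ! -f client.key ]; then
++if [ ! -e client.key ]; then
+openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+fi
+
+-if [ ! -f client.crt ]; then
++if [ ! -e client.crt ]; then
+openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+fi
++
++chown root:radiusd dh ca.* client.* server.*
++chmod 644 dh ca.* client.* server.*
+--
+2.21.0
+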
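Review bot: The new `chmod 644 dh ca.* client.* server.*` at the end of the bootstrap hunk makes `ca.key`, `server.key` and `client.key` (and the `server.p12`/`server.pem` bundles, which carry the server key) world-readable, undoing the `umask 027` the script sets at its top; the CA signing key in particular should not be readable beyond root and the `radiusd` group. Tighten the key material after the blanket chmod, e.g. `chmod 640 ca.key server.key client.key server.p12 server.pem`, and keep 644 only for the public certificates and `dh`. The `chown root:radiusd` line succeeds only when the script runs as root and the `radiusd` group exists, and neither it nor the chmod has the `|| exit 1` the rest of the script uses, so a failed ownership change goes unnoticed. `ln -sf /dev/urandom random` is now unconditional, which drops the old fallback for systems without `/dev/urandom`; fine for Linux packaging, but worth a one-line comment saying so.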
1955
SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
Normal file
1955
SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
Normal file
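--- a/SOURCES/freeradius-logrotate
+++ b/SOURCES/freeradius-logrotate
@@ -0,0 +1,57 @@
+# You can use this to rotate the /var/log/radius/* files, simply copy
+# it to /etc/logrotate.d/radiusd
+
+# There are different detail-rotating strategies you can use. One is
+# to write to a single detail file per IP and use the rotate config
+# below. Another is to write to a daily detail file per IP with:
+# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation. If you go with the
+# second technique, you will need another cron job that removes old
+# detail files. You do not need to comment out the below for method #2.
+/var/log/radius/radacct/*/detail {
+monthly
+rotate 4
+nocreate
+missingok
+compress
+su radiusd radiusd
+}
+
+/var/log/radius/checkrad.log {
+monthly
+rotate 4
+create
+missingok
+compress
+su radiusd radiusd
+}
+
+
+/var/log/radius/radius.log {
+monthly
+rotate 4
+create
+missingok
+compress
+su radiusd radiusd
+postrotate
+/usr/bin/systemctl reload-or-try-restart radiusd
+endscript
+}
+
+/var/log/radius/radwtmp {
+monthly
+rotate 4
+create
+compress
+missingok
+su radiusd radiusd
+}
+/var/log/radius/sqltrace.sql {
+monthly
+rotate 4
+create
+compress
+missingok
+su radiusd radiusd
+}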
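Review bot: Only the `/var/log/radius/radius.log` stanza has a `postrotate` that signals radiusd; `/var/log/radius/radwtmp` and `/var/log/radius/sqltrace.sql` use `create` with no reload, so if the server keeps either file open between writes it continues writing to the renamed file and the newly created one stays empty until the next restart. Either add the same `postrotate` / `/usr/bin/systemctl reload-or-try-restart radiusd` / `endscript` block to those two stanzas or switch them to `copytruncate`. Whether radiusd holds these files open cannot be confirmed from this file, so check the writing modules' behaviour before choosing. An explicit `create 0640 radiusd radiusd` would also state the intended permissions of the new log files instead of inheriting whatever mode the rotated file happened to have.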
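--- a/SOURCES/freeradius-no-buildtime-cert-gen.patch
+++ b/SOURCES/freeradius-no-buildtime-cert-gen.patch
@@ -0,0 +1,104 @@
+From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 12:58:02 -0400
+Subject: [PATCH] Don't generate certificates in reproducible builds
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+Make.inc.in | 5 +++++
+configure | 4 ++++
+configure.ac | 3 +++
+raddb/all.mk | 4 ++++
+4 files changed, 16 insertions(+)
+
+diff --git a/Make.inc.in b/Make.inc.in
+index 0b2cd74de8..8c623cf95c 100644
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -173,3 +173,8 @@ else
+TESTBINDIR = ./$(BUILD_DIR)/bin
+TESTBIN = ./$(BUILD_DIR)/bin
+endif
++
++#
++# With reproducible builds, do not generate certificates during installation
++#
++ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
+diff --git a/configure b/configure
+index c2c599c92b..3d4403a844 100755
+--- a/configure
++++ b/configure
+@@ -655,6 +655,7 @@ RUSERS
+SNMPWALK
+SNMPGET
+PERL
++ENABLE_REPRODUCIBLE_BUILDS
+openssl_version_check_config
+WITH_DHCP
+modconfdir
+@@ -5586,6 +5587,7 @@ else
+fi
+
+
++ENABLE_REPRODUCIBLE_BUILDS=yes
+# Check whether --enable-reproducible-builds was given.
+if test "${enable_reproducible_builds+set}" = set; then :
+enableval=$enable_reproducible_builds; case "$enableval" in
+@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
+;;
+*)
+reproducible_builds=no
++ ENABLE_REPRODUCIBLE_BUILDS=no
+esac
+
+fi
+@@ -5604,6 +5607,7 @@ fi
+
+
+
++
+CHECKRAD=checkrad
+# Extract the first word of "perl", so it can be a program name with args.
+set dummy perl; ac_word=$2
+diff --git a/configure.ac b/configure.ac
+index a7abf0025a..35b013f4af 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
+dnl #
+dnl # extra argument: --enable-reproducible-builds
+dnl #
++ENABLE_REPRODUCIBLE_BUILDS=yes
+AC_ARG_ENABLE(reproducible-builds,
+[AS_HELP_STRING([--enable-reproducible-builds],
+[ensure the build does not change each time])],
+@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
+;;
+*)
+reproducible_builds=no
++ ENABLE_REPRODUCIBLE_BUILDS=no
+esac ]
+)
++AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
+
+
+dnl #############################################################
+diff --git a/raddb/all.mk b/raddb/all.mk
+index c966edd657..c8e976a499 100644
+--- a/raddb/all.mk
++++ b/raddb/all.mk
+@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
+ifneq "$(LOCAL_CERT_PRODUCTS)" ""
+$(LOCAL_CERT_PRODUCTS):
+@echo BOOTSTRAP raddb/certs/
++ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
++ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
++else
+@$(MAKE) -C $(R)$(raddbdir)/certs/
++endif
+
+# Bootstrap is special
+$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
+--
+2.21.0
+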
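Review bot: Under `ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"` the recipe for `$(LOCAL_CERT_PRODUCTS):` in the raddb/all.mk hunk only builds `passwords.mk`, so it never produces the files it is the rule for; those targets stay missing, the rule re-runs on every install, and anything else that lists the products as a prerequisite will see them absent. Either keep the rule honest by moving the `ifeq` around the whole rule (or excluding the products from `LOCAL_CERT_PRODUCTS` when reproducible builds are on), or at least state the intent in a comment such as `# Reproducible builds: only passwords.mk is generated here, certificate files are deliberately not produced at install time`. Since the rendered page has lost indentation, confirm in the real file that `ifeq`, `else` and `endif` start at column 0 — tab-indented they would be handed to the shell as recipe text. In the `configure` and `configure.ac` hunks `ENABLE_REPRODUCIBLE_BUILDS=yes` is assigned before the option is examined, so the Make variable defaults to `yes` even when `--enable-reproducible-builds` was never passed; the default of the sibling `reproducible_builds` shell variable lies outside the hunk, so whether the two agree cannot be verified from here.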
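--- a/SOURCES/freeradius-pam-conf
+++ b/SOURCES/freeradius-pam-conf
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include password-auth
+account required pam_nologin.so
+account include password-auth
+password include password-auth
+session include password-auth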
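--- a/SOURCES/freeradius-tmpfiles.conf
+++ b/SOURCES/freeradius-tmpfiles.conf
@@ -0,0 +1 @@
+D /run/radiusd 0710 radiusd radiusd -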
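--- a/SOURCES/radiusd.service
+++ b/SOURCES/radiusd.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target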
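Review bot: `ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd` duplicates what `SOURCES/freeradius-tmpfiles.conf` in this same commit already establishes (`D /run/radiusd 0710 radiusd radiusd -`), and the leading `-` hides any failure, so the line is a root-run recursive chown over a directory the service user writes to, for no gain; drop it, or if it must stay use the `radiusd:radiusd` form, since the dot separator is deprecated. `PIDFile=/var/run/radiusd/radiusd.pid` should likewise read `PIDFile=/run/radiusd/radiusd.pid` so the unit and the tmpfiles entry name the same path. `After=syslog.target` is obsolete on journald-based systems and can be removed. The unit has no sandboxing at all; `PrivateTmp=yes` and `ProtectSystem=full` are worth evaluating, bearing in mind that radiusd drops privileges itself through the `user = radiusd` / `group = radiusd` settings this import patches into radiusd.conf rather than via `User=` here.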
2437
SPECS/freeradius.spec
Normal file
2437
SPECS/freeradius.spec
Normal file