![[BACK]](/icons/back.gif){kind=icon}
Up to [NetBSD + pkgsrc-wip] / pkgsrc / net / freeradius
Request diff between arbitrary revisions - Display revisions graphically
Keyword substitution: kv
Default branch: MAIN
Changes 1.1.8: Bug fixes: Fix crash (memcpy with length -1) when invalid Tunnel-Password attributes are received.
Remove @dirrm entries from PLISTs
Update to 1.1.7 Feature Improvements * Updated LDAP documentation. * Added note on DH parameters in eap.conf, and debugging messages which complain if DH is used, but not configured properly. * Updated the Mikrotik dictionary. Added a note that the sample dictionary they supply is broken. * Output more information on blocked threads, which should help narrow down which modules is causing the problem. * Added more eDirectory support. * rlm_ldap now prints out attributes in the standard format * Enabled server-side handling of procedures in MySQL Bug Fixes * Added NT-Hash support for mschap_xlat. * Corrected documentation to point to correct location of files. * Checks for more recent FreeBSD versions. * uses -DLDAP_DEPRECATED to avoid OpenLDAP crashes. * Use correct value for authentication name in rlm_mschap. * Fix over-ride for usernames when use_tunneled_reply = yes.
Update to 1.1.6 Feature Improvements * Added more dictionaries Bug Fixes * Corrected typo in rlm_pap.c (closes #440) * Corrected typo in src/main/auth.c (closes #437) * Suppress SSL error messages if error is zero. (closes #436) * Don't complain about "Error in read client certificate A" if we expect to read it in the next packet. Fix based on patch by Dan Lukes. * Corrected nearly 30 bugs found by Coverity See also http://scan.coverity.com * Don't die on HUP. Instead leak memory (sorry). After a few hundred HUP's, the server will have leaked a few megabytes of memory, and you should probably re-start it. It's ugly, but better than dying. (Closes #426) * Corrected a few double free's * Corrected typo in radrelay, which prevented it from working * Made Firebird module build * Fixed bug in PostgreSQL module that caused server crash. * Fixed bug in SQL module that could cause server to crash.
Update to 1.1.5 2006.03.05 Version 1.1.5 has been released. The focus of this release is stability. Feature Improvements * Added more dictionaries * Dictionary files now MUST NOT be globally writable. * Configuration files now MUST NOT be globally writable. * Be more aggressive about freeing memory on clean exit. * Updated rlm_python. * Added another experimental SQL IP Pool module Bug Fixes * Corrected base64 decoding in rlm_pap * Don't retransmit accounting packets. The NAS should do this. * Handle Client-Error in EAP-SIM. (Closes #419) * Port OpenSSL locking fixes from CVS head. This makes PEAP more stable on i some systems. * Require Message-Authenticator in Status-Server packets. * Correct Tunnel-Medium-Type VALUEs in dictionary.rfc2868. * Increase buffer size for dynamic expansion, which allows longer SQL queries. (Closes #405) * Use correct line number when there's a parse error in one of the configuration sections. (Closes #421) * Terminate SSL sessions in EAP on error, rather than continuing in some cases. * Increase buffer size to allow parsing of long octet strings, * Fix string termination on xlat in rlm_perl.
Update to 1.1.4 * Major enhancements to rlm_pap, that make "encryption_scheme" a think of the past. See "man rlm_pap" for details. * Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use work-arounds that enable Windows Vista clients to work. * Added preliminary code to support Firebird. Use at your own risk! * Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more platforms. * Add a new "reply-name" directive in rlm_sqlcounter to define the name of the reply attribute. * Added more dictionaries and attributes * Print ntlm_auth failure reason in Module-Failure-Message * radsqlrelay is able to get the DB password from a file instead of command line. Bug fixes * Fix a parse error in the digest module, where malformed digest requests would result in the user being accepted. Oops... * VALUEs can only be defined for 'integer', to catch mistakes with setting VALUEs for type 'string'. * Better parsing of VALUE names, so that values starting with a digit work correctly. * Check return from malloc * Fix a double free() in rlm_eap_tls.c * Check return code of malloc() during initialization. * Fix a corner case where the proxy port isn't set either in radiusd.conf or in proxy.conf.
Update to 1.1.3: This version has been released to fix build issues in 1.1.2. The build tools (autoconf, libtool, libltld) have been upgraded to a recent version, and the server now builds "out of the box" on more platforms. Other fixes include: * More dictionary updates * Oracle support for radsqlrelay * Security and portability fixes to rlm_otp * Experimental module to store IP's in an SQL table. * Miscellaneous bug fixes
Add in PAM support Fix mySQL PLIST Fix all PLISTs to avoid a nightmare when the nb number is changed Bump to nb1
Update to 1.1.2 * Updated dictionaries (as always), * Extended Ascend "abinary" support for Juniper, * Configurable "cipher_list" for EAP methods that use TLS, * Additional checks on cert issuer validation for EAP methods that use TLS, * SQL IODBC bug fixes, * Updates to the LDAP module, * Better catching of errors in the config files, * Miscellaneous other fixes In addition to this add an extra option to options.mk which is "freeradius-simul-use". This will enable Simultaneous-Use and is enabled by default. If you disable it freeradius can be built without depending on the net-snmp package. Original idea from John Nemeth.
Add missing files to PLIST. Fix interpreter path in bin/radsqlrelay. Bump revision.
Use libtool PLIST handling, it works now. Add some missing symlinks for libtool archives, remove the .a and .so entries. Bump revision. Add DragonFly detection for shared libraries. Always try to find -lssl with -lcrypto, unbreaking the test at least on DragonFly, but should not harm elsewhere.
Remove some old hacks that are no longer needed Use our libtool Update to 1.1.1 Fixes security issue (DoS): http://secunia.com/advisories/19300/ > Security fixes > * Additional state checking in the EAP-MSCHAPv2 module. > Bug found by Steffen Schuster. > > Feature improvements > * More dictionary updates > * Additional tests and fixes for Digest module from Phillipe Sultan. > * Add new "phone" response mode to rlm_otp/cryptocard. > * Put the eap sessions into a tree, so that looking them up is very > fast, and no longer O(n) in the number of sessions. > * Install the schema examples for a set of backends with the rest > of the documentation. > * Add support for xlat expansion of attributes from LDAP. > > Bug fixes > * Fix rlm_perl crash. (closes: #348) > * Fix handling of CoA-Request packets (close #344). Also correct > name of CoA packets. > * Fix an error on x86_64 machines when reading dictionaries. > (closes: #312) > * Fix compilation errors on FreeBSD and NetBSD because of rlm_otp > module. (closes: #314 #328) > * Workaround Cisco bug in State attribute handling in rlm_otp. > * Support LP64 for async mode in rlm_otp. > * Fix libtool problems on Debian with rlm_eap_peap and rlm_eap_ttls > modules. (closes: #75) > * Make "use_tunneled_reply" work properly for PEAP. > * Copy the whole string when getting a one-to-one-mapped attribute > from LDAP (closes: #261) > * Fix net-snmp's ucd-snmp compatibility mode.
Update to 1.1.0
> FreeRADIUS 1.1.0 ; $Date: 2006/01/04 05:55:19 $, urgency=low
> Feature improvements
> * rlm_ldap has "set_auth_type" configuration option, which should
> address some configuration problems when using it.
> * Fix MIT Kerberos bug
> * Modules can be load balanced, both in isolation and redundantly.
> See doc/load-balance.txt for more information.
> * rlm_perl is now marked "stable"
> * N-tier certificate patch from Mohammed Petiwala.
> * Copied dictionaries from the CVS head (many, many, more vendors)
> * Enabled support for weird VSA formats, like Lucent and Starent.
> * Support encrypted IP address and integers, for Juniper clients.
> * Add PEAP machine authentication support in module "rlm_mschap".
> * Support User-Password field encryption in digest mode.
> * rlm_x99_token has become rlm_otp (with lots of changes).
> * Add rlm_sqlcounter to the list of stable modules.
> * Read MySQL specific options in sections [freeradius] and [client]
> from file "my.cnf".
> * Support the ${Cisco-AVPair[n]} syntax.
> * Execute modules in {Pre,Post}-Proxy-Type stanzas.
> * Add new options to radclient to run stress tests on the server.
> * New module "rlm_sql_log" to postpone the storage of accounting data
> in a SQL database. See rlm_sql_log(5) manpage.
> * New program "radsqlrelay" which sends the SQL logfile according to
> the SQL server's capabilities.
>
> Bug fixes
> * 306 (HUP when built with threads, but executed with -s)
> * 285 (more attributes in dictionary.cisco.vpn3000)
> * rlm_digest has a number of bug fixes to authentication types.
> * Don't leak memory in module "rlm_sql".
> * Update the dictionaries, so that VALUEs with the same name,
> but different numbers, aren't allowed.
> * Queue the request before looking for available threads.
> * Don't free the check items after we received the proxy reply.
> * Expand config variables in included files, too.
> * Check the return value of accounting modules and don't proxy
> invalid requests.
> * In rlm_passwd, don't close a file stream more than once.
> * Fix format string errors in rlm_sql.c, spotted by Primoz Bratanic.
> * Walk the whole string in when escaping strings in rlm_ldap.
> * Include crypt.h if it is available so we get a prototype for crypt(),
> spotted by Konstantin Kubatkin.
> * Removed (for almost all uses) length restrictions on vendor names
> and VALUE names.
> * Don't leak memory when proxying an Access-Challenge response.
> * Make the sleep time user-defined, so radrelay can send more than
> 7 requests/s.
> * Fix a memory leak in rlm_checkval.
> * radclient doesn't resend countless times packets with invalid
> signature.
> * Fix segfault and mem leak in rlm_pam.
Update to 1.0.5 > Security Fixes > * SQL injection attack in the module "rlm_sqlcounter". > * Buffer overflows in the module "rlm_sqlcounter". > * Expansion of variable %t may write 26 bytes beyond the buffer > bound. Primoz Bratanic is credited with the discovery of these > three bugs. > > Bug fixes > * Don't de-reference a NULL pointer if the auth-type is unknown > in the function rad_check_password(). > * Escape more characters in the LDAP queries. > Bug found by Suse engineers. > * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(), > it leaks memory. > * Fix an off-by-one error in the module rlm_sql_unixodbc. > Bug found by Suse engineers. > * In rlm_sql, resize the buffer for the value of SQL-User-Name. > * Initialize memory for a new SQL socket in the module rlm_sql. > * Don't add too many attributes after running an external program. > Bug found by Suse engineers. > * Fix an off-by-one error in the function getthing(). > * snprintf() and vsnprintf() replacements were not compiled if > the autoconf tests didn't find the functions. > * Don't use vsprintf() anymore, but the replacement for vsnprintf() > in libradius instead. > * The function decode_attribute() may write beyond buffer bounds. > Bug found by Suse engineers. > * Fix a memset() in the function request_enqueue() which was > begining at the wrong address. Bug found by Matthias Ruttman. > * Fix an off-by-one error in the function xlat_copy(). > Bug found by Primoz Bratanic. > * Fix other off-by-one errors in module "rlm_unix", too. > Bug found by Allan Bazinet. > * Fix a 2-byte over-run read in function rad_decode(). > * Update thread pool queue properly. > * Autonconf tests try first any user-specified directory, > otherwise they may pick up the wrong version. > * Delete the autoconf tests for the libldap dependancies. > * Install all the regular files under the "doc" directory. > * Distinguish between exit code <0 (failure) and >0 (reject) > in Exec-Program-Wait. Patch from Thor Spruyt. > * Make Expiration work. > * Clean up the code for opening a proxy socket. > * When finding a realm to proxy to, if all are dead, wake them > if wake_all_if_all_dead is true. > * In radwho, print the NAS-Port as unsigned int. > * Use extended regex instead of basic regex in rlm_attr_filter. > * Catch the case where someone deletes a directory that rlm_detail > is using. > * Use the variable $(LDFLAGS) when linking a module. > * Ignore the Stripped-User-Name when a realm has the "nostrip" > directive. > * Add support for NT-Password in rlm_pap. > * In rlm_sqlcounter, use the time left to the next reset if it's > inferior to the time left in the counter. > * Calculate Message-Authenticator correctly for Accounting-Request > and Accounting-Response. Bug found by Paolo Rotela. > * Build on MAC OS X. Still need --disable-shared, though. > * Fix bug #255 (crash with expired CRL's, etc.) > * Fix quote removal of the values from a SQL database. > * Reap the zombie process after a command run from "Exec-Program". > * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL". > * Don't copy VSA's to an Access-Reject packet.
- Make gdbm optional, but keep it as default. (Partial dbm support using a builtin Berkeley DB 1.8x can now be used with option "bdb -gdbm"; no dbm support at all can be selected with "-gdbm".) - Specify --with/--without exactly once per option. - Merge postgresql support to a single option (pgsql), and correspondingly use pgsql.buildlink3.mk to pick the builder's desired implementation. This aligns freeradius with the rest of pkgsrc, wrt pgsql support.
PLIST fix as pointed out by Krister on pkgsrc-bulk@ Bump PKGREVISION
- Update to freeradius 1.0.4 - The security issues mentioned in this update were incorporated into patch-ak previously and a security advisory was already made in regards to this. > FreeRADIUS 1.0.4 ; Date: 2005/06/11 22:46:52, urgency=medium > > * Fix installation problem. > * Increase a buffer size, so radrelay doesn't truncate values. > * Updates in the documentation. Patches from Thor Spruyt. > > FreeRADIUS 1.0.3 ; Date: 2005/06/03 17:15:11, urgency=high > Security Fixes > * Always escape the strings in the SQL module. > * Check buffer bound when input character needs escaping in > the SQL module. Bug found by Primoz Bratanic. > > Bug fixes > * Return EAP-Fail in Access-Reject, rather than an empty Access-Reject > * Don't send Proxy-State from home server in TTLS. > * Fixes for forking external programs, so the server doesn't > suddenly stop processing requests, or stop forking programs. > * radzap now works, but it's command-line options have changed > completely, and it's a shell script. > * radwho has updated command-line options, and no longer reads > Unix "utmp" files. > * Fix bug in calling checkrad script with NAS port > 9999999 > * Fix long-standing bug when both crypt and pthreads are in use > * Don't SEGV when rlm_sql gets 'NULL' value from request. > * Re-arrange code in radrelay to not duplicate accounting packets. > * In rlm_attr_rewrite, change the value when the attribute type > is different from string.
RCD_SCRIPTS_EXAMPLEDIR is no longer customizable. And always is defined as share/examples/rc.d which was the default before. This rc.d scripts are not automatically added to PLISTs now also. So add to each corresponding PLIST as required. This was discussed on tech-pkg in late January and late April. Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
- Update freeradius to 1.0.2 - Fix for PR #29437 opened by luiszuccolo(at)ciudad.com.ar, thanks for the PR ! > FreeRADIUS 1.0.2 ; $Date: 2005/02/13 01:03:20 $, urgency=medium > * Novell eDirectoty support. Patch from Novell. > * localweb & Trapeze dictionary updates. > * EAP-SIM fixes. > * Make "Strip-User-Name = No" work. > * Don't declare zero-length arrays in rlm_passwd > * Bug fix to make udpfromto code work > * radrelay shouldn't dump core if it can't read a VP from the > detail file. > * Only initialize the random pool once. > * In rlm_sql, don't escape characters twice. > * Fix MD4 calculation on big-endian machines. > * In rlm_ldap, only claim Auth-Type if a plain text password is present. > * Treat Quintium VSAs like Cisco VSAs > * Locking fixes in threading code > * rlm_krb5 includes /usr/include/et for Fedora Core > * Fix post-auth REJECT stanza processing for rejections from external > processes or home RADIUS servers > * Fix building on gcc-4.0 by not trying to access static auth_port from > other files. > * Fix building SNMP support on Solaris 9, which needs -lkstat
Pullup ticket 118 - requested by Adrian Portelli build and security fixes for freeradius Based on patches provided by Adrian.
- Update freeradius to 1.0.1 - Fix builds on 1.6 and 2.0_BETA - ok'ed wiz@ - Addresses PR 26987 opened by Rui Paulo, thanks. - Fix startup script using the wrong options - Lots of changes including - Denial-of-Service Security Fix. - Make IPv6 support work better. - Many, many minor bug fixes and feature enhancements. - EAP-module feature improvements.
Mechanical changes to package PLISTs to make use of LIBTOOLIZE_PLIST. All library names listed by *.la files no longer need to be listed in the PLIST, e.g., instead of: lib/libfoo.a lib/libfoo.la lib/libfoo.so lib/libfoo.so.0 lib/libfoo.so.0.1 one simply needs: lib/libfoo.la and bsd.pkg.mk will automatically ensure that the additional library names are listed in the installed package +CONTENTS file. Also make LIBTOOLIZE_PLIST default to "yes".
mk/bsd.pkg.install.mk now automatically registers
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
Convert to the bsd.pkg.install.mk framework: - Install all configuration files under the examples directory. - Copy configuration files to PKG_SYSCONFDIR using CONF_FILES. - Honour PKG_SYSCONFDIR. - Use OWN_DIRS to handle the /var/run/radiusd status directory. - Use RCD_SCRIPTS to handle the rc.d script automatically. As a result, bump PKGREVISION to 3.
Remove the installation of libltdl and make this use the already installed one that libtool-base puts down. Also, fix one place in the freeradius code where a config.h should have been emitted but wasn't. Also, for NetBSD < 1.6N disable threads as this requires threads and the posix semaphore headers which pth/etc don't provide and didn't appear until 1.6N
Adding freeradius package. Thanks to David Ferlier <david@netbsd-fr.org>
for putting this package together. Closes PR pkg/20013.
I had originally requested this package even though we already had the
Cistern RADIUS package because some terminal servers won't work with
one or the other of these packages. This increases the number of terminal
servers that can work with NetBSD.
from the DESCR file:
All code in this server was written from scratch.
The server is mostly compatible with livingston radiusd-2.01
(no menus or s/key support though) but with more feautures, such as:
o Can limit max. number of simultaneous logins on a per-user basis!
o Multiple DEFAULT entries, that can optionally fall-through.
o In fact, every entry can fall-through
o Deny/permit access based on huntgroup users dials into
o Set certain parameters (such as static IP address) based on huntgroup
o Extra "hints" file that can select SLIP/PPP/rlogin based on
username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc).
o Can execute an external program when user has authenticated (for example
to run a sendmail queue).
o Can use `$INCLUDE filename' in radiusd.conf, users, and dictionary files
o Can act as a proxy server, relaying requests to a remote server
o Supports Vendor-Specific attributes
o No good documentation at all, just like the original radiusd 1.16!
Then of course for general RADIUS questions, especially if you are using
Livingston / Lucent RABU equipment, there is the portmaster-radius mailing
list. Send mail to portmaster-radius-request@livingston.com to find
out how to subscribe.