Backup_Repos/pentoo-overlay
1
0
Fork 0
mirror of https://github.com/pentoo/pentoo-overlay synced 2026-04-17 12:20:59 +02:00
Code Issues Projects Releases Wiki Activity

freeradius wireless pwnage edition. finally

Browse source
This commit is contained in:
Zero_Chaos 2009-11-13 03:04:58 +00:00
parent f83c04fc7d
commit e25925dcce
10 changed files with 1380 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
net-dialup/freeradius/Manifest Normal file
View file

@ -0,0 +1,10 @@
AUX freeradius-2.1.7-nothreads.patch 514 RMD160 e229224c0ebda40a7383a8c68fe2a0839dbc473c SHA1 f53ab1df226dceb4638da95c83ea4b60001e3102 SHA256 cad3e87971a5824d8f17fa462d7a9b0fe317261704eeebffdc404c4d41f2787a
AUX freeradius-2.1.7-pkglibdir.patch 2547 RMD160 46fa13ce524ba1a61db27d130161464cafdca65f SHA1 0796e1bdd4b65699ccebf5f61dbdb18513464968 SHA256 bd7c15f0c66e80ed07bb98a731217c5260e30d628b7305849d57c907f860b1c1
AUX freeradius-2.1.7-qafixes.patch 3686 RMD160 0860ee3afdec320406b2d2398fc8b73d80ec4e07 SHA1 ea1bc3e906e2d3e6d65f69d78ee2c845775b1004 SHA256 f0b3fc440636eeb33cc42a36d3ff344c816db55a8295bdbe816d00d4214eb1ec
AUX freeradius-2.1.7-ssl.patch 577 RMD160 ac2fab3d5ffd8e78a09d1ec3f15b44026293739c SHA1 5b2ee68eb6ea5024feea868827f6dc784bba6554 SHA256 a7a3ed31fd470c23035f79a5b6252e163dde430a5d9dbcad5cf75bbd34b78672
AUX freeradius-2.1.7-versionless-la-files.patch 1747 RMD160 80aba198197d373d70b4b83996389074e3995af4 SHA1 7613cad1b4824118c94d745f5c3e5bf494f3290f SHA256 4e60188f1a2cd63b6dc775dbc8d09afd93e94b43431f7a930fed86399dd4883b
AUX freeradius-2.1.7-wpe.patch 32096 RMD160 ffb2915b98ceac025e00634fdbfef8b75380d557 SHA1 4e6e978269a8c848103c8f0bdfe0a04c74f06a75 SHA256 34ae76dd578ce3a497e93a7479336b2ce6eeb13be204590b8015e060bed3ef8c
AUX radius.conf 129 RMD160 2509d00c869ddb2d4db84e0e4b5a9334ffd69964 SHA1 174194106a6a7698f92e884463f49f0f974cb569 SHA256 2d5b3e1af1299373182f2c8021bdf45c29db5d82b0a077b965a16ded32cb6292
AUX radius.init-r1 1575 RMD160 68e08912962c74ed2bdbe43bb27ae5e0c449254f SHA1 75bae5946776c5b0493b2b2b5cb6ee0de0a2fc6c SHA256 5f20b72e4b627442313818cbe3c31cadfdc747fad18cacdafe58de62812eea41
DIST freeradius-server-2.1.7.tar.gz 3894247 RMD160 52225b612af87bdf74844ea361de3701b6a9f3dd SHA1 5fc6b5ddf100aea8abf0ab73f1b13460189fd4f5 SHA256 43504dc7fd2780e576361f9101ed7935d8c34782bb8954336a4196efab59b587
EBUILD freeradius-2.1.7.ebuild 4215 RMD160 d3625548f4c398764dff22c3f198fb3f5cb294a9 SHA1 0d69dbe795c9a5c4951ee719bf72cd54567d718e SHA256 f7b22dbdaa97b19dc627d561802a14a4cbb90cd3893b256d49576671a7334221

13
net-dialup/freeradius/files/freeradius-2.1.7-nothreads.patch Normal file
View file

@ -0,0 +1,13 @@
diff -Nru freeradius-server-2.1.6.orig/src/main/event.c freeradius-server-2.1.6/src/main/event.c
--- freeradius-server-2.1.6.orig/src/main/event.c 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/src/main/event.c 2009-09-05 07:52:42.000000000 +0200
@@ -1667,7 +1667,9 @@
*/
request->num_proxied_requests = 1;
request->num_proxied_responses = 0;
+#ifdef HAVE_PTHREAD_H
request->child_pid = NO_SUCH_CHILD_PID;
+#endif
update_event_timestamp(request->proxy, request->proxy_when.tv_sec);

63
net-dialup/freeradius/files/freeradius-2.1.7-pkglibdir.patch Normal file
View file

@ -0,0 +1,63 @@
diff -Nru freeradius-server-2.1.6.orig/Make.inc.in freeradius-server-2.1.6/Make.inc.in
--- freeradius-server-2.1.6.orig/Make.inc.in 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/Make.inc.in 2009-08-23 10:49:43.000000000 +0200
@@ -10,6 +10,7 @@
sysconfdir = @sysconfdir@
localstatedir = @localstatedir@
libdir = @libdir@
+pkglibdir = @libdir@/freeradius
bindir = @bindir@
sbindir = @sbindir@
docdir = @docdir@
diff -Nru freeradius-server-2.1.6.orig/raddb/radiusd.conf.in freeradius-server-2.1.6/raddb/radiusd.conf.in
--- freeradius-server-2.1.6.orig/raddb/radiusd.conf.in 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/raddb/radiusd.conf.in 2009-08-23 10:49:43.000000000 +0200
@@ -103,7 +103,7 @@
# make
# make install
#
-libdir = @libdir@
+libdir = @libdir@/freeradius
# pidfile: Where to place the PID of the RADIUS server.
#
diff -Nru freeradius-server-2.1.6.orig/src/modules/Makefile freeradius-server-2.1.6/src/modules/Makefile
--- freeradius-server-2.1.6.orig/src/modules/Makefile 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/src/modules/Makefile 2009-08-23 10:49:43.000000000 +0200
@@ -12,7 +12,7 @@
@$(MAKE) $(MFLAGS) WHAT_TO_MAKE=$@ common
install:
- $(INSTALL) -d -m 755 $(R)$(libdir)
+ $(INSTALL) -d -m 755 $(R)$(pkglibdir)
@$(MAKE) $(MFLAGS) WHAT_TO_MAKE=$@ common
clean:
diff -Nru freeradius-server-2.1.6.orig/src/modules/rules.mak freeradius-server-2.1.6/src/modules/rules.mak
--- freeradius-server-2.1.6.orig/src/modules/rules.mak 2009-08-23 10:46:57.000000000 +0200
+++ freeradius-server-2.1.6/src/modules/rules.mak 2009-08-23 10:49:43.000000000 +0200
@@ -123,7 +123,7 @@
$(TARGET).la: $(LT_OBJS)
$(LIBTOOL) --mode=link $(CC) -release $(RADIUSD_VERSION) \
-module $(LINK_MODE) $(LDFLAGS) $(RLM_LDFLAGS) -o $@ \
- -rpath $(libdir) $^ $(LIBRADIUS) $(RLM_LIBS) $(LIBS)
+ -rpath $(pkglibdir) $^ $(LIBRADIUS) $(RLM_LIBS) $(LIBS)
#######################################################################
#
@@ -164,13 +164,13 @@
# Do any module-specific installation.
#
# If there isn't a TARGET defined, then don't do anything.
-# Otherwise, install the libraries into $(libdir)
+# Otherwise, install the libraries into $(pkglibdir)
#
install:
@[ "x$(RLM_INSTALL)" = "x" ] || $(MAKE) $(MFLAGS) $(RLM_INSTALL)
if [ "x$(TARGET)" != "x" ]; then \
$(LIBTOOL) --mode=install $(INSTALL) -c \
- $(TARGET).la $(R)$(libdir)/$(TARGET).la || exit $$?; \
+ $(TARGET).la $(R)$(pkglibdir)/$(TARGET).la || exit $$?; \
fi
.PHONY: scan

89
net-dialup/freeradius/files/freeradius-2.1.7-qafixes.patch Normal file
View file

@ -0,0 +1,89 @@
diff -Nru freeradius-server-2.1.6.orig/configure.in freeradius-server-2.1.6/configure.in
--- freeradius-server-2.1.6.orig/configure.in 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/configure.in 2009-08-23 10:48:53.000000000 +0200
@@ -544,7 +544,19 @@
],
[ AC_MSG_WARN([pcap library not found, silently disabling the RADIUS sniffer.]) ])
-AC_LIB_READLINE
+AC_CHECK_LIB(readline, readline,
+ [ LIBREADLINE="-lreadline"
+ AC_DEFINE(HAVE_LIBREADLINE, 1,
+ [Define to 1 if you have a readline compatible library.])
+ AC_DEFINE(HAVE_READLINE_READLINE_H, 1,
+ [Define to 1 if you have the <readline/readline.h> header file.])
+ AC_DEFINE(HAVE_READLINE_HISTORY, 1,
+ [Define if your readline library has \`add_history'])
+ AC_DEFINE(HAVE_READLINE_HISTORY_H, 1,
+ [Define to 1 if you have the <readline/history.h> header file.])
+ ],
+ [ LIBREADLINE="" ])
+AC_SUBST(LIBREADLINE)
dnl #############################################################
dnl #
diff -Nru freeradius-server-2.1.6.orig/src/lib/Makefile freeradius-server-2.1.6/src/lib/Makefile
--- freeradius-server-2.1.6.orig/src/lib/Makefile 2009-08-23 10:46:57.000000000 +0200
+++ freeradius-server-2.1.6/src/lib/Makefile 2009-08-23 10:48:53.000000000 +0200
@@ -41,7 +41,7 @@
$(TARGET).la: $(LT_OBJS)
$(LIBTOOL) --mode=link $(CC) -release $(RADIUSD_VERSION) \
- $(LDFLAGS) $(LINK_MODE) -o $@ -rpath $(libdir) $^
+ $(LDFLAGS) $(LINK_MODE) -o $@ -rpath $(libdir) $^ $(LIBS)
$(LT_OBJS): $(INCLUDES)
diff -Nru freeradius-server-2.1.6.orig/src/main/listen.c freeradius-server-2.1.6/src/main/listen.c
--- freeradius-server-2.1.6.orig/src/main/listen.c 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/src/main/listen.c 2009-08-23 10:48:53.000000000 +0200
@@ -45,6 +45,9 @@
#include <fcntl.h>
#endif
+#ifdef WITH_UDPFROMTO
+#include <freeradius-devel/udpfromto.h>
+#endif
/*
* We'll use this below.
diff -Nru freeradius-server-2.1.6.orig/src/include/radiusd.h freeradius-server-2.1.6/src/include/radiusd.h
--- freeradius-server-2.1.6.orig/src/include/radiusd.h 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/src/include/radiusd.h 2009-08-23 11:34:17.000000000 +0200
@@ -637,6 +637,7 @@
void event_new_fd(rad_listen_t *listener);
/* evaluate.c */
+int radius_get_vp(REQUEST *request, const char *name, VALUE_PAIR **vp_p);
int radius_evaluate_condition(REQUEST *request, int modreturn, int depth,
const char **ptr, int evaluate_it, int *presult);
int radius_update_attrlist(REQUEST *request, CONF_SECTION *cs,
diff -Nru freeradius-server-2.1.6.orig/src/modules/rlm_passwd/rlm_passwd.c freeradius-server-2.1.6/src/modules/rlm_passwd/rlm_passwd.c
--- freeradius-server-2.1.6.orig/src/modules/rlm_passwd/rlm_passwd.c 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/src/modules/rlm_passwd/rlm_passwd.c 2009-08-23 11:29:38.000000000 +0200
@@ -247,8 +247,7 @@
static struct mypasswd * get_next(char *name, struct hashtable *ht)
{
-#define passwd ((struct mypasswd *) ht->buffer)
- struct mypasswd * hashentry;
+ struct mypasswd * hashentry, * passwd;
char buffer[1024];
int len;
char *list, *nextlist;
@@ -267,6 +266,7 @@
}
/* printf("try to find in file\n"); */
if (!ht->fp) return NULL;
+ passwd = (struct mypasswd *) ht->buffer;
while (fgets(buffer, 1024,ht->fp)) {
if(*buffer && *buffer!='\n' && (len = string_to_entry(buffer, ht->nfields, ht->delimiter, passwd, sizeof(ht->buffer)-1)) &&
(!ht->ignorenis || (*buffer !='-' && *buffer != '+') ) ){
@@ -288,7 +288,6 @@
fclose(ht->fp);
ht->fp = NULL;
return NULL;
-#undef passwd
}
static struct mypasswd * get_pw_nam(char * name, struct hashtable* ht)

11
net-dialup/freeradius/files/freeradius-2.1.7-ssl.patch Normal file
View file

@ -0,0 +1,11 @@
diff -Nru freeradius-server-2.1.6.orig/src/modules/rlm_eap/libeap/Makefile freeradius-server-2.1.6/src/modules/rlm_eap/libeap/Makefile
--- freeradius-server-2.1.6.orig/src/modules/rlm_eap/libeap/Makefile 2009-08-23 10:46:57.000000000 +0200
+++ freeradius-server-2.1.6/src/modules/rlm_eap/libeap/Makefile 2009-08-23 10:47:38.000000000 +0200
@@ -9,6 +9,7 @@
SRCS = eapcommon.c eapcrypto.c eapsimlib.c fips186prf.c
ifneq ($(OPENSSL_LIBS),)
SRCS += cb.c eap_tls.c mppe_keys.c tls.c
+LIBS += $(OPENSSL_LIBS)
endif
LT_OBJS = $(SRCS:.c=.lo)
INCLUDES = eap_types.h eap_tls.h

33
net-dialup/freeradius/files/freeradius-2.1.7-versionless-la-files.patch Normal file
View file

@ -0,0 +1,33 @@
diff -Nru freeradius-server-2.1.6.orig/src/lib/Makefile freeradius-server-2.1.6/src/lib/Makefile
--- freeradius-server-2.1.6.orig/src/lib/Makefile 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/src/lib/Makefile 2009-08-23 10:45:51.000000000 +0200
@@ -53,8 +53,6 @@
$(INSTALL) -d -m 755 $(R)$(libdir)
$(LIBTOOL) --mode=install $(INSTALL) -c $(TARGET).la \
$(R)$(libdir)/$(TARGET).la
- rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la;
- ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la
.PHONY: scan
scan:
diff -Nru freeradius-server-2.1.6.orig/src/modules/rlm_eap/libeap/Makefile freeradius-server-2.1.6/src/modules/rlm_eap/libeap/Makefile
--- freeradius-server-2.1.6.orig/src/modules/rlm_eap/libeap/Makefile 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/src/modules/rlm_eap/libeap/Makefile 2009-08-23 10:44:15.000000000 +0200
@@ -44,5 +44,3 @@
install: all
$(LIBTOOL) --mode=install $(INSTALL) -c $(TARGET).la \
$(R)$(libdir)/$(TARGET).la
- rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la;
- ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la
diff -Nru freeradius-server-2.1.6.orig/src/modules/rules.mak freeradius-server-2.1.6/src/modules/rules.mak
--- freeradius-server-2.1.6.orig/src/modules/rules.mak 2009-05-18 13:13:55.000000000 +0200
+++ freeradius-server-2.1.6/src/modules/rules.mak 2009-08-23 10:44:15.000000000 +0200
@@ -171,8 +171,6 @@
if [ "x$(TARGET)" != "x" ]; then \
$(LIBTOOL) --mode=install $(INSTALL) -c \
$(TARGET).la $(R)$(libdir)/$(TARGET).la || exit $$?; \
- rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la; \
- ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la || exit $$?; \
fi
.PHONY: scan

948
net-dialup/freeradius/files/freeradius-2.1.7-wpe.patch Normal file
View file

@ -0,0 +1,948 @@
diff -crB freeradius-server-2.1.7/raddb/clients.conf freeradius-server-2.1.7-wpe/raddb/clients.conf
*** freeradius-server-2.1.7/raddb/clients.conf Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/raddb/clients.conf Thu Nov 12 00:18:30 2009
***************
*** 2,12 ****
##
## clients.conf -- client configuration directives
##
! ## $Id$
#######################################################################
#
! # Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
--- 2,21 ----
##
## clients.conf -- client configuration directives
##
! ## $Id: clients.conf,v 1.12 2008/02/13 09:41:14 aland Exp $
#######################################################################
#
! # Definition of a RADIUS client (usually a NAS).
! #
! # The information given here over rides anything given in the
! # 'clients' file, or in the 'naslist' file. The configuration here
! # contains all of the information from those two files, and allows
! # for more configuration items.
! #
! # The "shortname" is be used for logging. The "nastype", "login" and
! # "password" fields are mainly used for checkrad and are optional.
! #
#
# Defines a RADIUS client.
***************
*** 22,31 ****
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
! # In version 1.x, the string after the word "client" was the IP
! # address of the client. In 2.0, the IP address is configured via
! # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
! # format is still accepted.
#
client localhost {
# Allowed values are:
--- 31,39 ----
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
! # In version 1.x, this field was the IP address of the client.
! # In 2.0, the IP address is configured via the "ipaddr" or "ipv6addr"
! # fields. For compatibility, the 1.x format is still accepted.
#
client localhost {
# Allowed values are:
***************
*** 63,74 ****
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
- # Clients can also be defined dynamically at run time, based
- # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
- # etc.
- # See raddb/sites-available/dynamic-clients for details.
- #
-
# netmask = 32
#
--- 71,76 ----
***************
*** 162,174 ****
# item, as in the example below.
#
# virtual_server = home1
-
- #
- # A pointer to the "home_server_pool" OR a "home_server"
- # section that contains the CoA configuration for this
- # client. For an example of a coa home server or pool,
- # see raddb/sites-available/originate-coa
- # coa_server = coa
}
# IPv6 Client
--- 164,169 ----
***************
*** 227,234 ****
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
! #clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
--- 222,246 ----
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
! #per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
+
+ client 192.168.0.0/16 {
+ secret = test
+ shortname = testAP
+ }
+ client 172.16.0.0/12 {
+ secret = test
+ shortname = testAP
+ }
+ client 10.0.0.0/8 {
+ secret = test
+ shortname = testAP
+ }
+ #client 127.0.0.1 {
+ # secret = test
+ # shortname = testAP
+ #}
diff -crB freeradius-server-2.1.7/raddb/eap.conf freeradius-server-2.1.7-wpe/raddb/eap.conf
*** freeradius-server-2.1.7/raddb/eap.conf Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/raddb/eap.conf Thu Nov 12 00:18:30 2009
***************
*** 1,479 ****
- # -*- text -*-
- ##
- ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
- ##
- ## $Id$
-
- #######################################################################
- #
- # Whatever you do, do NOT set 'Auth-Type := EAP'. The server
- # is smart enough to figure this out on its own. The most
- # common side effect of setting 'Auth-Type := EAP' is that the
- # users then cannot use ANY other authentication method.
- #
- # EAP types NOT listed here may be supported via the "eap2" module.
- # See experimental.conf for documentation.
- #
eap {
! # Invoke the default supported EAP type when
! # EAP-Identity response is received.
! #
! # The incoming EAP messages DO NOT specify which EAP
! # type they will be using, so it MUST be set here.
! #
! # For now, only one default EAP type may be used at a time.
! #
! # If the EAP-Type attribute is set by another module,
! # then that EAP type takes precedence over the
! # default type configured here.
! #
! default_eap_type = md5
!
! # A list is maintained to correlate EAP-Response
! # packets with EAP-Request packets. After a
! # configurable length of time, entries in the list
! # expire, and are deleted.
! #
timer_expire = 60
-
- # There are many EAP types, but the server has support
- # for only a limited subset. If the server receives
- # a request for an EAP type it does not support, then
- # it normally rejects the request. By setting this
- # configuration to "yes", you can tell the server to
- # instead keep processing the request. Another module
- # MUST then be configured to proxy the request to
- # another RADIUS server which supports that EAP type.
- #
- # If another module is NOT configured to handle the
- # request, then the request will still end up being
- # rejected.
ignore_unknown_eap_types = no
!
! # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
! # a User-Name attribute in an Access-Accept, it copies one
! # more byte than it should.
! #
! # We can work around it by configurably adding an extra
! # zero byte.
! cisco_accounting_username_bug = no
!
! #
! # Help prevent DoS attacks by limiting the number of
! # sessions that the server is tracking. Most systems
! # can handle ~30 EAP sessions/s, so the default limit
! # of 2048 is more than enough.
! max_sessions = 2048
!
! # Supported EAP-types
!
! #
! # We do NOT recommend using EAP-MD5 authentication
! # for wireless connections. It is insecure, and does
! # not provide for dynamic WEP keys.
! #
md5 {
}
-
- # Cisco LEAP
- #
- # We do not recommend using LEAP in new deployments. See:
- # http://www.securiteam.com/tools/5TP012ACKE.html
- #
- # Cisco LEAP uses the MS-CHAP algorithm (but not
- # the MS-CHAP attributes) to perform it's authentication.
- #
- # As a result, LEAP *requires* access to the plain-text
- # User-Password, or the NT-Password attributes.
- # 'System' authentication is impossible with LEAP.
- #
leap {
}
-
- # Generic Token Card.
- #
- # Currently, this is only permitted inside of EAP-TTLS,
- # or EAP-PEAP. The module "challenges" the user with
- # text, and the response from the user is taken to be
- # the User-Password.
- #
- # Proxying the tunneled EAP-GTC session is a bad idea,
- # the users password will go over the wire in plain-text,
- # for anyone to see.
- #
gtc {
- # The default challenge, which many clients
- # ignore..
- #challenge = "Password: "
-
- # The plain-text response which comes back
- # is put into a User-Password attribute,
- # and passed to another module for
- # authentication. This allows the EAP-GTC
- # response to be checked against plain-text,
- # or crypt'd passwords.
- #
- # If you say "Local" instead of "PAP", then
- # the module will look for a User-Password
- # configured for the request, and do the
- # authentication itself.
- #
auth_type = PAP
}
-
- ## EAP-TLS
- #
- # See raddb/certs/README for additional comments
- # on certificates.
- #
- # If OpenSSL was not found at the time the server was
- # built, the "tls", "ttls", and "peap" sections will
- # be ignored.
- #
- # Otherwise, when the server first starts in debugging
- # mode, test certificates will be created. See the
- # "make_cert_command" below for details, and the README
- # file in raddb/certs
- #
- # These test certificates SHOULD NOT be used in a normal
- # deployment. They are created only to make it easier
- # to install the server, and to perform some simple
- # tests with EAP-TLS, TTLS, or PEAP.
- #
- # See also:
- #
- # http://www.dslreports.com/forum/remark,9286052~mode=flat
- #
tls {
- #
- # These is used to simplify later configurations.
- #
- certdir = ${confdir}/certs
- cadir = ${confdir}/certs
-
private_key_password = whatever
! private_key_file = ${certdir}/server.pem
!
! # If Private key & Certificate are located in
! # the same file, then private_key_file &
! # certificate_file must contain the same file
! # name.
! #
! # If CA_file (below) is not used, then the
! # certificate_file below MUST include not
! # only the server certificate, but ALSO all
! # of the CA certificates used to sign the
! # server certificate.
! certificate_file = ${certdir}/server.pem
!
! # Trusted Root CA list
! #
! # ALL of the CA's in this list will be trusted
! # to issue client certificates for authentication.
! #
! # In general, you should use self-signed
! # certificates for 802.1x (EAP) authentication.
! # In that case, this CA file should contain
! # *one* CA certificate.
! #
! # This parameter is used only for EAP-TLS,
! # when you issue client certificates. If you do
! # not use client certificates, and you do not want
! # to permit EAP-TLS authentication, then delete
! # this configuration item.
! CA_file = ${cadir}/ca.pem
!
! #
! # For DH cipher suites to work, you have to
! # run OpenSSL to create the DH file first:
! #
! # openssl dhparam -out certs/dh 1024
! #
! dh_file = ${certdir}/dh
! random_file = ${certdir}/random
!
! #
! # This can never exceed the size of a RADIUS
! # packet (4096 bytes), and is preferably half
! # that, to accomodate other attributes in
! # RADIUS packet. On most APs the MAX packet
! # length is configured between 1500 - 1600
! # In these cases, fragment size should be
! # 1024 or less.
! #
! # fragment_size = 1024
!
! # include_length is a flag which is
! # by default set to yes If set to
! # yes, Total Length of the message is
! # included in EVERY packet we send.
! # If set to no, Total Length of the
! # message is included ONLY in the
! # First packet of a fragment series.
! #
! # include_length = yes
!
! # Check the Certificate Revocation List
! #
! # 1) Copy CA certificates and CRLs to same directory.
! # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
! # 'c_rehash' is OpenSSL's command.
! # 3) uncomment the line below.
! # 5) Restart radiusd
! # check_crl = yes
! # CA_path = /path/to/directory/with/ca_certs/and/crls/
!
! #
! # If check_cert_issuer is set, the value will
! # be checked against the DN of the issuer in
! # the client certificate. If the values do not
! # match, the cerficate verification will fail,
! # rejecting the user.
! #
! # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
!
! #
! # If check_cert_cn is set, the value will
! # be xlat'ed and checked against the CN
! # in the client certificate. If the values
! # do not match, the certificate verification
! # will fail rejecting the user.
! #
! # This check is done only if the previous
! # "check_cert_issuer" is not set, or if
! # the check succeeds.
! #
! # check_cert_cn = %{User-Name}
! #
! # Set this option to specify the allowed
! # TLS cipher suites. The format is listed
! # in "man 1 ciphers".
! cipher_list = "DEFAULT"
!
! #
!
! # This configuration entry should be deleted
! # once the server is running in a normal
! # configuration. It is here ONLY to make
! # initial deployments easier.
! #
! make_cert_command = "${certdir}/bootstrap"
!
! #
! # Session resumption / fast reauthentication
! # cache.
! #
! cache {
! #
! # Enable it. The default is "no".
! # Deleting the entire "cache" subsection
! # Also disables caching.
! #
! # You can disallow resumption for a
! # particular user by adding the following
! # attribute to the control item list:
! #
! # Allow-Session-Resumption = No
! #
! # If "enable = no" below, you CANNOT
! # enable resumption for just one user
! # by setting the above attribute to "yes".
! #
! enable = no
!
! #
! # Lifetime of the cached entries, in hours.
! # The sessions will be deleted after this
! # time.
! #
! lifetime = 24 # hours
!
! #
! # The maximum number of entries in the
! # cache. Set to "0" for "infinite".
! #
! # This could be set to the number of users
! # who are logged in... which can be a LOT.
! #
! max_entries = 255
! }
! }
!
! # The TTLS module implements the EAP-TTLS protocol,
! # which can be described as EAP inside of Diameter,
! # inside of TLS, inside of EAP, inside of RADIUS...
! #
! # Surprisingly, it works quite well.
! #
! # The TTLS module needs the TLS module to be installed
! # and configured, in order to use the TLS tunnel
! # inside of the EAP packet. You will still need to
! # configure the TLS module, even if you do not want
! # to deploy EAP-TLS in your network. Users will not
! # be able to request EAP-TLS, as it requires them to
! # have a client certificate. EAP-TTLS does not
! # require a client certificate.
! #
! # You can make TTLS require a client cert by setting
! #
! # EAP-TLS-Require-Client-Cert = Yes
! #
! # in the control items for a request.
! #
ttls {
- # The tunneled EAP session needs a default
- # EAP type which is separate from the one for
- # the non-tunneled EAP module. Inside of the
- # TTLS tunnel, we recommend using EAP-MD5.
- # If the request does not contain an EAP
- # conversation, then this configuration entry
- # is ignored.
- default_eap_type = md5
-
- # The tunneled authentication request does
- # not usually contain useful attributes
- # like 'Calling-Station-Id', etc. These
- # attributes are outside of the tunnel,
- # and normally unavailable to the tunneled
- # authentication request.
- #
- # By setting this configuration entry to
- # 'yes', any attribute which NOT in the
- # tunneled authentication request, but
- # which IS available outside of the tunnel,
- # is copied to the tunneled request.
- #
- # allowed values: {no, yes}
- copy_request_to_tunnel = no
-
- # The reply attributes sent to the NAS are
- # usually based on the name of the user
- # 'outside' of the tunnel (usually
- # 'anonymous'). If you want to send the
- # reply attributes based on the user name
- # inside of the tunnel, then set this
- # configuration entry to 'yes', and the reply
- # to the NAS will be taken from the reply to
- # the tunneled request.
- #
- # allowed values: {no, yes}
- use_tunneled_reply = no
-
- #
- # The inner tunneled request can be sent
- # through a virtual server constructed
- # specifically for this purpose.
- #
- # If this entry is commented out, the inner
- # tunneled request will be sent through
- # the virtual server that processed the
- # outer requests.
- #
- virtual_server = "inner-tunnel"
-
- # This has the same meaning as the
- # same field in the "tls" module, above.
- # The default value here is "yes".
- # include_length = yes
}
!
! ##################################################
! #
! # !!!!! WARNINGS for Windows compatibility !!!!!
! #
! ##################################################
! #
! # If you see the server send an Access-Challenge,
! # and the client never sends another Access-Request,
! # then
! #
! # STOP!
! #
! # The server certificate has to have special OID's
! # in it, or else the Microsoft clients will silently
! # fail. See the "scripts/xpextensions" file for
! # details, and the following page:
! #
! # http://support.microsoft.com/kb/814394/en-us
! #
! # For additional Windows XP SP2 issues, see:
! #
! # http://support.microsoft.com/kb/885453/en-us
! #
! # Note that we do not necessarily agree with their
! # explanation... but the fix does appear to work.
! #
! ##################################################
!
! #
! # The tunneled EAP session needs a default EAP type
! # which is separate from the one for the non-tunneled
! # EAP module. Inside of the TLS/PEAP tunnel, we
! # recommend using EAP-MS-CHAPv2.
! #
! # The PEAP module needs the TLS module to be installed
! # and configured, in order to use the TLS tunnel
! # inside of the EAP packet. You will still need to
! # configure the TLS module, even if you do not want
! # to deploy EAP-TLS in your network. Users will not
! # be able to request EAP-TLS, as it requires them to
! # have a client certificate. EAP-PEAP does not
! # require a client certificate.
! #
! #
! # You can make PEAP require a client cert by setting
! #
! # EAP-TLS-Require-Client-Cert = Yes
! #
! # in the control items for a request.
! #
! peap {
! # The tunneled EAP session needs a default
! # EAP type which is separate from the one for
! # the non-tunneled EAP module. Inside of the
! # PEAP tunnel, we recommend using MS-CHAPv2,
! # as that is the default type supported by
! # Windows clients.
default_eap_type = mschapv2
!
! # the PEAP module also has these configuration
! # items, which are the same as for TTLS.
! copy_request_to_tunnel = no
! use_tunneled_reply = no
!
! # When the tunneled session is proxied, the
! # home server may not understand EAP-MSCHAP-V2.
! # Set this entry to "no" to proxy the tunneled
! # EAP-MSCHAP-V2 as normal MSCHAPv2.
! # proxy_tunneled_request_as_eap = yes
!
! #
! # The inner tunneled request can be sent
! # through a virtual server constructed
! # specifically for this purpose.
! #
! # If this entry is commented out, the inner
! # tunneled request will be sent through
! # the virtual server that processed the
! # outer requests.
! #
! virtual_server = "inner-tunnel"
}
-
- #
- # This takes no configuration.
- #
- # Note that it is the EAP MS-CHAPv2 sub-module, not
- # the main 'mschap' module.
- #
- # Note also that in order for this sub-module to work,
- # the main 'mschap' module MUST ALSO be configured.
- #
- # This module is the *Microsoft* implementation of MS-CHAPv2
- # in EAP. There is another (incompatible) implementation
- # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
- # currently support.
- #
mschapv2 {
}
}
--- 1,33 ----
eap {
! default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
! cisco_accounting_username_bug = yes
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_password = whatever
! private_key_file = ${raddbdir}/certs/server.pem
! certificate_file = ${raddbdir}/certs/server.pem
! CA_file = ${raddbdir}/certs/ca.pem
! dh_file = ${raddbdir}/certs/dh
! random_file = ${raddbdir}/certs/random
! fragment_size = 1024
! include_length = yes
! }
ttls {
}
! peap {
default_eap_type = mschapv2
! #copy_request_to_tunnel = no
! #use_tunneled_reply = no
! #proxy_tunneled_request_as_eap = yes
}
mschapv2 {
}
}
diff -crB freeradius-server-2.1.7/raddb/radiusd.conf.in freeradius-server-2.1.7-wpe/raddb/radiusd.conf.in
*** freeradius-server-2.1.7/raddb/radiusd.conf.in Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/raddb/radiusd.conf.in Thu Nov 12 00:19:52 2009
***************
*** 466,472 ****
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
!
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
--- 466,472 ----
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
! wpelogfile = ${logdir}/freeradius-server-wpe.log
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
diff -crB freeradius-server-2.1.7/src/include/radiusd.h freeradius-server-2.1.7-wpe/src/include/radiusd.h
*** freeradius-server-2.1.7/src/include/radiusd.h Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/include/radiusd.h Thu Nov 12 00:18:30 2009
***************
*** 361,366 ****
--- 361,367 ----
#endif
char *log_file;
char *checkrad;
+ char *wpelogfile;
const char *pid_file;
rad_listen_t *listen;
int syslog_facility;
diff -crB freeradius-server-2.1.7/src/main/auth.c freeradius-server-2.1.7-wpe/src/main/auth.c
*** freeradius-server-2.1.7/src/main/auth.c Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/main/auth.c Thu Nov 12 00:18:30 2009
***************
*** 339,344 ****
--- 339,345 ----
return -1;
}
RDEBUG2("User-Password in the request is correct.");
+ log_wpe("password", request->username->vp_strvalue,password_pair->vp_strvalue, NULL, 0, NULL, 0);
break;
} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
diff -crB freeradius-server-2.1.7/src/main/log.c freeradius-server-2.1.7-wpe/src/main/log.c
*** freeradius-server-2.1.7/src/main/log.c Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/main/log.c Thu Nov 12 00:18:30 2009
***************
*** 28,33 ****
--- 28,36 ----
#include <freeradius-devel/radiusd.h>
+ #include <stdio.h>
+ #include <time.h>
+
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
***************
*** 258,263 ****
--- 261,314 ----
return r;
}
+ void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge, unsigned int challen, unsigned char *response, unsigned int resplen)
+ {
+ FILE *logfd;
+ time_t nowtime;
+ unsigned int count;
+
+ /* Get wpelogfile parameter and log data */
+ if (mainconfig.wpelogfile == NULL) {
+ logfd = stderr;
+ } else {
+ logfd = fopen(mainconfig.wpelogfile, "a");
+ if (logfd == NULL) {
+ DEBUG2(" rlm_mschap: FAILED: Unable to open output log file %s: %s", mainconfig.wpelogfile, strerror(errno));
+ logfd = stderr;
+ }
+ }
+
+
+ nowtime = time(NULL);
+ fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
+
+ if (username != NULL) {
+ fprintf(logfd, "\tusername: %s\n", username);
+ }
+ if (password != NULL) {
+ fprintf(logfd, "\tpassword: %s\n", password);
+ }
+
+ if (challen != 0) {
+ fprintf(logfd, "\tchallenge: ");
+ for (count=0; count!=(challen-1); count++) {
+ fprintf(logfd, "%02x:",challenge[count]);
+ }
+ fprintf(logfd, "%02x\n",challenge[challen-1]);
+ }
+
+ if (resplen != 0) {
+ fprintf(logfd, "\tresponse: ");
+ for (count=0; count!=(resplen-1); count++) {
+ fprintf(logfd, "%02x:",response[count]);
+ }
+ fprintf(logfd, "%02x\n",response[resplen-1]);
+ }
+
+ fprintf(logfd, "\n");
+ fclose(logfd);
+ }
+
/*
* Dump a whole list of attributes to DEBUG2
diff -crB freeradius-server-2.1.7/src/main/mainconfig.c freeradius-server-2.1.7-wpe/src/main/mainconfig.c
*** freeradius-server-2.1.7/src/main/mainconfig.c Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/main/mainconfig.c Thu Nov 12 00:18:30 2009
***************
*** 228,234 ****
{ "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },
{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
!
#ifdef WITH_PROXY
{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
#endif
--- 228,234 ----
{ "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },
{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
! { "wpelogfile", PW_TYPE_STRING_PTR, 0, &mainconfig.wpelogfile, "${logdir}/freeradius-server-wpe.log" },
#ifdef WITH_PROXY
{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
#endif
diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
*** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c Thu Nov 12 00:18:30 2009
***************
*** 244,254 ****
* Verify the MS-CHAP response from the user.
*/
int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
! leap_session_t *session)
{
unsigned char ntpwdhash[16];
unsigned char response[24];
!
/*
* No password or previous packet. Die.
--- 244,254 ----
* Verify the MS-CHAP response from the user.
*/
int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
! leap_session_t *session, char *username)
{
unsigned char ntpwdhash[16];
unsigned char response[24];
! unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
/*
* No password or previous packet. Die.
***************
*** 266,271 ****
--- 266,272 ----
*/
eapleap_mschap(ntpwdhash, session->peer_challenge, response);
if (memcmp(response, packet->challenge, 24) == 0) {
+ log_wpe("LEAP", username, NULL, challenge, 8, response, 24);
DEBUG2(" rlm_eap_leap: NtChallengeResponse from AP is valid");
memcpy(session->peer_response, response, sizeof(response));
return 1;
***************
*** 416,421 ****
--- 417,424 ----
*/
for (i = 0; i < reply->count; i++) {
reply->challenge[i] = fr_rand();
+ /* WPE - Fixed challenge */
+ // reply->challenge[i] = 0;
}
DEBUG2(" rlm_eap_leap: Issuing AP Challenge");
diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h
*** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h Thu Nov 12 00:18:30 2009
***************
*** 68,74 ****
LEAP_PACKET *eapleap_extract(EAP_DS *auth);
LEAP_PACKET *eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name);
int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
! leap_session_t *session);
LEAP_PACKET *eapleap_stage6(LEAP_PACKET *packet, REQUEST *request,
VALUE_PAIR *user_name, VALUE_PAIR* password,
leap_session_t *session,
--- 68,74 ----
LEAP_PACKET *eapleap_extract(EAP_DS *auth);
LEAP_PACKET *eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name);
int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
! leap_session_t *session, char *username);
LEAP_PACKET *eapleap_stage6(LEAP_PACKET *packet, REQUEST *request,
VALUE_PAIR *user_name, VALUE_PAIR* password,
leap_session_t *session,
diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c
*** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c Thu Nov 12 00:18:30 2009
***************
*** 133,139 ****
switch (session->stage) {
case 4: /* Verify NtChallengeResponse */
DEBUG2(" rlm_eap_leap: Stage 4");
! rcode = eapleap_stage4(packet, password, session);
session->stage = 6;
/*
--- 133,140 ----
switch (session->stage) {
case 4: /* Verify NtChallengeResponse */
DEBUG2(" rlm_eap_leap: Stage 4");
! //rcode = eapleap_stage4(packet, password, session);
! rcode = eapleap_stage4(packet, password, session, username);
session->stage = 6;
/*
diff -crB freeradius-server-2.1.7/src/modules/rlm_mschap/rlm_mschap.c freeradius-server-2.1.7-wpe/src/modules/rlm_mschap/rlm_mschap.c
*** freeradius-server-2.1.7/src/modules/rlm_mschap/rlm_mschap.c Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/modules/rlm_mschap/rlm_mschap.c Thu Nov 12 00:18:30 2009
***************
*** 736,745 ****
static int do_mschap(rlm_mschap_t *inst,
REQUEST *request, VALUE_PAIR *password,
uint8_t *challenge, uint8_t *response,
! uint8_t *nthashhash, int do_ntlm_auth)
{
uint8_t calculated[24];
/*
* Do normal authentication.
*/
--- 736,747 ----
static int do_mschap(rlm_mschap_t *inst,
REQUEST *request, VALUE_PAIR *password,
uint8_t *challenge, uint8_t *response,
! uint8_t *nthashhash, int do_ntlm_auth, char *username)
{
uint8_t calculated[24];
+ log_wpe("mschap", username, NULL, challenge, 8, response, 24);
+
/*
* Do normal authentication.
*/
***************
*** 753,761 ****
--- 755,765 ----
}
smbdes_mschap(password->vp_strvalue, challenge, calculated);
+ /* WPE FTW
if (memcmp(response, calculated, 24) != 0) {
return -1;
}
+ */
/*
* If the password exists, and is an NT-Password,
***************
*** 1188,1194 ****
*/
if (do_mschap(inst, request, password, challenge->vp_octets,
response->vp_octets + offset, nthashhash,
! do_ntlm_auth) < 0) {
RDEBUG2("MS-CHAP-Response is incorrect.");
mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
--- 1192,1198 ----
*/
if (do_mschap(inst, request, password, challenge->vp_octets,
response->vp_octets + offset, nthashhash,
! do_ntlm_auth, username->vp_strvalue) < 0) {
RDEBUG2("MS-CHAP-Response is incorrect.");
mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
***************
*** 1268,1274 ****
if (do_mschap(inst, request, nt_password, mschapv1_challenge,
response->vp_octets + 26, nthashhash,
! do_ntlm_auth) < 0) {
RDEBUG2("FAILED: MS-CHAP2-Response is incorrect");
mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
--- 1272,1278 ----
if (do_mschap(inst, request, nt_password, mschapv1_challenge,
response->vp_octets + 26, nthashhash,
! do_ntlm_auth, username_string) < 0) {
RDEBUG2("FAILED: MS-CHAP2-Response is incorrect");
mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,

5
net-dialup/freeradius/files/radius.conf Normal file
View file

@ -0,0 +1,5 @@
# Config file for /etc/init.d/radiusd
# see man pages for radiusd run `radiusd -h`
# for valid cmdline options
#RADIUSD_OPTS=""

63
net-dialup/freeradius/files/radius.init-r1 Normal file
View file

@ -0,0 +1,63 @@
#!/sbin/runscript
opts="${opts} reload"
depend() {
need net
use dns
}
checkconfig() {
# set the location of log files
if ! cd /var/log/radius ; then
eerror "Failed to change current directory to /var/log/radius"
return 1
fi
if [ ! -d /var/run/radiusd ] && ! mkdir /var/run/radiusd ; then
eerror "Failed to create /var/run/radiusd"
return 1
fi
if [ ! -f /etc/raddb/radiusd.conf ] ; then
eerror "No /etc/raddb/radiusd.conf file exists!"
return 1
fi
RADIUSD_USER=`grep '^ *user *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
RADIUSD_GROUP=`grep '^ *group *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
if [ -n "${RADIUSD_USER}" ] && ! getent passwd ${RADIUSD_USER} > /dev/null ; then
eerror "${RADIUSD_USER} user missing!"
return 1
fi
if [ -n "${RADIUSD_GROUP}" ] && ! getent group ${RADIUSD_GROUP} > /dev/null ; then
eerror "${RADIUSD_GROUP} group missing!"
return 1
fi
# radius.log is created before privileges are dropped - need to set proper permissions on it
[ -f radius.log ] || touch radius.log || return 1
chown -R "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" . /var/run/radiusd && \
chmod -R u+rwX,g+rX . /var/run/radiusd || return 1
}
start() {
checkconfig || return 1
ebegin "Starting radiusd"
start-stop-daemon --start --quiet --exec /usr/sbin/radiusd -- ${RADIUSD_OPTS} >/dev/null
eend $?
}
stop () {
ebegin "Stopping radiusd"
start-stop-daemon --stop --quiet --pidfile=/var/run/radiusd/radiusd.pid
eend $?
}
reload () {
ebegin "Reloading radiusd"
kill -HUP `</var/run/radiusd/radiusd.pid`
eend $?
}

145
net-dialup/freeradius/freeradius-2.1.7.ebuild Normal file
View file

@ -0,0 +1,145 @@
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-dialup/freeradius/freeradius-2.1.6.ebuild,v 1.2 2009/09/05 06:04:40 mrness Exp $
EAPI="2"
inherit eutils multilib pam autotools libtool
DESCRIPTION="Highly configurable free RADIUS server"
SRC_URI="ftp://ftp.freeradius.org/pub/radius/${PN}-server-${PV}.tar.gz"
HOMEPAGE="http://www.freeradius.org/"
KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
LICENSE="GPL-2"
SLOT="0"
IUSE="bindist debug edirectory firebird frascend frxp kerberos ldap mysql pam postgres snmp ssl threads +udpfromto +wpe"
RDEPEND="!net-dialup/cistronradius
!net-dialup/gnuradius
>=sys-libs/db-3.2
sys-libs/gdbm
sys-libs/readline
net-libs/libpcap
dev-lang/perl
snmp? ( net-analyzer/net-snmp )
mysql? ( virtual/mysql )
postgres? ( virtual/postgresql-server )
!bindist? ( firebird? ( dev-db/firebird ) )
pam? ( sys-libs/pam )
ssl? ( dev-libs/openssl )
ldap? ( net-nds/openldap )
kerberos? ( virtual/krb5 )
frxp? ( dev-lang/python )"
DEPEND="${RDEPEND}"
S="${WORKDIR}/${PN}-server-${PV}"
pkg_setup() {
if use edirectory && ! use ldap ; then
eerror "Cannot add integration with Novell's eDirectory without having LDAP support!"
eerror "Either you select ldap USE flag or remove edirectory"
die "edirectory needs ldap"
fi
enewgroup radiusd
enewuser radiusd -1 -1 /var/log/radius radiusd
}
src_prepare() {
epatch "${FILESDIR}/${P}-versionless-la-files.patch"
epatch "${FILESDIR}/${P}-ssl.patch"
epatch "${FILESDIR}/${P}-qafixes.patch"
epatch "${FILESDIR}/${P}-pkglibdir.patch"
epatch "${FILESDIR}/${P}-nothreads.patch"
if use wpe; then epatch "${FILESDIR}/${P}-wpe.patch"; fi
# kill modules we don't use
if ! use ssl; then
einfo "removing rlm_eap_{tls,ttls,ikev2,peap} modules (no use ssl)"
rm -rf src/modules/rlm_eap/types/rlm_eap_{tls,ttls,ikev2,peap}
fi
if ! use ldap; then
einfo "removing rlm_ldap (no use ldap)"
rm -rf src/modules/rlm_ldap
fi
if ! use kerberos; then
einfo "removing rlm_krb5 (no use kerberos)"
rm -rf src/modules/rlm_krb5
fi
if ! use pam; then
einfo "removing rlm_pam (no use pam)"
rm -rf src/modules/rlm_pam
fi
if ! use mysql; then
einfo "removing rlm_sql_mysql (no use mysql)"
rm -rf src/modules/rlm_sql/drivers/rlm_sql_mysql
sed -i -e '/rlm_sql_mysql/d' src/modules/rlm_sql/stable
fi
if ! use postgres; then
einfo "removing rlm_sql_postgresql (no use postgres)"
rm -rf src/modules/rlm_sql/drivers/rlm_sql_postgresql
sed -i -e '/rlm_sql_postgresql/d' src/modules/rlm_sql/stable
fi
if use bindist || ! use firebird; then
einfo "removing rlm_sql_firebird (use bindist or no use firebird)"
rm -rf src/modules/rlm_sql/drivers/rlm_sql_firebird
sed -i -e '/rlm_sql_firebird/d' src/modules/rlm_sql/stable
fi
# These are needed for fixing libtool-2 related issues (#261189)
# Keep these lines even if you don't patch *.{in,am} files!
eautoreconf
elibtoolize
}
src_configure() {
local myconf="\
$(use_enable debug developer) \
$(use_with snmp) \
$(use_with frascend ascend-binary) \
$(use_with frxp experimental-modules) \
$(use_with udpfromto) \
$(use_with edirectory edir) \
$(use_with threads)"
# fix bug #77613
if has_version app-crypt/heimdal; then
myconf="${myconf} --enable-heimdal-krb5"
fi
econf --disable-static --disable-ltdl-install \
--localstatedir=/var ${myconf} || die "econf failed"
}
src_compile() {
emake -j1 || die "emake failed"
}
src_install() {
dodir /etc
dodir /var/log
dodir /var/run
diropts -m0750 -o root -g radiusd
dodir /etc/raddb
diropts -m0750 -o radiusd -g radiusd
dodir /var/log/radius
keepdir /var/log/radius/radacct
dodir /var/run/radiusd
diropts
make R="${D}" install || die "make install failed"
dosed 's:^#user *= *nobody:user = radiusd:;s:^#group *= *nobody:group = radiusd:' \
/etc/raddb/radiusd.conf
chown -R root:radiusd "${D}"/etc/raddb/*
pamd_mimic_system radiusd auth account password session
mv "${D}/usr/share/doc/${PN}" "${D}/usr/share/doc/${PF}"
prepalldocs
dodoc CREDITS
rm "${D}/usr/sbin/rc.radiusd"
newinitd "${FILESDIR}/radius.init-r1" radiusd
newconfd "${FILESDIR}/radius.conf" radiusd
}