Ticket: CM-19457
Reviewed By: nobody
Testing Done: multiple logins, separately and simultaneously
Because we can't determine privilege level separately and up front with
the RADIUS protocol, unlike TACACS+, we wind up with all logins as the
same unprivileged radius uid. But we can set the auid (accounting or
auditing uid) correctly, and a separate setcap radius_shell can be set as
the login shell, and can fix up the uid before running /bin/bash.
To set the auid correctly, we need to know the privileged radius user
account. Added mapped_priv_user to the configuration file to handle
that. mapped_priv_user has to match the account used by libnss-mapuser.
That's a bit ugly, but a common config file would be uglier.
The radius shell is in a new package, since it has binaries. The new
package is radius-shell. In its post actions, it changes the radius
users' shell to radius_shell if they are present, and back to /bin/bash
on package removal. It uses capabilities, tries to be very restrictive
in what it changes, and depends on being installed setcap cap_setuid.
Make the existing libpam-radius-auth package depend on radius-shell, so
it will pull in the new package on upgrades.
Also fixed another issue with reparsing a changed config file: we have to
handle the case where there were servers defined, but aren't any longer.

Ticket: CM-20454
Reviewed By: nobody
My code to avoid redoing all the config didn't work right when
re-entered with no server listed in the config file. The result
was I'd return an error the first time, and success the 2nd-Nth
times, and then later code would try to dereference the NULL pointer
server list, and segv in login or sshd, etc.
Redid the logic in initialize() to fix that.

Ticket: CM-19457
Reviewed By:
Testing Done:
As with the tacplus client, we'll support priv-lvl=15 as a privileged
user, able to run config commands and sudo (when used with
libnss-mapuser).
Added new code to decode VSA attributes, and search for
shell:priv-lvl=#. A new config item is added "priv-lvl" in the
configuration file to specify the minimum value to be considered
privileged. The default is 15.
Writing mapping session file in the plugin now, because it needs to
be present for the final getpw* calls from ssh, login, etc.
Dropped the homedir in the mapfile; we're not ready to get it via NSS when
we write the mapfile, and it wasn't ever used.
Also added same pam condition as tacplus, don't invoke pam_radius_auth
unless uid > 1000, to avoid overhead on system users and cumulus
account, although that won't help as much as with tacplus, given the
mappings.
Also added copyrights to the pam header file.
Fixed a bunch of issues, which meant some significant restructuring.
src_ip (as noted in some comments) really should have been in the
server struct. Having done that, we don't need to open both v4 and
v6 sockets, we only open the one we need after moving host2server()
call into the initialization code.
Only parse the pam_radius_auth.conf config file once (unless the
PAM line specifies a different config file from previous pam mode,
or the config file has changed).
As part of that, do all the host name resolution up front, and
store ip_acct for accounting port, as well as the previous ip
for auth port.
While doing that, set it up so initialization and the config file
parsing are only done once in the common case. If the config file
is specified on the pam command line, and it's different, then we'll
re-open and re-initialize.
That also means we normally only open the socket and bind once.
Cleanup is now done via registering a pam_set_data() handler for
the server list. Since the _pam_end() call may happen late, also
ensure that all the sockets are marked close on exec.
Fixed some white space and line length issues. Really should have
been a separate commit, but...
Document how port for accounting is derived, and changed it to use
radacct if a named port was specified that isn't "radius" while
warning about it.

No actual code changes.

Ticket: CM-19908
Reviewed By:
Testing Done: installed, looked at logs
See the bug for background, but basically it's better to use the
normal APIs. Unlike the tacacs client, this wasn't doing
openlog/closelog, but it makes sense to have them all using
the same logging.

Minor fix, and repositioning of the code.
Also needed to add the code for the IPv6 case as well.
Minor formatting fix to man page.

Added changes to allow admins to set up RADIUS clients with no local
knowledge of the RADIUS accounts (no adduser required, nor LDAP, etc.)
This is done by using the nss-mapuser package. The only real change
to this package is to set up the SUDO prompt, so it's the RADIUS login
name, in the pam_sm_acct_mgmt entry point.
Bumped the version to 1.4.1.
Changed the PACKAGE info in configure to reflect Cumulus, and also
a few related fields. Changed maintainer to dev-support.
Also incorporated changes to make debugging builds easier under debian.
Added comment and description of src_ip to the config file (author of
the src_ip changes hadn't yet done that), and removed the location of
config file from comments, since debian installs to a different
location.
Quieted config complaints; can't move to current because current is
GPLv3, and this doesn't use autoconf.
Tried to capture the 5 years of changes between 1.3.17 and 1.4.0.
Added lintian overrides. Fixed up debian/copyright file to be standard
format, and match (approximately) the source files. Overrides don't
quite work, because of source vs. binary confusion, but they document them.
Added debian install files.
Added man page for the plugin, and for the RADIUS client config file.

Replaced select with poll to allow file descriptors >FD_SETSIZE.

Add Calling-Station-Id to accounting requests.

Make module (almost) thread-safe.

I needed to move the position of the structures
so I could use the CONST macro with the new
member.

Previously, it was stored as file-scope variable.
I also deleted the file-scope variable,
"live_server", because it was not being used.

pam_radius_auth.c was including config.h via
pam_radius_auth.h but only after other library
header files had been included. This meant you
could have _GNU_SOURCE, for example, defined in
config.h but it did not have any effect on which
library functions were provided.

Explicitly cast the arg to isdigit to an unsigned char.

Force authentication failure when a certain number of challenges
has been reached.
This is a workaround for buggy servers that keep issuing
challenges, when they should really send Access-Reject.
The limit is configurable through parameter "max_challenge".
The default is 0, which means the workaround is disabled.
An invalid or negative value also disables this workaround.

SURFsara fixes and changes

Just making sure; it seems cleaner to make sure that the function
cannot exit with the response in some random/undefined state.