[RADIATOR] Radiator Version 4.5 released

Jérôme Fleury jeje at jeje.org
Tue Nov 3 04:36:13 CST 2009


Hi Mike,

there's also a bug in the sample yubikey.cfg file you provide in goodies:

                # The default works with the sample database schema provided
                # by db_schema.sql from the YubiKey Validation Server.
                # AuthSelect select secret, active, userId, counter, NULL from yubikeys where tokenId=%1
                AuthSelect select secret, active, userId, counter, NULL from yubikeys where tokenId=%1

This AuthSelect cannot work with the code. You *have* to insert low
and high values in the AuthSelect:

AuthSelect select secret, active, userId, counter, low, high, staticpassword from yubikeys where tokenId=%1 AND userId=%0

It is also much better to include the userId check; otherwise you can
log in with any user Id using your own key, which is definitely not the
purpose of the key.

Regards,

Jerome.

On Fri, Oct 30, 2009 at 23:51, Mike McCauley <mikem at open.com.au> wrote:
> Hello Jérôme,
>
> On Friday 30 October 2009 08:38:36 pm Jérôme Fleury wrote:
>> Hi.
>>
>> Is it me or AuthSQLYUBIKEY.pm is not included in the tarball ??
>
> It's not you: it was incorrectly omitted. It is now in the latest patch set.
> Thanks for reporting it.
>
> Cheers.
>
>>
>> On Tue, Oct 27, 2009 at 01:20, Mike McCauley <mikem at open.com.au> wrote:
>> > We are pleased to announce the release of Radiator version 4.5
>> >
>> > This version contains some significant new modules, such as support for
>> > Yubikey tokens from Yubico (http://www.yubico.com), support for HOTP (RFC
>> > 4226) one-time-passwords and a number of bug fixes.
>> >
>> > As usual, the new version is available to current licensees from:
>> > http://www.open.com.au/radiator/downloads/
>> >
>> > and to current evaluators from:
>> > http://www.open.com.au/radiator/demo-downloads
>> >
>> > Licensees with expired access contracts can renew at:
>> > http://www.open.com.au/renewal.php
>> >
>> > An extract from the history file
>> > http://www.open.com.au/radiator/history.html is below:
>> >
>> >
>> >
>> > Revision 4.5 (2009-10-27) New features and bug fixes
>> >
>> > Fixed a bug that could cause a crash at startup if the listening
>> > RADIUS port could not be opened due for example to an
>> > unresolvable bind address. The error message was "Not a CODE
>> > reference at Radius/ServerRADIUS.pm". Reported by Thomas
>> > Schlottke.
>> >
>> > Significant performance improvements in Select::add_timeout. Now
>> > uses binary search for the insertion point, rather than re-sorting
>> > the whole list every time.
>> >
>> > Added support for authenticating Yubikey tokens from
>> > Yubico (http://www.yubico.com). Yubikeys are small, inexpensive
>> > USB tokens for one-time-password authentication. Added sample
>> > configuration file and descriptive test file. Supports one and two
>> > factor authentication, replay detection etc.
>> >
>> > Fixed a problem with AuthBy LDAPRADIUS which would cause a crash
>> > during initialization.
>> >
>> > Improvements to ServerTACACSPLUS so it can find an appropriate
>> > Client clause even if the reverse DNS is screwy. Suggested by
>> > Ranko Zivojnovic.
>> >
>> > Fixed a problem with resolution of IPv6 addresses on some
>> > platforms such as Solaris. Some debug messages were inadvertently
>> > left in Util::gethostbyname for ipv6. Reported by Sami
>> > Keski-Kasari.
>> >
>> > Fixed a problem with heavily loaded server farms where a SIGHUP
>> > of the process leader could cause inability to bind to the
>> > listening ports after restart. Radiusd now waits for all farm
>> > children to die before restarting. Reported by Dan Cachola.
>> >
>> > Added support for HOTP (RFC 4226) one-time-passwords with AuthBy
>> > SQLHOTP. HOTP one-time-passwords are authenticated based on a
>> > secret key stored in an SQL database. Detects replay attacks and
>> > brute-force attacks and counter resynchronisation. Can also
>> > support static passwords for 2 factor authentication when the
>> > user prefixes their static password before the HOTP
>> > one-time-password. Supports authentication by RADIUS PAP, EAP-OTP
>> > and EAP-GTC. Includes sample configuration file and sample
>> > database schema with test users.
>> >
>> > Added support for IdleTimeout to Server TACACSPLUS. If a client
>> > stays connected for more than this number of seconds without
>> > sending any requests it will be disconnected. Defaults to 180
>> > seconds. Requested by Yevgeniy Averin.
>> >
>> > Added new parameter UseContentsForDuplicateDetection to
>> > Client. This must be used in a server farm environment. The back
>> > end servers in a server farm will receive requests from a range
>> > of source ports. Duplicates received by the front ends and
>> > proxied to the back ends may appear to come from a range of
>> > source ports and with a range of RADIUS identifiers. This flag
>> > causes duplicate detection to be based on the contents of the
>> > packet, and not on the 'envelope'. This permits duplicates to be
>> > detected regardless of the path they take to get from the NAS
>> > to the server. It must be set in the Client clauses of the back
>> > end servers of a server farm architecture.
>> >
>> > Fixed a problem with the MIB name in CiscoSessionMIB. Reported by
>> > Tim Wolgemuth.
>> >
>> > Added support for UseContentsForDuplicateDetection to ClientList
>> > SQL. If the SQL query returns a row 26, it will be used as the
>> > UseContentsForDuplicateDetection flag.
>> >
>> > Fixed a problem where some type of authentication would
>> > incorrectly succeed when NoEAP was in use. Reported by Heinrich
>> > Mislik.
>> >
>> > Added a new ReplyHook flag to AuthBy RADIUS so that hooks can
>> > signal the fact that a request has been redirected, and not to
>> > generate a reply from the AuthBy RADIUS. Sample configuration
>> > file in goodies/rejectproxy.cfg
>> >
>> > Fixed a problem with duplicate replies in test suite.
>> >
>> > When Trace -1 is enabled, prints the PID in the "currently
>> > handling" message. Suggested by Robert Patrick.
>> >
>> > Added various Trapeze VSAs to dictionary, contributed by Andrew
>> > Clark.
>> >
>> > Type of WiMAX-IP-Redirection-Rule in dictionary changed to
>> > string. Suggested by Garima Mahadik.
>> >
>> > Fixed a problem reported with TLS where, under unusual
>> > circumstances during a proxied TLS authentication,
>> > Net::SSLeay::SESSION_get_master_key could crash due to the TLS
>> > session being invalidated. Reported by Matti Saarinen.
>> >
>> > Added a number of Infoblox VSAs to dictionary. Provided by Andrew
>> > D. Clark.
>> >
>> > Fixed a problem with AuthBy PAM on Solaris: if a request without
>> > a username is received, it can cause PAM to go into an infinite
>> > loop with messages like: "DEBUG: PAM is asking for 2: 'Please
>> > enter user name'". Reported by Markus Moeller.
>> >
>> > Added a number of Huawei VSAs to dictionary.
>> >
>> > Reinstated changes to password decoding introduced in version 4
>> > that meant that certain non-compliant password encryptions were
>> > not decrypted properly. Reported by Roland Rosenfeld.
>> >
>> > Fixed a problem in ClientList SQL and ClientListLDAP where if the
>> > client creation phase fails, it could cause a subsequent crash
>> > when findDuplicate() is called within Client.pm. Reported by
>> > Shirley Wou.
>> >
>> > Added placeholders for Symbol (388) VSAs to dictionary.
>> >
>> > Packets created by EAP-TTLS for proxying now add
>> > Message-Authenticator if there is an EAP-Message. This ensures
>> > that if the packet is proxied to another RADIUS server, the lack
>> > of EAP-Message won't prevent processing of the request.
>> >
>> > Fixed a problem in the StreamTLS certificate verification where
>> > it does the subjectAltName checks incorrectly if both URI and (IP
>> > or DNS) are checked. It never checks the IP or DNS. Reported by
>> > Heikki Vatiainen.
>> >
>> > Fixed a problem where AuthBy DNSROAM would activate AuthBy RADSEC
>> > and AuthBy RADIUS too often. Reported by Heikki Vatiainen.
>> >
>> > Fixed a problem where AuthBy DNSROAM did not correctly set
>> > ReplyHook or NoReplyHook in Routes or AuthBy RADSEC or AuthBy
>> > RADIUS. Reported by Heikki Vatiainen.
>> >
>> > Added new attributes from RFC5607 to dictionary.
>> >
>> > Added new attributes from RFC5580 to dictionary.
>> >
>> > Fixed a problem that prevented replies to Disconnect-Request and
>> > Change-Filter-Request from getting their Authenticator correctly
>> > computed. Reported by Jack Ho.
>> >
>> > For classes that use Stream connections (such as AuthBy RADIUS,
>> > ApplePasswordServer), if ConnectOnDemand is set, then Stream
>> > always blocks until the connect either succeeds or
>> > fails. Requested by Sam Lin.
>> >
>> > Stream classes now support special characters in Host,
>> > HostAddress, ReconnectTimeout. Requested by Sam Lin.
>> >
>> > Added example Radiator configuration file and hook, showing how
>> > to support both RSA OnDemand and SecurID authentication for the
>> > same users.
>> >
>> > Added new parameter DisableMTUDiscovery to ServerRADIUS and
>> > AuthBy RADIUS. Disables MTU discovery on platforms that support
>> > that behaviour (currently Linux only). This can be used to
>> > prevent discarding of certain large RADIUS packet fragments on
>> > supporting operating systems.
>> >
>> > Added support for FramedGroup, StripFromReply, AllowInReply,
>> > AddToReply and AddToReplyIfNotExist to Server RADSEC. Requested
>> > by Paul Dekkers.
>> >
>> > Monitor and SNMPAgent clauses now support the Identifier
>> > parameter.
>> >
>> > Fixed a problem that prevented Origin-Host being set correctly in
>> > proxied requests. Reported and patched by Arthur Konovalov.
>> >
>> > Added sample hook to hooks.txt which runs in each child and
>> > closes the Monitor and SNMPAgent ports and re-opens them on a
>> > different port number.
>> >
>> > Added OSC-Session-Identifier to dictionary.
>> >
>> > Added support for new special character Z which is replaced by
>> > the RADIUS Identifier in the current packet (if any).
>> >
>> > Improvements to AuthBy SQLYUBIKEY: Default UpdateQuery now uses
>> > current_timestamp() instead of now() for better compatibility
>> > with more SQL servers. Static password can now be separated from
>> > the token string with a ':' to ensure they can be identified,
>> > even with non-standard Yubikey token lengths. Suggestions by
>> > Jérôme Fleury.
>> >
>> > Minor change to log message when a requested EAP type is
>> > rejected, so the name of the desired type is printed. Patch
>> > supplied by Alexander Hartmaier.
>> >
>> > AuthBy LDAP2 now supports multiple space separated Host names,
>> > and Net::LDAP will choose the first available one. Patch supplied
>> > by Raphael Luta.
>> >
>> > Fixed a problem which could result in a blank user name in PEAP
>> > or TTLS or other inner requests under some very unusual
>> > circumstances. Improved EAP context finding algorithm so inner
>> > and outer requests with the same User-Name would not collide.
>> >
>> >
>> >
>> > --
>> > Mike McCauley                               mikem at open.com.au
>> > Open System Consultants Pty. Ltd
>> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> > http://www.open.com.au Phone +61 7 5598-7474                       Fax
>> > +61 7 5598-7070
>> >
>> > Radiator: the most portable, flexible and configurable RADIUS server
>> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
>> > on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> > _______________________________________________
>> > radiator mailing list
>> > radiator at open.com.au
>> > http://www.open.com.au/mailman/listinfo/radiator
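The following is an added editorial example, not code from this thread or from Radiator, illustrating the two points Jérôme raises about the sample yubikey.cfg: the AuthSelect must return the low/high counters so replays can be detected, and it must bind the token to the user (the `AND userId=%0` clause), or any user name is accepted with any valid key. It runs the two query shapes from the mail against an in-memory SQLite copy of a `yubikeys` table. The column names come from the quoted queries; the schema, the sample rows, the `(counter, high, low)` ordering rule used for replay detection, the `':'` static-password separator handling, and modelling the AES step as already-decrypted counter fields are all assumptions made for the example.

```python
"""Constructed demo: tokenId-only lookup vs tokenId+userId lookup with counter replay check."""
import sqlite3
from dataclasses import dataclass

# Query shapes from the thread. %1 (token id) and %0 (user name) become SQLite
# placeholders here.
WEAK_SELECT = ("SELECT secret, active, userId, counter, low, high, staticpassword "
               "FROM yubikeys WHERE tokenId=?")          # the shipped sample: no userId check
STRICT_SELECT = WEAK_SELECT + " AND userId=?"           # the corrected form
UPDATE = "UPDATE yubikeys SET counter=?, low=?, high=? WHERE tokenId=?"

OTP_LEN = 44  # standard Yubikey OTP: 12-char modhex public id + 32-char encrypted token

# Constructed OTPs: public id followed by 32 modhex characters (not real tokens).
ALICE_OTP = "ccccccbchvth" + "cbdefghijklnrtuv" * 2
BOB_OTP = "cccccccbtbev" + "vutrnlkjihgfedbc" * 2


@dataclass
class TokenFields:
    """What AES decryption of the 32-char token with the stored secret would yield.
    AES is out of scope here; callers pass these values in directly (assumption)."""
    counter: int
    low: int
    high: int


def make_db():
    """Constructed schema and rows; column names follow the AuthSelect in the mail."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE yubikeys (
            tokenId TEXT PRIMARY KEY, userId TEXT NOT NULL, secret TEXT NOT NULL,
            active INTEGER NOT NULL, counter INTEGER NOT NULL,
            low INTEGER NOT NULL, high INTEGER NOT NULL, staticpassword TEXT);
        INSERT INTO yubikeys VALUES ('ccccccbchvth', 'alice', 'constructed-key-a', 1, 5, 100, 2, 's3cret');
        INSERT INTO yubikeys VALUES ('cccccccbtbev', 'bob',   'constructed-key-b', 1, 9, 40, 1, NULL);
    """)
    return db


def split_password(password):
    """Static password and OTP separated by ':' (as in the 4.5 notes); without the
    separator, the OTP is taken as the trailing 44 characters."""
    if ":" in password:
        static, otp = password.split(":", 1)
    else:
        static, otp = password[:-OTP_LEN], password[-OTP_LEN:]
    return static, otp


def token_id(otp):
    """Public id is everything before the 32-char encrypted part."""
    return otp[:-32]


def is_newer(fields, stored):
    """Assumed replay rule: the decrypted counters must strictly exceed the stored
    (counter, high, low) triple; equal or lower values mean a replayed OTP."""
    return (fields.counter, fields.high, fields.low) > stored


def authenticate(db, user, password, fields, strict=True):
    """Returns 'accept' or a 'reject: <reason>' string."""
    static, otp = split_password(password)
    tid = token_id(otp)
    if strict:
        row = db.execute(STRICT_SELECT, (tid, user)).fetchone()
    else:
        row = db.execute(WEAK_SELECT, (tid,)).fetchone()
    if row is None:
        return "reject: no key for this user"
    secret, active, owner, counter, low, high, staticpw = row
    if not active:
        return "reject: key disabled"
    if staticpw is not None and static != staticpw:
        return "reject: bad static password"
    # Decryption of `otp` with `secret` would happen here; `fields` stands in for it.
    if not is_newer(fields, (counter, high, low)):
        return "reject: replay"
    db.execute(UPDATE, (fields.counter, fields.low, fields.high, tid))
    db.commit()
    return "accept"


if __name__ == "__main__":
    db = make_db()
    print(authenticate(db, "alice", "s3cret:" + ALICE_OTP, TokenFields(6, 0, 0)))
    print(authenticate(db, "alice", "s3cret:" + ALICE_OTP, TokenFields(6, 0, 0)))   # replay
    print(authenticate(db, "bob", "s3cret:" + ALICE_OTP, TokenFields(7, 0, 0)))     # wrong user, strict
    print(authenticate(db, "bob", "s3cret:" + ALICE_OTP, TokenFields(7, 0, 0), strict=False))
```

With the weak query, the last call accepts: alice's key plus alice's static password authenticate a session as "bob", because nothing compares the row's userId with the name in the request. The strict query makes the same request fail to match any row, and the counter comparison turns a second presentation of the same OTP into a rejected replay.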

