[RADIATOR] Radiator Version 4.5 released

Mike McCauley mikem at open.com.au
Tue Nov 3 05:40:14 CST 2009


Hello Jérôme,

On Tuesday 03 November 2009 08:36:13 pm Jérôme Fleury wrote:
> Hi Mike,
>
> there's also a bug in the sample yubikey.cfg file you provide in goodies:
>
>                 # The default works with the sample database schema provided
>                 # by db_schema.sql from the YubiKey Validation Server.
>                 # AuthSelect select secret, active, userId, counter,
> NULL from yubikeys where tokenId=%1
>                 AuthSelect select secret, active, userId, counter,
> NULL from yubikeys where tokenId=%1

Yes, that example AuthSelect was left commented out in error. That has now 
been fixed, and the missing NULLs added, in the latest patch set.

>
> This AuthSelect cannot work with the code. You *have* to insert low
> and high values in the AuthSelect
>
> AuthSelect select secret, active, userId, counter, low, high,
> staticpassword from yubikeys where tokenId
> =%1 AND userId=%0
>
> Also much better to include userId check, otherwise it means you can
> log in with any user Id with your own key, which is definitely not the
> purpose of the key.

Yes, quite right. We have now altered the default AuthSelect to include 
the 'AND userId=%0', as it is safer. Users who require the original 
behaviour can define that with a custom AuthSelect.

Thanks for your report.
Cheers.

>
> Regards,
>
> Jerome.
>
> On Fri, Oct 30, 2009 at 23:51, Mike McCauley <mikem at open.com.au> wrote:
> > Hello Jérôme,
> >
> > On Friday 30 October 2009 08:38:36 pm Jérôme Fleury wrote:
> >> Hi.
> >>
> >> Is it me or AuthSQLYUBIKEY.pm is not included in the tarball ??
> >
> > Its not you: it was incorrectly omitted. It is now in the latest patch
> > set. Thanks for reporting it.
> >
> > Cheers.
> >
> >> On Tue, Oct 27, 2009 at 01:20, Mike McCauley <mikem at open.com.au> wrote:
> >> > We are pleased to announce the release of Radiator version 4.5
> >> >
> >> > This version contains some significant new modules, such as support
> >> > for Yubikey tokens from Yubico (http://www.yubico.com), support for
> >> > HOTP (RFC 4226) one-time-passwords and a number of bug fixes.
> >> >
> >> > As usual, the new version is available to current licensees from:
> >> > http://www.open.com.au/radiator/downloads/
> >> >
> >> > and to current evaluators from:
> >> > http://www.open.com.au/radiator/demo-downloads
> >> >
> >> > Licensees with expired access contracts can renew at:
> >> > http://www.open.com.au/renewal.php
> >> >
> >> > An extract from the history file
> >> > http://www.open.com.au/radiator/history.html is below:
> >> >
> >> >
> >> >
> >> > Revision 4.5 (2009-10-27) New features and bug fixes
> >> >
> >> > Fixed a bug that could cause a crash at startup if the listening
> >> > RADIUS port could not be opened due for example to an
> >> > unresolvable bind address. The error message was "Not a CODE
> >> > reference at Radius/ServerRADIUS.pm". Reported by Thomas
> >> > Schlottke.
> >> >
> >> > Significant performance improvements in Select::add_timeout. Now
> >> > uses binary search for the insertion point, rather than resorting
> >> > the whole list every time.
> >> >
> >> > Added support for authenticating Yubikey tokens from
> >> > Yubico (http://www.yubico.com). Yubikeys are small, inexpensive
> >> > USB tokens for one-time-password authentication. Added sample
> >> > configuration file and descriptive test file. Supports one and 2
> >> > factor authentication, replay detection etc.
> >> >
> >> > Fixed a problem with AuthBy LDAPRADIUS which would cause a crash
> >> > during initialization.
> >> >
> >> > Improvements to ServerTACACSPLUS so it can find an appropriate
> >> > Client clause even if the reverse DNS is screwy. Suggested by
> >> > Ranko Zivojnovic.
> >> >
> >> > Fixed a problem with resolution of IPv6 addresses on some
> >> > platforms such as Solaris. Some debug messages were inadvertently
> >> > left in Util::gethostbyname for ipv6. Reported by Sami
> >> > Keski-Kasari.
> >> >
> >> > Fixed a problem with heavily loaded server farms where a SIGHUP
> >> > of the process leader could cause inability to bind to the
> >> > listening ports after restart. Radiusd now waits for all farm
> >> > children to die before restarting. Reported by Dan Cachola.
> >> >
> >> > Added support for HOTP (RFC 4226) one-time-passwords with AuthBy
> >> > SQLHOTP. HOTP one-time-passwords are authenticated based on a
> >> > secret key stored in an SQL database. Detects replay attacks and
> >> > brute-force attacks and counter resynchronisation. Can also
> >> > support static passwords for 2 factor authentication when the
> >> > user prefixes their static password before the HOTP
> >> > one-time-password. Supports authentication by RADIUS PAP, EAP-OTP
> >> > and EAP-GTC. Includes sample configuration file and sample
> >> > database schema with test users.
> >> >
> >> > Added support for IdleTimeout to Server TACACSPLUS. If a client
> >> > stays connected for more than this number of seconds without
> >> > sending any requests it will be disconnected. Defaults to 180
> >> > seconds. Requested by Yevgeniy Averin.
> >> >
> >> > Added new parameter UseContentsForDuplicateDetection to
> >> > Client. This must be used in a server farm environment. The back
> >> > end servers in a server farm will receive requests from a range
> >> > of source ports. Duplicates received by the front ends and
> >> > proxied to the back ends may appear to come from a range of
> >> > source ports and with a range of RADIUS identifiers. This flag
> >> > causes duplicate detection to be based on the contents of the
> >> > packet, and not on the 'envelope'. This permits duplicates to be
> >> > detected regardless of the path they take to get from the NAS
> >> > to the server. It must be set in the Client clauses of the back
> >> > end servers of a server farm architecture.
> >> >
> >> > Fixed a problem with the MIB name in CiscoSessionMIB. Reported by
> >> > Tim Wolgemuth.
> >> >
> >> > Added support for UseContentsForDuplicateDetection to ClientList
> >> > SQL. If the SQL query returns a row 26, it will be used as the
> >> > UseContentsForDuplicateDetection flag.
> >> >
> >> > Fixed a problem where some type of authentication would
> >> > incorrectly succeed when NoEAP was in use. Reported by Heinrich
> >> > Mislik.
> >> >
> >> > Added a new ReplyHook flag to AuthBy RADIUS so that hooks can
> >> > signal the fact that a request has been redirected, and not to
> >> > generate a reply from the AuthBy RADIUS. Sample configuration
> >> > file in goodies/rejectproxy.cfg
> >> >
> >> > Fixed a problem with duplicate replies in test suite.
> >> >
> >> > When Trace -1 is enabled, prints the PID in the "currently
> >> > handling" message. Suggested by Robert Patrick.
> >> >
> >> > Added various Trapeze VSAs to dictionary, contributed by Andrew
> >> > Clark.
> >> >
> >> > Type of WiMAX-IP-Redirection-Rule in dictionary changed to
> >> > string. Suggested by Garima Mahadik.
> >> >
> >> > Fixed a problem reported with TLS where, under unusual
> >> > circumstances during a proxied TLS authentication,
> >> > Net::SSLeay::SESSION_get_master_key could crash due to the TLS
> >> > session being invalidated. Reported by Matti Saarinen.
> >> >
> >> > Added a number of Infoblox VSAs to dictionary. Provided by Andrew
> >> > D. Clark.
> >> >
> >> > Fixed a problem with AuthBy PAM on Solaris: if a request without
> >> > a username is received, it can cause PAM to go into an infinite
> >> > loop with messages like: "DEBUG: PAM is asking for 2: 'Please
> >> > enter user name'". Reported by Markus Moeller.
> >> >
> >> > Added a number of Huawei VSAs to dictionary.
> >> >
> >> > Reinstated changes to password decoding introduced in version 4
> >> > that meant that certain non-compliant password encryptions were
> >> > not decrypted properly. Reported by Roland Rosenfeld.
> >> >
> >> > Fixed a problem in ClientList SQL and ClientListLDAP where if the
> >> > client creation phase fails, it could cause a subsequent crash
> >> > when findDuplicate() is called within Client.pm. Reported by
> >> > Shirley Wou.
> >> >
> >> > Added placeholders for Symbol (388) VSAs to dictionary.
> >> >
> >> > Packets created by EAP-TTLS for proxying now add
> >> > Message-Authenticator if there is an EAP-Message. This ensures
> >> > that if the packet is proxied to another RADIUS server, the lack
> >> > of EAP-Message won't prevent processing of the request.
> >> >
> >> > Fixed a problem in the StreamTLS certificate verification where
> >> > it does the subjectAltName checks incorrectly if both URI and (IP
> >> > or DNS) are checked. It never checks the IP or DNS. Reported by
> >> > Heikki Vatiainen.
> >> >
> >> > Fixed a problem where AuthBy DNSROAM would activate AuthBy RADSEC
> >> > and AuthBy RADIUS too often. Reported by Heikki Vatiainen.
> >> >
> >> > Fixed a problem where AuthBy DNSROAM did not correctly set
> >> > ReplyHook or NoReplyHook in Routes or AuthBy RADSEC or AuthBy
> >> > RADIUS. Reported by Heikki Vatiainen.
> >> >
> >> > Added new attributes from RFC5607 to dictionary.
> >> >
> >> > Added new attributes from RFC5580 to dictionary.
> >> >
> >> > Fixed a problem that prevented replies to Disconnect-Request and
> >> > Change-Filter-Request from getting their Authenticator correctly
> >> > computed. Reported by Jack Ho.
> >> >
> >> > For classes that use Stream connections (such as AuthBy RADIUS,
> >> > ApplePasswordServer), if ConnectOnDemand is set, then Stream
> >> > always blocks until the connect either succeeds or
> >> > fails. Requested by Sam Lin.
> >> >
> >> > Stream classes now support special characters in Host,
> >> > HostAddress, ReconnectTimeout. Requested by Sam Lin.
> >> >
> >> > Added example Radiator configuration file and hook, showing how
> >> > to support both RSA OnDemand and SecurID authentication for the
> >> > same users.
> >> >
> >> > Added new parameter DisableMTUDiscovery to ServerRADIUS and
> >> > AuthBy RADIUS. Disables MTU discovery on platforms that support
> >> > that behaviour (currently Linux only). This can be used to
> >> > prevent discarding of certain large RADIUS packet fragments on
> >> > supporting operating systems.
> >> >
> >> > Added support for FramedGroup, StripFromReply, AllowInReply,
> >> > AddToReply and AddToReplyIfNotExist to Server RADSEC. Requested
> >> > by Paul Dekkers.
> >> >
> >> > Monitor and SNMPAgent clauses now support the Identifier
> >> > parameter.
> >> >
> >> > Fixed a problem that prevented Origin-Host being set correctly in
> >> > proxied requests. Reported and patched by Arthur Konovalov.
> >> >
> >> > Added sample hook to hooks.txt which runs in each child and
> >> > closes the Monitor and SNMPAgent ports and re-opens them on a
> >> > different port number.
> >> >
> >> > Added OSC-Session-Identifier to dictionary.
> >> >
> >> > Added support for new special character Z which is replaced by
> >> > the RADIUS Identifier in the current packet (if any).
> >> >
> >> > Improvements to AuthBy SQLYUBIKEY: Default UpdateQuery now uses
> >> > current_timestamp() instead of now() for better compatibility
> >> > with more SQL servers. Static password can now be separated from
> >> > the token string with a ':' to ensure they can be identified,
> >> > even with non-standard Yubikey token lengths. Suggestions by
> >> > Jérôme Fleury.
> >> >
> >> > Minor change to log message when a requested EAP type is
> >> > rejected, so the name of the desired type is printed. Patch
> >> > supplied by Alexander Hartmaier.
> >> >
> >> > AuthBy LDAP2 now supports multiple space separated Host names,
> >> > and Net::LDAP will choose the first available one. Patch supplied
> >> > by Raphael Luta.
> >> >
> >> > Fixed a problem which could result in a blank user name in PEAP
> >> > or TTLS or other inner requests under some very unusual
> >> > circumstances. Improved EAP context finding algorithm so inner
> >> > and outer requests with the same User-Name would not collide.
> >> >
> >> >
> >> >
> >



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
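The userId binding discussed above, as an added illustration that is not part of the original thread or of Radiator's own code: a constructed sqlite copy of the yubikeys table (column names taken from the AuthSelect quoted in the mail, values made up) is queried once with the token-only lookup and once with the corrected form that also binds the user name. The mail's %1 and %0 placeholders are taken to stand for the token id and the User-Name respectively.

```python
import sqlite3

# Constructed stand-in for the yubikeys table; column names follow the
# AuthSelect in the thread, every value is made up for this example.
SCHEMA = """
CREATE TABLE yubikeys (
    tokenId        TEXT PRIMARY KEY,
    userId         TEXT NOT NULL,
    secret         TEXT NOT NULL,
    active         INTEGER NOT NULL,
    counter        INTEGER NOT NULL,
    low            INTEGER NOT NULL,
    high           INTEGER NOT NULL,
    staticpassword TEXT
)
"""
ROWS = [
    ("ccccccbchvth", "alice", "a1" * 16, 1, 5, 0, 0, None),
    ("ccccccbdkgjh", "bob",   "b2" * 16, 1, 7, 0, 0, None),
]

COLUMNS = "secret, active, userId, counter, low, high, staticpassword"
# Token-only lookup: the row is found for whoever presents the token.
WEAK_SELECT = f"SELECT {COLUMNS} FROM yubikeys WHERE tokenId = ?"
# Corrected default: the row must also belong to the claimed user (%0).
FIXED_SELECT = WEAK_SELECT + " AND userId = ?"


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO yubikeys VALUES (?,?,?,?,?,?,?,?)", ROWS)
    return db


def weak_lookup(db, token_id):
    """Returns the token row regardless of the User-Name in the request."""
    return db.execute(WEAK_SELECT, (token_id,)).fetchone()


def fixed_lookup(db, token_id, user_name):
    """Returns the row only when the token is registered to user_name."""
    return db.execute(FIXED_SELECT, (token_id, user_name)).fetchone()


def demo():
    db = open_db()
    bobs_token = "ccccccbdkgjh"
    # A request claiming User-Name=alice but carrying bob's own token.
    weak_row = weak_lookup(db, bobs_token)
    return {
        "weak_finds_row": weak_row is not None,
        "weak_row_owner": weak_row[2],           # 'bob', not the claimed user
        "fixed_as_alice": fixed_lookup(db, bobs_token, "alice") is not None,
        "fixed_as_bob": fixed_lookup(db, bobs_token, "bob") is not None,
    }
```

With the token-only query the OTP would be verified against bob's secret and the session accepted under the claimed name; the bound query returns no row and the request is rejected before any OTP check.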

