[opensuse-security] FreeRADIUS 2.0.3 listens on random port instead of 1812?
Hi all,

I've just upgraded to openSuSE 11.0 and my freeradius server now seems to be broken. It seems to be listening for auth requests on a random port instead of UDP 1812.

I've done a bit of digging on the net and as far as I can see, the issue occurs in a number of other distributions but there doesn't seem to be a fix for it.

Has anyone else seen this problem on openSuSE? Is there a fix available, or should I just go back to v1.1.7? I've appended some debug output below.

Cheers, Neil

# radiusd -X
FreeRADIUS Version 2.0.3, for host x86_64-unknown-linux-gnu, built on Jun 7 2008 at 04:26:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including dictionary file /etc/raddb/dictionary
main {
  prefix = "/usr"
  localstatedir = "/var"
  logdir = "/var/log/radius"
  libdir = "/usr/lib64/freeradius"
  radacctdir = "/var/log/radius/radacct"
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  allow_core_dumps = no
  pidfile = "/var/run/radiusd/radiusd.pid"
  user = "nobody"
  group = "nobody"
  checkrad = "/usr/sbin/checkrad"
  debug_level = 0
  proxy_requests = no
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
client 127.0.0.1 {
  require_message_authenticator = no
  secret = "testing123"
  shortname = "localhost"
  nastype = "other"
}
client 192.168.x.x/32 {
  require_message_authenticator = no
  secret = "xxxxx"
  shortname = "Weasel-AP"
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Instantiating modules ####
instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = "request"
    shell_escape = yes
  }
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired "
  }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
  modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating pap
    pap {
      encryption_scheme = "auto"
      auto_header = no
    }
    Module: Linked to module rlm_chap
    Module: Instantiating chap
    Module: Linked to module rlm_mschap
    Module: Instantiating mschap
    mschap {
      use_mppe = yes
      require_encryption = no
      require_strong = no
      with_ntdomain_hack = no
    }
    Module: Linked to module rlm_unix
    Module: Instantiating unix
    unix {
      radwtmp = "/var/log/radius/radwtmp"
    }
    Module: Linked to module rlm_eap
    Module: Instantiating eap
    eap {
      default_eap_type = "md5"
      timer_expire = 60
      ignore_unknown_eap_types = yes
      cisco_accounting_username_bug = no
    }
    Module: Linked to sub-module rlm_eap_md5
    Module: Instantiating eap-md5
    Module: Linked to sub-module rlm_eap_leap
    Module: Instantiating eap-leap
    Module: Linked to sub-module rlm_eap_gtc
    Module: Instantiating eap-gtc
    gtc {
      challenge = "Password: "
      auth_type = "PAP"
    }
    Module: Linked to sub-module rlm_eap_tls
    Module: Instantiating eap-tls
    tls {
      rsa_key_exchange = no
      dh_key_exchange = yes
      rsa_key_length = 512
      dh_key_length = 512
      verify_depth = 0
      pem_file_type = yes
      private_key_file = "/etc/raddb/certs/xxx.pem"
      certificate_file = "/etc/raddb/certs/xxx.pem"
      CA_file = "/etc/raddb/certs/xxx.pem"
      dh_file = "/etc/raddb/certs/dh"
      random_file = "/etc/raddb/certs/random"
      fragment_size = 1024
      include_length = yes
      check_crl = no
      check_cert_cn = "%{User-Name}"
    }
    Module: Linked to sub-module rlm_eap_mschapv2
    Module: Instantiating eap-mschapv2
    mschapv2 {
      with_ntdomain_hack = no
    }
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_realm
    Module: Instantiating suffix
    realm suffix {
      format = "suffix"
      delimiter = "@"
      ignore_default = no
      ignore_null = no
    }
    Module: Linked to module rlm_files
    Module: Instantiating files
    files {
      usersfile = "/etc/raddb/users"
      acctusersfile = "/etc/raddb/acct_users"
      preproxy_usersfile = "/etc/raddb/preproxy_users"
      compat = "no"
    }
    Module: Checking session {...} for more modules to load
    Module: Linked to module rlm_radutmp
    Module: Instantiating radutmp
    radutmp {
      filename = "/var/log/radius/radutmp"
      username = "%{User-Name}"
      case_sensitive = yes
      check_with_nas = yes
      perm = 384
      callerid = yes
    }
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    Module: Linked to module rlm_attr_filter
    Module: Instantiating attr_filter.access_reject
    attr_filter attr_filter.access_reject {
      attrsfile = "/etc/raddb/attrs.access_reject"
      key = "%{User-Name}"
    }
  }
}
server {
  modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_preprocess
    Module: Instantiating preprocess
    preprocess {
      huntgroups = "/etc/raddb/huntgroups"
      hints = "/etc/raddb/hints"
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
      with_alvarion_vsa_hack = no
    }
    Module: Checking preacct {...} for more modules to load
    Module: Linked to module rlm_acct_unique
    Module: Instantiating acct_unique
    acct_unique {
      key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,NAS-Port"
    }
    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_detail
    Module: Instantiating detail
    detail {
      detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
      header = "%t"
      detailperm = 384
      dirperm = 493
      locking = no
      log_packet_header = no
    }
    Module: Instantiating attr_filter.accounting_response
    attr_filter attr_filter.accounting_response {
      attrsfile = "/etc/raddb/attrs.accounting_response"
      key = "%{User-Name}"
    }
    Module: Checking session {...} for more modules to load
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
  }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 1812
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
}
main {
  snmp = no
  smux_password = ""
  snmp_write_access = no
}
Listening on authentication address * port 5409
Listening on accounting address * port 18126
Ready to process requests.
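The symptom in the post above is visible by comparing the listen { } blocks that radiusd -X echoes with the "Listening on ..." lines it prints afterwards. The following is an added example, not part of the original thread or of FreeRADIUS: it parses that output and reports any listener bound to a port other than the configured one. The names check_listeners and SAMPLE are hypothetical, and it assumes "port = 0" is meant to resolve to the IANA-assigned RADIUS ports (1812 auth, 1813 acct) and that there is one listener per type.

```python
import re

# Constructed sample: the tail of the `radiusd -X` output quoted in the post.
SAMPLE = '''\
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 1812
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
}
Listening on authentication address * port 5409
Listening on accounting address * port 18126
Ready to process requests.
'''

# Assumption: "port = 0" should resolve to the IANA-assigned RADIUS ports.
DEFAULT_PORTS = {"auth": 1812, "acct": 1813}
# Maps the wording of the "Listening on" line to the listen-block type.
KIND = {"authentication": "auth", "accounting": "acct"}

# [^}] also matches newlines, so this works on wrapped or flattened output.
LISTEN_RE = re.compile(
    r'listen\s*\{[^}]*?type\s*=\s*"(\w+)"[^}]*?port\s*=\s*(\d+)[^}]*\}')
BOUND_RE = re.compile(r'Listening on (\w+) address \S+ port (\d+)')


def check_listeners(debug_output):
    """Return [(type, expected_port, bound_port), ...] for every mismatch."""
    configured = {}
    for kind, port in LISTEN_RE.findall(debug_output):
        # A configured port of 0 falls back to the service default.
        configured[kind] = int(port) or DEFAULT_PORTS.get(kind)
    mismatches = []
    for word, port in BOUND_RE.findall(debug_output):
        kind = KIND.get(word)
        expected = configured.get(kind)
        if expected is not None and expected != int(port):
            mismatches.append((kind, expected, int(port)))
    return mismatches


if __name__ == "__main__":
    for kind, expected, bound in check_listeners(SAMPLE):
        print(f"{kind}: configured {expected}, actually bound to {bound}")
```

Feeding it the saved output of radiusd -X after a package upgrade gives a quick check that clients pointed at UDP 1812 will still reach the server.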
On Wed, Jul 30, 2008 at 12:58:37PM +0100, Neil Anderson wrote:
Hi all,
I've just upgraded to openSuSE 11.0 and my freeradius server now seems to be broken. It seems to be listening for auth requests on a random port instead of UDP 1812. I've done a bit of digging on the net and as far as I can see, the issue occurs in a number of other distributions but there doesn't seem to be a fix for it.
Has anyone else seen this problem on openSuSE? Is there a fix available, or should I just go back to v1.1.7? I've appended some debug output below.
Rule 1: "If in doubt, open a bugreport."

I cc'ed you to https://bugzilla.novell.com/show_bug.cgi?id=413250

Ciao, Marcus

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
The Wednesday 2008-07-30 at 16:40 +0200, Marcus Meissner wrote:
Rule 1:
"If in doubt, open a bugreport."
:-)

Some of us prefer to ask first for comments. The chair-keyboard interface is always suspect, you know ;-)

-- 
Cheers, Carlos E. R.
Yeah. Too often there is that loose nut between the chair and keyboard. ;-)

Jonathon M. Robison

"There are 10 kinds of people in the world. Those who understand binary, and those who don't"

On Wed, 2008-07-30 at 16:54 +0200, Carlos E. R. wrote:
The Wednesday 2008-07-30 at 16:40 +0200, Marcus Meissner wrote:
Rule 1:
"If in doubt, open a bugreport."
:-)
Some of us prefer to ask first for comments. The chair-keyboard interface is always suspect, you know ;-)
-- Cheers, Carlos E. R.
Heh, thanks for the vote of confidence Jonathon.

Seriously though, thanks for the responses guys. Much appreciated.

Cheers, Neil

On Thursday 31 July 2008 03:33:01 Jonathon M. Robison wrote:
Yeah. Too often there is that loose nut between the chair and keyboard. ;-)
Jonathon M. Robison
"There are 10 kinds of people in the world. Those who understand binary, and those who don't"
On Wed, 2008-07-30 at 16:54 +0200, Carlos E. R. wrote:
The Wednesday 2008-07-30 at 16:40 +0200, Marcus Meissner wrote:
Rule 1:
"If in doubt, open a bugreport."
:-)
Some of us prefer to ask first for comments. The chair-keyboard interface is always suspect, you know ;-)
-- Cheers, Carlos E. R.
participants (4)
- Carlos E. R.
- Jonathon M. Robison
- Marcus Meissner
- Neil Anderson