From bc28d49d0d68b3c98c125fa52f1d830ecb03cc0e Mon Sep 17 00:00:00 2001 
From: Brian Read Date: Wed, 12 Jul 2023 09:08:31 +0100 Subject: [PATCH] initial commit of file from CVS for e-smith-radiusd on Wed 12 Jul 09:08:31 BST 2023 --- .gitignore | 4 + Makefile | 21 ++ README.md | 18 +- additional/COPYING | 340 ++++++++++++++++++ contriborbase | 1 + createlinks | 96 +++++ e-smith-radiusd.spec | 267 ++++++++++++++ .../db/configuration/defaults/radiusd/status | 1 + .../db/configuration/defaults/radiusd/type | 1 + .../etc/raddb/certs/radiusd.pem | 4 + .../templates.metadata/etc/raddb/clients.conf | 3 + .../etc/raddb/mods-available/eap | 3 + .../etc/raddb/mods-available/ldap | 3 + .../etc/raddb/mods-available/smbpasswd | 3 + .../etc/raddb/mods-config/files/authorize | 3 + .../templates.metadata/etc/raddb/proxy.conf | 3 + .../templates.metadata/etc/raddb/radiusd.conf | 3 + .../etc/raddb/sites-available/default | 3 + .../etc/raddb/sites-available/inner-tunnel | 3 + .../etc/radiusclient-ng/servers | 1 + .../etc/ppp/options.pptpd/radius-config-file | 1 + .../etc/raddb/clients.conf/10localhost | 60 ++++ .../templates/etc/raddb/clients.conf/20local | 25 ++ .../etc/raddb/mods-available/eap/10eap | 1 + .../raddb/mods-available/eap/15defaultType | 14 + .../raddb/mods-available/eap/20timerExpire | 7 + .../raddb/mods-available/eap/25ignoreUnknown | 14 + .../etc/raddb/mods-available/eap/30ciscoBug | 8 + .../etc/raddb/mods-available/eap/35tlscommon | 130 +++++++ .../etc/raddb/mods-available/eap/37tls | 21 ++ .../etc/raddb/mods-available/eap/39ttls | 90 +++++ .../etc/raddb/mods-available/eap/40peap | 33 ++ .../etc/raddb/mods-available/eap/45mschapv2 | 18 + .../etc/raddb/mods-available/eap/99end | 1 + .../raddb/mods-available/ldap/25modules30ldap | 291 +++++++++++++++ .../etc/raddb/mods-available/smbpasswd/05init | 19 + .../mods-config/files/authorize/10noroot | 2 + .../mods-config/files/authorize/20vpnusers | 29 ++ .../raddb/mods-config/files/authorize/30eap | 1 + .../raddb/mods-config/files/authorize/90deny | 1 + .../templates/etc/raddb/proxy.conf/05init | 
117 ++++++ .../templates/etc/raddb/proxy.conf/10null | 11 + .../templates/etc/raddb/proxy.conf/20default | 10 + .../templates/etc/raddb/radiusd.conf/05init | 268 ++++++++++++++ .../templates/etc/raddb/radiusd.conf/07log | 127 +++++++ .../etc/raddb/radiusd.conf/10security | 88 +++++ .../etc/raddb/radiusd.conf/15configuration | 117 ++++++ .../templates/etc/raddb/radiusd.conf/17snmp | 10 + .../etc/raddb/radiusd.conf/20modules00init | 40 +++ .../etc/raddb/radiusd.conf/30modules99end | 1 + .../etc/raddb/radiusd.conf/77Instantiate | 45 +++ .../templates/etc/raddb/radiusd.conf/80Policy | 20 ++ .../raddb/radiusd.conf/90LoadVirtualServers | 33 ++ .../etc/raddb/sites-available/default/01init | 49 +++ .../raddb/sites-available/default/20listen | 90 +++++ .../default/35authorization00init | 11 + .../default/35authorization40default | 106 ++++++ .../default/35authorization99end | 1 + .../default/40authenticate00setup | 5 + .../default/40authenticate10AuthMsChap | 5 + .../default/40authenticate15ldap | 5 + .../default/40authenticate20authEap | 4 + .../default/40authenticate25authPap | 7 + .../default/40authenticate99process | 23 ++ .../raddb/sites-available/default/55preacct | 47 +++ .../default/60accounting00init | 5 + .../default/60accounting40default | 5 + .../sites-available/default/60accounting99end | 1 + .../sites-available/default/70session00init | 6 + .../sites-available/default/70session99end | 1 + .../sites-available/default/80postauth00init | 8 + .../sites-available/default/80postauth99end | 26 ++ .../raddb/sites-available/default/85preproxy | 28 ++ .../raddb/sites-available/default/90postproxy | 54 +++ .../etc/raddb/sites-available/default/99end | 7 + .../raddb/sites-available/inner-tunnel/01init | 13 + .../sites-available/inner-tunnel/20listen | 27 ++ .../inner-tunnel/35authorization00init | 11 + .../inner-tunnel/35authorization40default | 117 ++++++ .../inner-tunnel/35authorization99end | 1 + .../inner-tunnel/40authenticate00setup | 5 + 
.../inner-tunnel/40authenticate10AuthMsChap | 5 + .../inner-tunnel/40authenticate12pap | 5 + .../inner-tunnel/40authenticate13chap | 5 + .../inner-tunnel/40authenticate15ldap | 5 + .../inner-tunnel/40authenticate20authEap | 4 + .../inner-tunnel/40authenticate99process | 23 ++ .../sites-available/inner-tunnel/55preacct | 47 +++ .../inner-tunnel/70session00init | 6 + .../inner-tunnel/70session40default | 3 + .../inner-tunnel/70session99end | 1 + .../inner-tunnel/80postauth00init | 8 + .../inner-tunnel/80postauth40default | 31 ++ .../inner-tunnel/80postauth99end | 26 ++ .../sites-available/inner-tunnel/85preproxy | 17 + .../sites-available/inner-tunnel/90postproxy | 54 +++ .../raddb/sites-available/inner-tunnel/99end | 7 + .../radiusclient.conf/00AuthOrder | 1 + .../radiusclient.conf/05LoginTries | 1 + .../radiusclient.conf/10LoginTimeout | 1 + .../radiusclient.conf/15NoLogin | 1 + .../radiusclient-ng/radiusclient.conf/20Issue | 1 + .../radiusclient.conf/25Servers | 3 + .../radiusclient.conf/30Dictionary | 1 + .../radiusclient.conf/35LoginRadius | 1 + .../radiusclient.conf/40SeqFile | 1 + .../radiusclient.conf/45MapFile | 1 + .../radiusclient-ng/radiusclient.conf/50Realm | 1 + .../radiusclient.conf/55RadiusTimeout | 1 + .../radiusclient.conf/60RadiusRetry | 1 + .../radiusclient.conf/65LoginLocal | 1 + .../etc/radiusclient-ng/servers/10localhost | 7 + .../templates/etc/rsyslog.conf/32radius | 4 + .../usr/share/radiusclient-ng/dictionary | 242 +++++++++++++ .../radiusclient-ng/dictionary.microsoft | 81 +++++ root/etc/logrotate.d/radiusd-sme | 13 + root/sbin/e-smith/systemd/radiusd-configure | 10 + .../system/radiusd.service.d/50-koozali.conf | 15 + root/usr/lib/tmpfiles.d/radius.conf | 1 + root/var/log/stunnel/ssl/.gitignore | 0 120 files changed, 3736 insertions(+), 2 deletions(-) create mode 100644 .gitignore create mode 100644 Makefile create mode 100644 additional/COPYING create mode 100644 contriborbase create mode 100644 createlinks create mode 100644 
e-smith-radiusd.spec create mode 100644 root/etc/e-smith/db/configuration/defaults/radiusd/status create mode 100644 root/etc/e-smith/db/configuration/defaults/radiusd/type create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/certs/radiusd.pem create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/clients.conf create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/mods-available/eap create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/mods-available/ldap create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/mods-available/smbpasswd create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/mods-config/files/authorize create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/proxy.conf create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/radiusd.conf create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/sites-available/default create mode 100644 root/etc/e-smith/templates.metadata/etc/raddb/sites-available/inner-tunnel create mode 100644 root/etc/e-smith/templates.metadata/etc/radiusclient-ng/servers create mode 100644 root/etc/e-smith/templates/etc/ppp/options.pptpd/radius-config-file create mode 100644 root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost create mode 100644 root/etc/e-smith/templates/etc/raddb/clients.conf/20local create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls create mode 100644 
root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-available/smbpasswd/05init create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/10noroot create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/20vpnusers create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/30eap create mode 100644 root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/90deny create mode 100644 root/etc/e-smith/templates/etc/raddb/proxy.conf/05init create mode 100644 root/etc/e-smith/templates/etc/raddb/proxy.conf/10null create mode 100644 root/etc/e-smith/templates/etc/raddb/proxy.conf/20default create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/30modules99end create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy create mode 100644 root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/01init create mode 
100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate25authPap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy create mode 100644 
root/etc/e-smith/templates/etc/raddb/sites-available/default/99end create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/01init create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/20listen create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization00init create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization40default create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization99end create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate00setup create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate10AuthMsChap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate12pap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate13chap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate15ldap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate20authEap create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate99process create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/55preacct create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session00init create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session40default create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session99end create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth00init create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth40default create mode 100644 
root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth99end create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/85preproxy create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/90postproxy create mode 100644 root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/99end create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/00AuthOrder create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/05LoginTries create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/10LoginTimeout create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/15NoLogin create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/20Issue create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/25Servers create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/30Dictionary create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/35LoginRadius create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/40SeqFile create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/45MapFile create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/50Realm create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/55RadiusTimeout create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/60RadiusRetry create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/65LoginLocal create mode 100644 root/etc/e-smith/templates/etc/radiusclient-ng/servers/10localhost create mode 100644 root/etc/e-smith/templates/etc/rsyslog.conf/32radius create mode 100644 root/etc/e-smith/templates/usr/share/radiusclient-ng/dictionary create mode 100644 
root/etc/e-smith/templates/usr/share/radiusclient-ng/dictionary.microsoft create mode 100644 root/etc/logrotate.d/radiusd-sme create mode 100644 root/sbin/e-smith/systemd/radiusd-configure create mode 100644 root/usr/lib/systemd/system/radiusd.service.d/50-koozali.conf create mode 100644 root/usr/lib/tmpfiles.d/radius.conf create mode 100644 root/var/log/stunnel/ssl/.gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e594810
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.rpm
+*.log
+*spec-20*
+*.tar.xz
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..a69824e
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,21 @@
+# Makefile for source rpm: e-smith-radiusd
+# $Id: Makefile,v 1.1 2016/02/05 21:34:34 stephdl Exp $
+NAME := e-smith-radiusd
+SPECFILE = $(firstword $(wildcard *.spec))
+
+define find-makefile-common
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+endef
+
+MAKEFILE_COMMON := $(shell $(find-makefile-common))
+
+ifeq ($(MAKEFILE_COMMON),)
+# attept a checkout
+define checkout-makefile-common
+test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
+endef
+
+MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
+endif
+
+include $(MAKEFILE_COMMON)
diff --git a/README.md b/README.md
index 15f2eb8..623b606 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,17 @@ -# e-smith-radiusd +# e-smith-radiusd -SMEServer Koozali developed git repo for e-smith-radiusd smeserver \ No newline at end of file +SMEServer Koozali developed git repo for e-smith-radiusd smeserver + +## Wiki +
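Review bot: The writability test in `find-makefile-common` reads `-w $$/Makefile.common`, which drops the `d` from `$$d`, so the shell sees a literal `$/Makefile.common`, the `[ -f $$d/CVS/Root -a -w ... ]` test can never succeed, and the `cvs -Q update` of an existing `common` checkout is silently skipped. The line should read `for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done`. In `checkout-makefile-common`, `exit -1` is reported by POSIX shells as status 255, so `exit 1` states the intent more plainly, and the comment `# attept a checkout` should be `# attempt a checkout`. Since `include $(MAKEFILE_COMMON)` may pull build logic from `../common` or `../../common`, outside this repository, a comment above the first define noting that the build trusts whatever `common` checkout sits beside it would help the next maintainer.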
https://wiki.koozali.org/ + +## Bugzilla +Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-radiusd&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED) + +## Description + +
*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.* +*Once it has been checked, then this comment will be deleted* +
+ +e-smith-radiusd is a versatile open source software that can be used to set up and manage remote access to networks. It is a RADIUS server that supports user authentication, authorization, and accounting for a variety of network protocols. It is an ideal choice for organizations looking to set up and manage their own network infrastructure. It is easy to set up and configure and provides secure, reliable, and scalable network access for users. It also supports a wide variety of authentication methods, including PAP, CHAP, MS-CHAP, and EAP, allowing for a highly customizable user experience. e-smith-radiusd is a reliable and powerful solution for organizations looking to scale their network access needs. diff --git a/additional/COPYING b/additional/COPYING new file mode 100644 index 0000000..eeb586b --- /dev/null +++ b/additional/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/contriborbase b/contriborbase new file mode 100644 index 0000000..ef36a67 
--- /dev/null
+++ b/contriborbase
@@ -0,0 +1 @@
+sme10
diff --git a/createlinks b/createlinks
new file mode 100644
index 0000000..81b1fda
--- /dev/null
+++ b/createlinks
@@ -0,0 +1,96 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+#--------------------------------------------------
+# general radiusd configuration
+#--------------------------------------------------
+foreach (qw(raddb/radiusd.conf raddb/mods-config/files/authorize))
+{
+ templates2events("/etc/$_", qw(
+ bootstrap-console-save
+ console-save
+ password-modify
+ remoteaccess-update
+ user-create
+ user-delete
+ user-lock
+ user-modify
+ user-modify-admin
+ e-smith-radiusd-update
+ ));
+}
+templates2events("/etc/raddb/radiusd.conf", "bootstrap-ldap-save");
+templates2events("/etc/radiusclient-ng/radiusclient.conf", "bootstrap-console-save");
+
+templates2events("/etc/raddb/radiusd.conf", "e-smith-radiusd-update");
+templates2events("/etc/radiusclient-ng/radiusclient.conf", "e-smith-radiusd-update");
+
+foreach (qw(
+ raddb/clients.conf
+ raddb/mods-available/eap
+ raddb/mods-available/ldap
+ raddb/mods-available/smbpasswd
+ raddb/sites-available/default
+ raddb/sites-available/inner-tunnel
+ raddb/proxy.conf
+ radiusclient-ng/servers
+ raddb/mods-config/files/authorize))
+{
+ templates2events("/etc/$_", qw(
+ bootstrap-console-save
+ console-save
+ domain-modify
+ remoteaccess-update
+ ldap-update
+ e-smith-radiusd-update
+ ));
+}
+
+foreach (qw(
+ radiusclient-ng/dictionary
+ radiusclient-ng/dictionary.microsoft))
+{
+ templates2events("/usr/share/$_", qw(
+ bootstrap-console-save
+ console-save
+ domain-modify
+ remoteaccess-update
+ ldap-update
+ e-smith-radiusd-update
+ ));
+}
+
+foreach $event ( qw(
+ console-save
+ domain-modify
+ ldap-update
+ password-modify
+ remoteaccess-update
+ user-create
+ user-delete
+ user-lock
+ user-modify
+ user-modify-admin
+
+ ) )
+{
+ safe_symlink("sigterm", "root/etc/e-smith/events/$event/services2adjust/radiusd");
+}
+
+$event="e-smith-radiusd-update";
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/radiusd");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/rsyslog");
+templates2events("/etc/rsyslog.conf",$event);
+# systemd-specific action mandatory for this package-update event
+event_link("systemd-reload", $event, "89");
+event_link("systemd-default", $event, "88");
+
+templates2events("/etc/raddb/certs/radiusd.pem", qw( bootstrap-console-save ssl-update e-smith-radiusd-update) );
+safe_symlink("restart", "root/etc/e-smith/events/ssl-update/services2adjust/radiusd");
+
+# activate modules
+#safe_symlink("../mods-available/realm", "root/etc/raddb/mods-enabled/realm");
+safe_symlink("../mods-available/ldap", "root/etc/raddb/mods-enabled/ldap");
+safe_symlink("../mods-available/smbpasswd", "root/etc/raddb/mods-enabled/smbpasswd");
+
diff --git a/e-smith-radiusd.spec b/e-smith-radiusd.spec
new file mode 100644
index 0000000..9adfdd1
--- /dev/null
+++ b/e-smith-radiusd.spec
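Review bot: Several template-to-event registrations are duplicated: `raddb/mods-config/files/authorize` is listed in both the first and the third `foreach` lists, and the standalone `templates2events("/etc/raddb/radiusd.conf", "e-smith-radiusd-update");` repeats an event the first loop already registers for that file. The result is presumably only a redundant symlink, but it hides which events really drive each template; dropping the duplicate entries and folding the two radiusclient.conf calls into one, `templates2events("/etc/radiusclient-ng/radiusclient.conf", qw(bootstrap-console-save e-smith-radiusd-update));`, makes the list easier to audit. The script also runs under `-w` without `use strict`, so `$event` is an undeclared global that is first a loop variable and then reassigned; `foreach my $event (...)` plus a separate `my $update = "e-smith-radiusd-update";` would keep the two uses apart.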
@@ -0,0 +1,267 @@
+# $Id: e-smith-radiusd.spec,v 1.26 2022/04/17 18:27:00 jpp Exp $
+
+Summary: e-smith server and gateway - configure PPTP inbound VPN
+%define name e-smith-radiusd
+Name: %{name}
+%define version 2.6.0
+%define release 24
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Networking/Daemons
+Source: %{name}-%{version}.tar.xz
+
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+Requires: e-smith-base >= 4.13.16-27
+Requires: e-smith-lib >= 1.15.1-16
+Requires: freeradius >= 2.1.12
+Requires: freeradius-ldap >= 2.1.12
+Requires: radiusclient-ng >= 0.5.6
+Obsoletes: radiusclient <= 0.3.2
+BuildRequires: e-smith-devtools >= 1.13.1-03
+BuildArchitectures: noarch
+%define stunnelid 451
+
+%description
+e-smith server and gateway - configure radius server
+
+%changelog
+* Wed Jul 12 2023 cvs2git.sh aka Brian Read 2.6.0-24.sme
+- Roll up patches and move to git repo [SME: 12338]
+
+* Wed Jul 12 2023 BogusDateBot
+- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
+ by assuming the date is correct and changing the weekday.
+ Tue Oct 27 2010 --> Tue Oct 26 2010 or Wed Oct 27 2010 or Tue Nov 02 2010 or ....
+
+* Sun Apr 17 2022 Jean-Philippe Pialasse 2.6.0-23.sme
+- redirect daemon log to its own file [SME: 11947]
+
+* Thu Feb 17 2022 Jean-Philippe Pialasse 2.6.0-22.sme
+- workaround upstream missing definition of /var/run/radiusd/tmp [SME: 11859]
+
+* Thu Nov 18 2021 Terry Fage 2.6.0-21.sme
+- fix startup informational message Duplicate Auth-Type 'REJECT' [SME: 11736]
+- patch was blank, populate and apply [SME: 11736]
+
+* Mon Nov 15 2021 John H. Bennett III 2.6.0-20.sme
+- fix startup informational message Duplicate Auth-Type 'REJECT' [SME: 11736]
+
+* Mon Nov 08 2021 John H. Bennett III 2.6.0-19.sme
+- add db property PAP-auth [SME: 11735]
+
+* Sat Nov 06 2021 John H. Bennett III 2.6.0-18.sme
+- add/fix PAP-auth patch [SME: 11735]
+
+* Thu Nov 04 2021 John H. Bennett III 2.6.0-17.sme
+- fix WAP-auth patch [SME: 11718]
+- fix LDAP-auth patch [SME: 11719]
+
+* Mon Aug 23 2021 Jean-Philippe Pialasse 2.6.0-16.sme
+- fix ssl template metadata patch [SME: 11680]
+
+* Wed Jun 02 2021 Jean-Philippe Pialasse 2.6.0-15.sme
+- remove services2adjust in bootstrap-console-save event, this put systemd in a loop [SME: 11602]
+
+* Mon May 31 2021 Jean-Philippe Pialasse 2.6.0-14.sme
+- ssl pem using template in place of copy [SME: 11602]
+
+* Sun Jan 03 2021 Jean-Philipe Pialasse 2.6.0-13.sme
+- radiusd needs ldap started before [SME: 11302]
+
+* Sat Jan 02 2021 Jean-Philipe Pialasse 2.6.0-12.sme
+- add Restart=always [SME: 11113]
+ change group of pem file to radiusd
+
+* Tue Dec 08 2020 Jean-Philipe Pialasse 2.6.0-11.sme
+- create -update event [SME: 11155]
+- move radiusd to systemd {SME: 11113]
+ remove noise from spec file
+
+* Thu Dec 19 2019 Jean-Philipe Pialasse 2.6.0-9.sme
+- fix server restartting with virtual_server error [SME: 10853]
+
+* Tue Apr 12 2016 Jean-Philipe Pialasse 2.6.0-8.sme
+- escaped {} characters in ldap template [SME: 9434]
+
+* Sun Apr 10 2016 Jean-Philipe Pialasse 2.6.0-7.sme
+- fix typo [SME: 9434]
+
+* Wed Apr 06 2016 Jean-Philipe Pialasse 2.6.0-6.sme
+- more adjustements regarding [SME: 9434]
+- e-smith-radiusd-2.6.0-freeradius3bis.patch
+- e-smith-radiusd-2.6.0-freeradius3ter.patch
+
+* Fri Apr 01 2016 Jean-Philipe Pialasse 2.6.0-3.sme
+- fix directorie rpm ownership [SME: 9425]
+
+* Fri Apr 01 2016 Jean-Philipe Pialasse 2.6.0-2.sme
+- updated syntax and conf files for freeradius3 server [SME: 9409]
+
+* Fri Feb 05 2016 stephane de Labrusse 2.6.0-1.sme
+- Initial release to sme10
+
+* Sat Jun 8 2013 Daniel Berteaud 2.4.0-10.sme
+- the config file is radiusclient.conf, not radiusclient-ng.conf [SME: 7546]
+
+* Thu Jun 6 2013 Daniel Berteaud 2.4.0-9.sme
+- Add templates for radiusclient-ng.conf file to remove binaddr
+ directive [SME: 7546]
+
+* Sun Apr 14 2013 Charlie Brady 2.4.0-8.sme
+- Add directive to options.pptpd so that radius plugin can find the
+ radiusclient configuration file. [SME: 7546]
+
+* Sat Apr 13 2013 Charlie Brady 2.4.0-7.sme
+- Fix permissions of /etc/radiusclient-ng/servers. [SME: 7548]
+
+* Mon Mar 11 2013 Shad L. Lords 2.4.0-6.sme
+- Obsolete el5 version of radiusclient [SME: 7273]
+
+* Thu Feb 21 2013 Daniel Berteaud 2.4.0-5.sme
+- Use the new listen directive instead of bind_address which is deprecated [SME: 7377]
+
+* Mon Feb 18 2013 Daniel Berteaud 2.4.0-4.sme
+- Send log to stdout [SME: 7251]
+
+* Thu Feb 14 2013 Shad L. Lords 2.4.0-3.sme
+- Add requires for freeradius-ldap module [SME: 7252]
+
+* Thu Feb 14 2013 Shad L. Lords 2.4.0-2.sme
+- Update radiusclient to radiusclient-ng
+
+* Wed Feb 13 2013 Shad L. Lords 2.4.0-1.sme
+- Roll new stream for sme9
+
+* Mon Nov 1 2010 Shad L. Lords 2.2.0-4.sme
+- Auth against ldap if it is master [SME: 6323]
+
+* Wed Oct 27 2010 Shad L. Lords 2.2.0-3.sme
+ Tue Oct 27 2010 --> Tue Oct 26 2010 or Wed Oct 27 2010 or Tue Nov 02 2010 or ....
+- Add ldap as an auth type to radius [SME: 6313]
+
+* Tue Jun 2 2009 Shad L. Lords 2.2.0-2.sme
+- Fix owner/perms for radius files [SME: 5317]
+
+* Tue Oct 7 2008 Shad L. Lords 2.2.0-1.sme
+- Roll new stream to separate sme7/sme8 trees [SME: 4633]
+
+* Wed Aug 20 2008 Jonathan Martens 1.0.0-18
+- Allow for multiple auth modules in radiusd.conf [SME: 4166]
+
+* Sat Aug 09 2008 Gavin Weight 1.0.0-17
+- Remove the Requires kernel =>2.4 line. [SME: 4483]
+
+* Fri May 18 2007 Federico Simoncelli 1.0.0-16
+- Added support for fixed ip addresses in the pptp vpn [SME: 1230]
+
+* Sun Apr 29 2007 Shad L. Lords
+- Clean up spec so package can be built by koji/plague
+
+* Fri Apr 06 2007 Shad L. Lords 1.0.0-14
+- Fix perms on servers file [SME: 2720]
+
+* Fri Apr 06 2007 Shad L. Lords 1.0.0-14
+- Fix perms on client.conf file [SME: 2708]
+
+* Wed Mar 07 2007 Shad L. Lords 1.0.0-13
+- Break up auth template to allow customization [SME: 2565]
+
+* Thu Dec 07 2006 Shad L. Lords
+- Update to new release naming. No functional changes.
+- Make Packager generic
+
+* Wed Nov 30 2005 Gordon Rowell 1.0.0-12
+- Bump release number only
+
+* Tue Sep 27 2005 Charlie Brady
+- [1.0.0-11]
+- Fix run script so that output actually goes to the logger. [SF: 1280982]
+
+* Mon Sep 26 2005 Charlie Brady
+- [1.0.0-10]
+- Make sure that the log/run script is executable, and that
+ the log directory exists. [SF: 1280982]
+- Make sure that stunnel user exists, by making sure that
+ %pre script works :-) (%stunnelid was not defined).
+
+* Mon Sep 26 2005 Gordon Rowell
+- [1.0.0-9]
+- Add a log/run script [SF: 1280982]
+
+* Fri Sep 2 2005 Charlie Brady
+- [1.0.0-8]
+- Make sure that stunnel user exists, by %pre script.
+
+* Mon Jul 18 2005 Charlie Brady
+- [1.0.0-7]
+- [More updates from Shad.]
+- Add accounting into radiusd
+- Let radius do its own normal logging
+
+* Tue Jul 12 2005 Charlie Brady
+- [1.0.0-6]
+- Expand /etc/raddb/users in user-lock [SF: 1225995]
+- Expand sigterm in password-modify, ldap-update [SF: 1225995]
+
+* Fri Jun 24 2005 Charlie Brady
+- [1.0.0-5]
+- Expand /etc/raddb/users in password-modify event [SF: 1215401]
+
+* Fri Jun 24 2005 Charlie Brady
+- [1.0.0-4]
+- Add missing patch to allow local hosts to be radius clients. [SF: 1215401]
+
+* Thu Jun 16 2005 Charlie Brady
+- [1.0.0-3]
+- Use e-smith-services startup symlink for radiusd, so that 'status'
+ property is honoured. [SF: 1215401]
+
+* Tue Jun 14 2005 Charlie Brady
+- [1.0.0-2]
+- Patches from Shad to automate radiusd startup, and to allow local hosts to
+ be radius clients. [SF: 1215401]
+
+* Mon Jun 13 2005 Shad L. Lords
+- [1.0.0-1]
+- initial
+
+%prep
+%setup
+rm -rf root/service root/var/service root/var/log/radiusd
+mkdir -p root/var/log/stunnel/ssl
+
+%build
+perl createlinks
+
+%install
+rm -rf $RPM_BUILD_ROOT
+(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
+rm -f %{name}-%{version}-%{release}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+ --file /sbin/e-smith/systemd/radiusd-configure 'attr(0554,root,root)' \
+ --file /sbin/e-smith/systemd/radiusd-certificate 'attr(0554,root,root)' \
+ --dir /var/service/radiusd 'attr(01755,root,root)' \
+ --dir /var/log/stunnel 'attr(0755,stunnel,stunnel)' \
+ --dir /var/log/stunnel/ssl 'attr(0755,stunnel,stunnel)' \
+ |sed -e '/%dir %attr(0755,root,root) \/etc\/raddb/d' \
+ |sed -e '/%dir %attr(0755,root,root) \/etc\/raddb\/mods-enabled/d' \
+ > %{name}-%{version}-%{release}-filelist
+echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
+
+%pre
+/sbin/e-smith/create-system-user stunnel %{stunnelid} \
+ 'chrooted stunnel user user' /var/log/stunnel/ssl /bin/false
+if [ $1 -gt 1 ] ; then
+ if [ -e /var/service/radiusd/run ] ; then
+ /usr/bin/sv d radiusd
+ /usr/bin/sv d radiusd/log
+ fi
+fi
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f %{name}-%{version}-%{release}-filelist
+%defattr(-,root,root)
diff --git a/root/etc/e-smith/db/configuration/defaults/radiusd/status b/root/etc/e-smith/db/configuration/defaults/radiusd/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/radiusd/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/defaults/radiusd/type b/root/etc/e-smith/db/configuration/defaults/radiusd/type
new file mode 100644
index 0000000..24e1098
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/radiusd/type
@@ -0,0 +1 @@
+service
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/certs/radiusd.pem b/root/etc/e-smith/templates.metadata/etc/raddb/certs/radiusd.pem
new file mode 100644
index 0000000..27cf1ad
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/certs/radiusd.pem
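Review bot: `Summary:` still reads "configure PPTP inbound VPN" while `%description` says "configure radius server"; the two should agree, e.g. `Summary: e-smith server and gateway - configure radius server`. The `%pre` section and the filelist also look like leftovers from the runit/stunnel era: a `stunnel` system user is created with the description `'chrooted stunnel user user'` (doubled word), `/var/log/stunnel` and `/var/log/stunnel/ssl` are owned by that user, and `--dir /var/service/radiusd` is listed even though `%prep` removes `root/var/service` and the changelog records the move to systemd in 2.6.0-11. If nothing in this package still uses stunnel or runit, dropping the user creation, the `sv d` calls and those directory entries would reduce the accounts and paths the package creates on every install; if something does depend on them, a one-line comment in `%pre` naming that dependency would save the next maintainer the same question.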
@@ -0,0 +1,4 @@
+TEMPLATE_PATH="/home/e-smith/ssl.pem"
+OUTPUT_FILENAME="/etc/raddb/certs/radiusd.pem"
+GID="radiusd"
+PERMS=0640
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/clients.conf b/root/etc/e-smith/templates.metadata/etc/raddb/clients.conf
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/clients.conf
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/eap b/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/eap
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/eap
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/ldap b/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/ldap
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/ldap
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/smbpasswd b/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/smbpasswd
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/mods-available/smbpasswd
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/mods-config/files/authorize b/root/etc/e-smith/templates.metadata/etc/raddb/mods-config/files/authorize
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/mods-config/files/authorize
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/proxy.conf b/root/etc/e-smith/templates.metadata/etc/raddb/proxy.conf
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
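Review bot: The metadata for `/etc/raddb/certs/radiusd.pem` sets `GID="radiusd"` and `PERMS=0640` but no `UID`, while every other metadata file in this commit states `UID="root"` explicitly. The template copies `/home/e-smith/ssl.pem`, which by its name presumably carries the server's private key together with the certificate, so the owner of the expanded file is worth pinning rather than left to the expander's default; adding `UID="root"` keeps this file consistent with its siblings and makes the intended root:radiusd 0640 ownership visible in one place.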
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/proxy.conf
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/radiusd.conf b/root/etc/e-smith/templates.metadata/etc/raddb/radiusd.conf
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/radiusd.conf
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/sites-available/default b/root/etc/e-smith/templates.metadata/etc/raddb/sites-available/default
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/sites-available/default
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/raddb/sites-available/inner-tunnel b/root/etc/e-smith/templates.metadata/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 0000000..6a00fa1
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="radiusd"
diff --git a/root/etc/e-smith/templates.metadata/etc/radiusclient-ng/servers b/root/etc/e-smith/templates.metadata/etc/radiusclient-ng/servers
new file mode 100644
index 0000000..d102826
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/radiusclient-ng/servers
@@ -0,0 +1 @@
+PERMS=0600
diff --git a/root/etc/e-smith/templates/etc/ppp/options.pptpd/radius-config-file b/root/etc/e-smith/templates/etc/ppp/options.pptpd/radius-config-file
new file mode 100644
index 0000000..1ec40a8
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ppp/options.pptpd/radius-config-file
@@ -0,0 +1 @@
+radius-config-file /etc/radiusclient-ng/radiusclient.conf
diff --git a/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost b/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost
new file mode 100644
index 0000000..d3b4c66
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost
@@ -0,0 +1,60 @@
+{
+ use esmith::util;
+ $pw = esmith::util::LdapPassword;
+ $pw =~ s/^(.{31}).*$/$1/;
+ "";
+}
+client localhost \{
+ ipaddr = 127.0.0.1
+{ #
+ # The shared secret use to "encrypt" and "sign" packets between
+ # the NAS and FreeRADIUS. You MUST change this secret from the
+ # default, otherwise it's not a secret any more!
+ #
+ # The secret can be any string, up to 32 characters in length.
+ #
+
+} secret = { $pw }
+{
+ #
+ # The short name is used as an alias for the fully qualified
+ # domain name, or the IP address.
+ #
+} shortname = localhost
+{
+ #
+ # the following three fields are optional, but may be used by
+ # checkrad.pl for simultaneous use checks
+ #
+
+ #
+ # The nastype tells 'checkrad.pl' which NAS-specific method to
+ # use to query the NAS for simultaneous use.
+ #
+ # Permitted NAS types are:
+ #
+ # cisco
+ # computone
+ # livingston
+ # max40xx
+ # multitech
+ # netserver
+ # pathras
+ # patton
+ # portslave
+ # tc
+ # usrhiper
+ # other # for all other types
+
+ #
+} nas_type = other
+{
+ #
+ # The following two configurations are for future use.
+ # The 'naspasswd' file is currently used to store the NAS
+ # login name and password, which is used by checkrad.pl
+ # when querying the NAS for simultaneous use.
+ #
+# login = !root
+# password = someadminpas
+}\}
diff --git a/root/etc/e-smith/templates/etc/raddb/clients.conf/20local b/root/etc/e-smith/templates/etc/raddb/clients.conf/20local
new file mode 100644
index 0000000..ae4ce9f
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/clients.conf/20local
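Review bot: The localhost shared secret is the LDAP bind password, truncated to 31 characters by `$pw =~ s/^(.{31}).*$/$1/;`, which is the same value the ldap module in 25modules30ldap binds with as `cn=root`; one credential therefore protects both the directory and the RADIUS exchange, and every file that must hold the RADIUS secret (this one and, presumably, the radiusclient-ng templates) also holds most of the directory password. A dedicated random secret kept as its own configuration-db property (name to be chosen) and read from here and from the client-side templates would stop a disclosure of one file from weakening the other credential; in this template only the `secret = { $pw }` line would change. Two smaller points on the same lines: the stock comment says "up to 32 characters" while the regex keeps 31, so one of them should be corrected, and the value is emitted unquoted — if LdapPassword can ever contain whitespace or `#`, writing it as `secret = "{ $pw }"` avoids a misparsed clients.conf.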
@@ -0,0 +1,25 @@ +{ + use esmith::HostsDB; + my $hostsdb = esmith::HostsDB->open; + + # Handle each defined virtual domain + foreach my $host ($hostsdb->get_all_by_prop(HostType => "Local")) + { + $radiuskey = $host->prop('RadiusKey') || undef; + next unless defined $radiuskey; + + $hostname = $host->key; + $hostname =~ s/\..*//; + $hostip = $host->prop('InternalIP') || '127.0.0.1'; + $nastype = $host->prop('NASType') || 'other'; + + $OUT .= <'. + # 'c_rehash' is OpenSSL's command. + # 3) Add 'CA_path=' + # to radiusd.conf's tls section. + # 4) uncomment the line below. + # 5) Restart radiusd +} #check_crl = yes +{ + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # +} #check_cert_cn = %\{User-Name\} +{ + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". +} cipher_list = "DEFAULT" +{ + # + + # + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # +} ecdh_curve = "prime256v1" + +{ + # + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. 
+ #
+ # You probably also want "use_tunneled_reply = yes"
+ # when using fast session resumption.
+ #
+} cache \{
+ enable = yes
+ lifetime = 24 # hours
+ max_entries = 255
+ \}
+{
+ #
+ # As of version 2.1.10, client certificates can be
+ # validated via an external command. This allows
+ # dynamic CRLs or OCSP to be used.
+ #
+ # This configuration is commented out in the
+ # default configuration. Uncomment it, and configure
+ # the correct paths below to enable it.
+ #
+}
+
+
+
+ \}
diff --git a/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls
new file mode 100644
index 0000000..e609f05
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls
@@ -0,0 +1,21 @@
+{
+ ## EAP-TLS
+ #
+ # As of Version 3.0, the TLS configuration for TLS-based
+ # EAP types is above in the "tls-config" section.
+ #
+}
+ tls \{
+{
+ # Point to the common TLS configuration
+} tls = tls-common
+{
+ #
+ # As part of checking a client certificate, the EAP-TLS
+ # sets some attributes such as TLS-Client-Cert-CN. This
+ # virtual server has access to these attributes, and can
+ # be used to accept or reject the request.
+ #
+} # virtual_server = check-eap-tls
+ \}
+
diff --git a/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls
new file mode 100644
index 0000000..08670fb
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls
@@ -0,0 +1,90 @@
+{
+ ## EAP-TTLS
+ #
+ # The TTLS module implements the EAP-TTLS protocol,
+ # which can be described as EAP inside of Diameter,
+ # inside of TLS, inside of EAP, inside of RADIUS...
+ #
+ # Surprisingly, it works quite well.
+ #
+} ttls \{
+{
+ # Which tls-config section the TLS negotiation parameters
+ # are in - see EAP-TLS above for an explanation.
+ #
+ # In the case that an old configuration from FreeRADIUS
+ # v2.x is being used, all the options of the tls-config
+ # section may also appear instead in the 'tls' section
+ # above. If that is done, the tls= option here (and in
+ # tls above) MUST be commented out.
+ #
+} tls = tls-common
+{
+ # The tunneled EAP session needs a default EAP type
+ # which is separate from the one for the non-tunneled
+ # EAP module. Inside of the TTLS tunnel, we recommend
+ # using EAP-MD5. If the request does not contain an
+ # EAP conversation, then this configuration entry is
+ # ignored.
+ #
+} default_eap_type = md5
+{
+ # The tunneled authentication request does not usually
+ # contain useful attributes like 'Calling-Station-Id',
+ # etc. These attributes are outside of the tunnel,
+ # and normally unavailable to the tunneled
+ # authentication request.
+ #
+ # By setting this configuration entry to 'yes',
+ # any attribute which is NOT in the tunneled
+ # authentication request, but which IS available
+ # outside of the tunnel, is copied to the tunneled
+ # request.
+ #
+ # allowed values: {no, yes}
+ #
+} copy_request_to_tunnel = no
+{
+ # The reply attributes sent to the NAS are usually
+ # based on the name of the user 'outside' of the
+ # tunnel (usually 'anonymous'). If you want to send
+ # the reply attributes based on the user name inside
+ # of the tunnel, then set this configuration entry to
+ # 'yes', and the reply to the NAS will be taken from
+ # the reply to the tunneled request.
+ #
+ # allowed values: {no, yes}
+ #
+} use_tunneled_reply = no
+{
+ #
+ # The inner tunneled request can be sent
+ # through a virtual server constructed
+ # specifically for this purpose.
+ #
+ # If this entry is commented out, the inner
+ # tunneled request will be sent through
+ # the virtual server that processed the
+ # outer requests.
+ #
+} virtual_server = "inner-tunnel"
+{
+ # This has the same meaning, and overwrites, the
+ # same field in the "tls" configuration, above.
+ # The default value here is "yes".
+ #
+} # include_length = yes
+{
+ #
+ # Unlike EAP-TLS, EAP-TTLS does not require a client
+ # certificate. However, you can require one by setting the
+ # following option. You can also override this option by
+ # setting
+ #
+ # EAP-TLS-Require-Client-Cert = Yes
+ #
+ # in the control items for a request.
+ #
+} # require_client_cert = yes
+ \}
+
diff --git a/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap
new file mode 100644
index 0000000..caa4582
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap
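Review bot: `use_tunneled_reply = no` here, and the same setting in 40peap, sits next to a `tls-common` section in 35tlscommon that enables the session cache (`enable = yes`, `lifetime = 24`) and whose own comment says "You probably also want use_tunneled_reply = yes when using fast session resumption". The settings are not contradictory by themselves, but if reply attributes produced by the inner-tunnel user are meant to reach the NAS on resumed sessions, `no` will discard them; I cannot tell from the diff which behaviour is intended. Either state the intent in a comment next to this line, e.g. `# reply attributes are taken from the outer identity; the inner-tunnel reply is discarded`, or reconcile the two settings so the cache comment and the module configuration agree.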
@@ -0,0 +1,33 @@
+{
+ #
+ # The tunneled EAP session needs a default EAP type
+ # which is separate from the one for the non-tunneled
+ # EAP module. Inside of the TLS/PEAP tunnel, we
+ # recommend using EAP-MS-CHAPv2.
+ #
+ # The PEAP module needs the TLS module to be installed
+ # and configured, in order to use the TLS tunnel
+ # inside of the EAP packet. You will still need to
+ # configure the TLS module, even if you do not want
+ # to deploy EAP-TLS in your network. Users will not
+ # be able to request EAP-TLS, as it requires them to
+ # have a client certificate. EAP-PEAP does not
+ # require a client certificate.
+ #
+}
+ peap \{
+ tls = tls-common
+ virtual_server = "inner-tunnel"
+{ # The tunneled EAP session needs a default
+ # EAP type which is separate from the one for
+ # the non-tunneled EAP module. Inside of the
+ # PEAP tunnel, we recommend using MS-CHAPv2,
+ # as that is the default type supported by
+ # Windows clients.
+} default_eap_type = mschapv2
+
+
+ copy_request_to_tunnel = no
+ use_tunneled_reply = no
+
+ \}
diff --git a/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2
new file mode 100644
index 0000000..3567e09
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2
@@ -0,0 +1,18 @@
+{
+ #
+ # This takes no configuration.
+ #
+ # Note that it is the EAP MS-CHAPv2 sub-module, not
+ # the main 'mschap' module.
+ #
+ # Note also that in order for this sub-module to work,
+ # the main 'mschap' module MUST ALSO be configured.
+ #
+ # This module is the *Microsoft* implementation of MS-CHAPv2
+ # in EAP. There is another (incompatible) implementation
+ # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
+ # currently support.
+ #
+}
+ mschapv2 \{
+ \}
diff --git a/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end
new file mode 100644
index 0000000..dbea7aa
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end
@@ -0,0 +1 @@
+\}
diff --git a/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap b/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap
new file mode 100644
index 0000000..fc97d0d
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap
@@ -0,0 +1,291 @@ +{ + + use esmith::util; + $OUT = ''; + + $pw = esmith::util::LdapPassword(); + $base = esmith::util::ldapBase ($DomainName); + +} ldap \{ + server = "localhost" + identity = "cn=root,{ $base }" + password = { $pw } + base_dn = "{ $base }" + filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))" + ldap_connections_number = 5 + timeout = 4 + timelimit = 3 + net_timeout = 3 + tls \{ + start_tls = no + \} + groupname_attribute = cn + groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))" + + update \{ + control:Password-With-Header += 'userPassword' + + \} + user \{ + # Where to start searching in the tree for users + base_dn = "$\{..base_dn\}" + + # Filter for user objects, should be specific enough + # to identify a single user object. + filter = "(uid=%\{%\{Stripped-User-Name\}:-%\{User-Name\}\})" + \} + group \{ + # Where to start searching in the tree for groups +# base_dn = "$\{..base_dn\}" + + # Filter for group objects, should match all available + # group objects a user might be a member of. +# filter = "(objectClass=posixGroup)" +# membership_attribute = "memberOf" + \} + + profile \{ + # Filter for RADIUS profile objects +# filter = "(objectclass=radiusprofile)" + + # The default profile applied to all users. +# default = "cn=radprofile,dc=example,dc=org" + + # The list of profiles which are applied (after the default) + # to all users. + # The "User-Profile" attribute in the control list + # will override this setting at run-time. 
+# attribute = "radiusProfileDn" + \} + + + client \{ + # Where to start searching in the tree for clients +# base_dn = "$\{..base_dn\}" + + # + # Filter to match client objects + # +# filter = '(objectClass=frClient)' + + # Search scope, may be 'base', 'one', 'sub' or 'children' +# scope = 'sub' + + # + # Client attribute mappings are in the format: + # = + # + # Arbitrary attributes (accessible by %\{client:\}) are not yet supported. + # + # The following attributes are required: + # * identifier - IPv4 address, or IPv4 address with prefix, or hostname. + # * secret - RADIUS shared secret. + # + # The following attributes are optional: + # * shortname - Friendly name associated with the client + # * nas_type - NAS Type + # * virtual_server - Virtual server to associate the client with + # * require_message_authenticator - Whether we require the Message-Authenticator + # attribute to be present in requests from the client. + # + # Schemas are available in doc/schemas/ldap for openldap and eDirectory + # + attribute \{ +# identifier = 'radiusClientIdentifier' +# secret = 'radiusClientSecret' +# shortname = 'radiusClientShortname' +# nas_type = 'radiusClientType' +# virtual_server = 'radiusClientVirtualServer' +# require_message_authenticator = 'radiusClientRequireMa' + \} + \} + + + + # Useful for recording things like the last time the user logged + # in, or the Acct-Session-ID for CoA/DM. + # + # LDAP modification items are in the format: + # + # + # Where: + # : The LDAP attribute to add modify or delete. + # : One of the assignment operators: + # (:=, +=, -=, ++). + # Note: '=' is *not* supported. + # : The value to add modify or delete. + # + # WARNING: If using the ':=' operator with a multi-valued LDAP + # attribute, all instances of the attribute will be removed and + # replaced with a single attribute. 
+ accounting \{ + reference = "%\{tolower:type.%\{Acct-Status-Type\}\}" + + type \{ + start \{ + update \{ + description := "Online at %S" + \} + \} + + interim-update \{ + update \{ + description := "Last seen at %S" + \} + \} + + stop \{ + update \{ + description := "Offline at %S" + \} + \} + \} + \} + + + + + # + # Post-Auth can modify LDAP objects too + # + post-auth \{ + update \{ + description := "Authenticated at %S" + \} + \} + + + + + + # LDAP connection-specific options. + # + # These options set timeouts, keep-alives, etc. for the connections. + # + options \{ + # Control under which situations aliases are followed. + # May be one of 'never', 'searching', 'finding' or 'always' + # default: libldap's default which is usually 'never'. + # + # LDAP_OPT_DEREF is set to this value. +# dereference = 'always' + + # + # The following two configuration items control whether the + # server follows references returned by LDAP directory. + # They are mostly for Active Directory compatibility. + # If you set these to "no", then searches will likely return + # "operations error", instead of a useful result. + # + chase_referrals = yes + rebind = yes + + # Seconds to wait for LDAP query to finish. default: 20 + timeout = 10 + + # Seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + timelimit = 3 + + # Seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = 1 + + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = 60 + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = 3 + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = 3 + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. 
+ # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + ldap_debug = 0x0028 + \} + + + # The connection pool is new for 3.0, and will be used in many + # modules, for all kinds of connection-related activity. + # + # When the server is not threaded, the connection pool + # limits are ignored, and only one connection is used. + pool \{ + # Number of connections to start + start = 5 + + # Minimum number of connections to keep open + min = 4 + + # Maximum number of connections + # + # If these connections are all in use and a new one + # is requested, the request will NOT get a connection. + # + # Setting 'max' to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like "No connections available and at max connection limit" + # + # Setting 'max' to MORE than the number of threads means + # that there are more connections than necessary. + max = $\{thread[pool].max_servers\} + + # Spare connections to be left idle + # + # NOTE: Idle connections WILL be closed if "idle_timeout" + # is set. + spare = 3 + + # Number of uses before the connection is closed + # + # 0 means "infinite" + uses = 0 + + # The lifetime (in seconds) of the connection + lifetime = 0 + + # Idle timeout (in seconds). A connection which is + # unused for this length of time will be closed. + idle_timeout = 60 + + # NOTE: All configuration settings are enforced. If a + # connection is closed because of "idle_timeout", + # "uses", or "lifetime", then the total number of + # connections MAY fall below "min". When that + # happens, it will open a new connection. It will + # also log a WARNING message. + # + # The solution is to either lower the "min" connections, + # or increase lifetime/idle_timeout. + \} + + + + + + + + + + + + + + + + + + + + + \} 
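Review bot: `password = { $pw }` near the top of the ldap {} block in this hunk is emitted unquoted while `base_dn` and `identity` are quoted, so any space, `#` or `{` in the value returned by esmith::util::LdapPassword() would break the module config at parse time; `password = "{ $pw }"` keeps it safe, assuming the generated password cannot contain a double quote (escape it if it can). The top-level `timeout = 4`, `timelimit = 3` and `net_timeout = 3` duplicate the `options { ... }` block further down, which sets `timeout = 10` and `net_timeout = 1`; in the 3.x rlm_ldap syntax these settings live in `options {}`, so the top-level copies are probably ignored and at best misleading, and `ldap_connections_number = 5` is likewise superseded by the `pool {}` block. `ldap_debug = 0x0028` turns on libldap filter and connection tracing in production logs, which includes the per-user search filters, so defaulting it to 0 is the safer choice. The bind identity is the directory root DN, so the rendered file must stay readable only by the radiusd service user; the templates.metadata entry that sets its mode is not in view here.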
diff --git a/root/etc/e-smith/templates/etc/raddb/mods-available/smbpasswd/05init b/root/etc/e-smith/templates/etc/raddb/mods-available/smbpasswd/05init new file mode 100644 index 0000000..cc7fe74 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/mods-available/smbpasswd/05init @@ -0,0 +1,19 @@ +{ +# -*- text -*- +# +# $Id: e-smith-radiusd-2.6.0-freeradius3bis.patch,v 1.2 2016/04/07 05:52:20 unnilennium Exp $ + +# An example configuration for using /etc/smbpasswd. +# +# See the "passwd" file for documentation on the configuration items +# for this module. +# +} +passwd smbpasswd \{ + filename = /etc/samba/smbpasswd + format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" + hash_size = 100 + ignore_nislike = no + allow_multiple_keys = no +\} + diff --git a/root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/10noroot b/root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/10noroot new file mode 100644 index 0000000..da01490 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/10noroot @@ -0,0 +1,2 @@ +root Auth-Type := Reject + diff --git a/root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/20vpnusers b/root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/20vpnusers new file mode 100644 index 0000000..fb024e5 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/mods-config/files/authorize/20vpnusers 
@@ -0,0 +1,29 @@ +{ + use esmith::AccountsDB; + + my $adb = esmith::AccountsDB->open_ro() + or die "Couldnt' open AccountsDB\n"; + + my @accounts = $adb->get('admin'); + push @accounts, $adb->users; + + foreach my $account (@accounts) + { + next unless (($account->prop('VPNClientAccess') || 'no') eq 'yes'); + + next unless (($account->prop('PasswordSet') || 'no') eq 'yes'); + + my $name = $account->key; + + $OUT .= <prop('PPTPIP'); + next unless ($pptpip); + + $OUT .= <Load virtual servers. +# +#<----->This next $INCLUDE line loads files in the directory that +#<----->match the regular expression: /[a-zA-Z0-9_.]+/ +# +#<----->It allows you to define new virtual servers simply by placing +#<----->a file into the raddb/sites-enabled/ directory. +# +}$INCLUDE sites-enabled/ +{ +###################################################################### +# +#<----->All of the other configuration sections like "authorize {}", +#<----->"authenticate {}", "accounting {}", have been moved to the +#<----->the file: +# +#<-----><------>raddb/sites-available/default +# +#<----->This is the "default" virtual server that has the same +#<----->configuration as in version 1.0.x and 1.1.x. The default +#<----->installation enables this virtual server. You should +#<----->edit it to create policies for your local site. +# +#<----->For more documentation on virtual servers, see: +# +#<-----><------>raddb/sites-available/README +# +###################################################################### + +} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init b/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init new file mode 100644 index 0000000..19e7541 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init 
@@ -0,0 +1,49 @@ +{ +###################################################################### +# +# As of 2.0.0, FreeRADIUS supports virtual hosts using the +# "server" section, and configuration directives. +# +# Virtual hosts should be put into the "sites-available" +# directory. Soft links should be created in the "sites-enabled" +# directory to these files. This is done in a normal installation. +# +# If you are using 802.1X (EAP) authentication, please see also +# the "inner-tunnel" virtual server. You will likely have to edit +# that, too, for authentication to work. +# +# $Id: e-smith-radiusd-2.6.0-freeradius3.patch,v 1.3 2016/04/12 10:16:09 unnilennium Exp $ +# +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. See also "man unlang", which documents the format +# of this file. +# +# This configuration is designed to work in the widest possible +# set of circumstances, with the widest possible number of +# authentication methods. This means that in general, you should +# need to make very few changes to this file. +# +# The best way to configure the server for your local system +# is to CAREFULLY edit this file. Most attempts to make large +# edits to this file will BREAK THE SERVER. Any edits should +# be small, and tested by running the server with "radiusd -X". +# Once the edits have been verified to work, save a copy of these +# configuration files somewhere. (e.g. as a "tar" file). Then, +# make more edits, and test, as above. +# +# There are many "commented out" references to modules such +# as ldap, sql, etc. These references serve as place-holders. +# If you need the functionality of that module, then configure +# it in radiusd.conf, and un-comment the references to it in +# this file. 
In most cases, those small changes will result +# in the server being able to connect to the DB, and to +# authenticate users. +# +###################################################################### +} +server default \{ + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen b/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen new file mode 100644 index 0000000..c46b1db --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen 
@@ -0,0 +1,90 @@ +{ +# listen: Make the server listen on a particular IP address, and send +# replies out from that address. This directive is most useful for +# hosts with multiple IP addresses on one interface. +# +# If you want the server to listen on additional addresses, or on +# additionnal ports, you can use multiple "listen" sections. +# +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. +# +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. +} +# auth +listen \{ + type = auth +{ + # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. + # Out of several options the first one will be used. + # + # Allowed values are: + # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) + # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr) + # hostname (radius.example.com, + # A record for ipv4addr, + # AAAA record for ipv6addr, + # A or AAAA record for ipaddr) + # wildcard (*) + # + # ipv4addr = * + # ipv6addr = * +} + ipaddr = * + port = 0 +# interface = eth0 +# clients = per_socket_clients +{ + # + # Connection limiting for sockets with "proto = tcp". + # + # This section is ignored for other kinds of sockets. + # +} limit \{ +{ + # + # Limit the number of simultaneous TCP connections to the socket + # + # The default is 16. + # Setting this to 0 means "no limit" +} max_connections = 16 +{ + # The per-socket "max_requests" option does not exist. + + # + # The lifetime, in seconds, of a TCP connection. After + # this lifetime, the connection will be closed. + # + # Setting this to 0 means "forever". +} lifetime = 0 +{ + # + # The idle timeout, in seconds, of a TCP connection. + # If no packets have been received over the connection for + # this time, the connection will be closed. + # + # Setting this to 0 means "no timeout". + # + # We STRONGLY RECOMMEND that you set an idle timeout. 
+ # +} idle_timeout = 30 + \} + +\} + +# +# This second "listen" section is for listening on the accounting +# port, too. +# +listen \{ + type = acct + ipaddr = * + port = 0 +\} + + + + + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init new file mode 100644 index 0000000..5ab778a --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init @@ -0,0 +1,11 @@ +{ +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +} +authorize \{ diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default new file mode 100644 index 0000000..6c9d64c --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default 
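Review bot: Both listen {} sections in this hunk bind with `ipaddr = *`, so the auth and acct sockets are reachable on every address of the host, including any external interface, and the only things gating access are the clients.conf entries and the firewall. On an e-smith host the RADIUS clients are normally on the local network, so binding to the internal interface — the commented `# interface = eth0` line shows the directive — or to a templated address would shrink the exposed surface; which interface name applies on this platform cannot be told from the hunk. If `*` is intentional, a comment such as `# bound on all addresses; unknown sources are dropped by clients.conf` next to the first `ipaddr = *`, plus a note that `port = 0` selects the standard RADIUS ports, would help the next reader.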
@@ -0,0 +1,106 @@ +{ + # + # Take a User-Name, and perform some checks on it, for spaces and other + # invalid characters. If the User-Name appears invalid, reject the + # request. + # + # See policy.d/filter for the definition of the filter_username policy. + # +}# filter_username +{ + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + # + # It also adds the %\{Client-IP-Address\} attribute to the request. +} preprocess +{ + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. +} suffix + ntdomain +{ + # This module takes care of EAP-PEAP authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. +} eap \{ + ok = return + \} + +{ + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. +} mschap +{ + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module, above. + ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd'; +} + +{ + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module in radiusd.conf. + # +}# unix + + +{ + # Read the 'users' file +} files + +{ + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. 
+ # + # See "Authorization Queries" in sql.conf +}# -sql +{ + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module. +}# smbpasswd +{ + # + # The ldap module reads passwords from the LDAP database. +} -ldap + if ((ok || updated) && User-Password) \{ + update control \{ + Auth-Type := ldap + \} + \} +{ # + # Enforce daily limits on time spent logged in. +# daily + + # +} expiration + logintime +{ + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # +} pap + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end new file mode 100644 index 0000000..dbea7aa --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end @@ -0,0 +1 @@ +\} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup new file mode 100644 index 0000000..6a22d2b --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup @@ -0,0 +1,5 @@ +{ + my @authModules = ''; + $OUT = ''; +} + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap new file mode 100644 index 0000000..daa9f4a --- /dev/null 
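Review bot: The authorize list in this hunk calls the ldap module twice when LDAP authentication is enabled: once through the `( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';` fragment and again through the unconditional `-ldap` further down, so each Access-Request costs two directory searches. More importantly, the `-ldap` / `update control { Auth-Type := ldap }` pair is not gated by `$ldap{Authentication}` at all, so a rendered config with LDAP disabled still forces LDAP bind authentication for any user the directory returns while a User-Password is present (unless the module is absent from mods-enabled, which createlinks decides and is not in view), overriding whatever Auth-Type the smbpasswd path would otherwise lead to. Wrapping the `-ldap` block in the same `$ldap{Authentication}` test, as 40authenticate25authPap does for PAP with `$radiusd{'PAP'}`, would make the two consistent; 40authenticate15ldap also pushes `Auth-Type LDAP {}` unconditionally and should probably take the same gate. Please also confirm that the lowercase `ldap` set here is matched by the `Auth-Type LDAP` section; I believe the comparison is case-insensitive but have not verified it for this version.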
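Review bot: `my @authModules = '';` in the 40authenticate00setup hunk seeds the list with one empty string, so the `$OUT .= "$_\n" foreach @authModules;` loop in 40authenticate99process emits a stray blank line before the first Auth-Type block; `my @authModules = ();` gives the intended empty list. Separately, if each `{ ... }` fragment is evaluated in its own scope — which is how Text::Template handles e-smith templates, to my recollection — a `my` declaration here is not visible to the `push(@authModules, ...)` calls in the later fragments, which would then be writing to a package variable that was never initialised; that happens to work without `use strict`, but `our @authModules = ();` makes the cross-fragment sharing explicit and drops the bogus first element at the same time.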
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap @@ -0,0 +1,5 @@ +{ + push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n"); + $OUT = ''; +} + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap new file mode 100644 index 0000000..9a6cd47 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap @@ -0,0 +1,5 @@ +{ + push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n"); + $OUT = ''; +} + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap new file mode 100644 index 0000000..3fb50e3 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap @@ -0,0 +1,4 @@ +{ + push(@authModules, "\tAuth-Type EAP\{\n\t\teap\n\t\}\n"); + $OUT = ''; +} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate25authPap b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate25authPap new file mode 100644 index 0000000..e1fd8a5 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate25authPap @@ -0,0 +1,7 @@ +{ + if (($radiusd{'PAP'} || 'disabled') eq 'enabled') + { + push(@authModules, "\tAuth-Type PAP\{\n\t\tpap\n\t\}\n"); + $OUT = ''; + } +} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process new file mode 100644 index 0000000..cb446ea --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process 
@@ -0,0 +1,23 @@ +{ +# Authentication. +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. + + $OUT = "authenticate \{\n"; + $OUT .= "$_\n" foreach @authModules; + $OUT .= "\}\n"; + +} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct b/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct new file mode 100644 index 0000000..a4264a1 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct 
@@ -0,0 +1,47 @@ +{ +# +# Pre-accounting. Decide which accounting type to use. +# +}preacct \{ + preprocess +{ + # + # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets + # into a single 64bit counter Acct-[Input|Output]-Octets64. + # +}# acct_counters64 +{ + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. It will be *mostly* correct. + # Any errors are due to the 1-second resolution of RADIUS, + # and the possibility that the time on the NAS may be off. + # + # The start time is: NOW - delay - session_length + # +} +# update request { +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + +{ + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. +} + + acct_unique +{ + # Accounting requests are generally proxied to the same + # home server as authentication requests. +} suffix + ntdomain + files + +\} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init new file mode 100644 index 0000000..aff8776 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init @@ -0,0 +1,5 @@ +{ +# +# Accounting. Log the accounting data. +# +}accounting \{ diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default new file mode 100644 index 0000000..a85caea --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default 
@@ -0,0 +1,5 @@ +{ # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. +} detail diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end new file mode 100644 index 0000000..dbea7aa --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end @@ -0,0 +1 @@ +\} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init b/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init new file mode 100644 index 0000000..1c7836b --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init @@ -0,0 +1,6 @@ +{ +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +}session \{ + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end b/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end new file mode 100644 index 0000000..dbea7aa --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end @@ -0,0 +1 @@ +\} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init b/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init new file mode 100644 index 0000000..b7c9b26 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init @@ -0,0 +1,8 @@ +{ +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +}post-auth \{ + # Get an address from the IP Pool. +# main_pool + 
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end b/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end new file mode 100644 index 0000000..fb8b465 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end @@ -0,0 +1,26 @@ +{ + # Remove reply message if the response contains an EAP-Message +} remove_reply_message_if_eap +{ + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # +} Post-Auth-Type REJECT \{ + # log failed authentications in SQL, too. + #-sql + attr_filter.access_reject + + # Insert EAP-Failure message if the request was + # rejected by policy instead of because of an + # authentication failure + eap + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap + \} +\} + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy b/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy new file mode 100644 index 0000000..10cb972 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy 
@@ -0,0 +1,28 @@ +pre-proxy \{ +{ + # Before proxing the request add an Operator-Name attribute identifying + # if the operator-name is found for this client. + # No need to uncomment this if you have already enabled this in + # the authorize section. +}# operator-name +{ + # The client requests the CUI by sending a CUI attribute + # containing one zero byte. + # Uncomment the line below if *requesting* the CUI. +}# cui +{ + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +}# files +{ + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +}# attr_filter.pre-proxy +{ + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +}# pre_proxy_log +\} + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy b/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy new file mode 100644 index 0000000..27bc000 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy 
@@ -0,0 +1,54 @@ +{ +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +} +post-proxy \{ +{ + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +}# post_proxy_log +{ + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +}# attr_filter.post-proxy +{ + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # +} eap +{ + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +}# Post-Proxy-Type Fail \{ +# detail +# \} +\} + + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end b/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end new file mode 100644 index 0000000..49ff208 --- /dev/null 
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end @@ -0,0 +1,7 @@ + +\} +{ +# +#end of default server +# +} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/01init b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/01init new file mode 100644 index 0000000..496a5e4 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/01init @@ -0,0 +1,13 @@ +{ +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles *only* inner tunnel +# requests for EAP-TTLS and PEAP types. +# +# $Id: e-smith-radiusd-2.6.0-freeradius3ter.patch,v 1.2 2016/04/10 07:30:52 unnilennium Exp $ +# +###################################################################### +} +server inner-tunnel \{ + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/20listen b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/20listen new file mode 100644 index 0000000..a7ab0ce --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/20listen @@ -0,0 +1,27 @@ +{ +# +# This next section is here to allow testing of the "inner-tunnel" +# authentication methods, independently from the "default" server. +# It is listening on "localhost", so that it can only be used from +# the same machine. +# +# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If it works, you have configured the inner tunnel correctly. To check +# if PEAP will work, use: +# +# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If that works, PEAP should work. If that command doesn't work, then +# +# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. +# +# Do NOT do any PEAP tests. It won't help. Instead, concentrate +# on fixing the inner tunnel configuration. DO NOTHING ELSE. +# +} +listen \{ + ipaddr = 127.0.0.1 + port = 18120 + type = auth +\} 
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization00init b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization00init new file mode 100644 index 0000000..5ab778a --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization00init @@ -0,0 +1,11 @@ +{ +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +} +authorize \{ diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization40default b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization40default new file mode 100644 index 0000000..63995c4 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization40default 
@@ -0,0 +1,117 @@ +{ + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set +} chap +{ + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. +} mschap +{ + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module, above. + # +}# unix +{ + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +}# IPASS +{ + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + # Note that proxying the inner tunnel authentication means + # that the user MAY use one identity in the outer session + # (e.g. "anonymous", and a different one here + # (e.g. "user@example.com"). The inner session will then be + # proxied elsewhere for authentication. If you are not + # careful, this means that the user can cause you to forward + # the authentication to another RADIUS server, and have the + # accounting logs *not* sent to the other server. This makes + # it difficult to bill people for their network activity. + # +} suffix +# ntdomain +{ + # + # The "suffix" module takes care of stripping the domain + # (e.g. "@example.com") from the User-Name attribute, and the + # next few lines ensure that the request is not proxied. + # + # If you want the inner tunnel request to be proxied, delete + # the next few lines. 
+ # + +} update control \{ + Proxy-To-Realm := LOCAL + \} +{ + # + # This module takes care of EAP-MSCHAPv2 authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # +} eap \{ + ok = return + \} +{ + # + # Read the 'users' file +} files +{ + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf +}# -sql + -ldap + if ((ok || updated) && User-Password) \{ + update control \{ + Auth-Type := ldap + \} + \} +{ + # + # Enforce daily limits on time spent logged in. +}# daily + expiration + logintime +{ + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, then un-comment this line, and + # enable the "smbpasswd" module. +} smbpasswd +{ + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # +} pap + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization99end b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization99end new file mode 100644 index 0000000..dbea7aa --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/35authorization99end @@ -0,0 +1 @@ +\} 
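Review bot: `smbpasswd` is active in this authorize list, but the comment kept directly above it still says "un-comment this line, and enable the smbpasswd module", which now reads as if the module were disabled; reword it to `# smbpasswd is enabled here so mschap can obtain NT hashes from the smbpasswd file; disable it in mods-available if that file is not maintained.` Because the module hands NT password hashes to mschap, the file it reads (configured in the mods-available/smbpasswd template, outside this hunk) should be readable by the radiusd user only, which cannot be checked from here. The authorize block is opened in 35authorization00init and closed in 35authorization99end, so this hunk is not a complete section on its own.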
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate00setup b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate00setup
new file mode 100644
index 0000000..6a22d2b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate00setup
@@ -0,0 +1,5 @@
+{
+ my @authModules = '';
+ $OUT = '';
+}
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate10AuthMsChap b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate10AuthMsChap
new file mode 100644
index 0000000..daa9f4a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate10AuthMsChap
@@ -0,0 +1,5 @@
+{
+ push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
+ $OUT = '';
+}
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate12pap b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate12pap
new file mode 100644
index 0000000..52a5071
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate12pap
@@ -0,0 +1,5 @@
+{
+ push(@authModules, "\tAuth-Type PAP\{\n\t\tpap\n\t\}\n");
+ $OUT = '';
+}
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate13chap b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate13chap
new file mode 100644
index 0000000..98f681b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate13chap
@@ -0,0 +1,5 @@
+{
+ push(@authModules, "\tAuth-Type CHAP\{\n\t\tchap\n\t\}\n");
+ $OUT = '';
+}
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate15ldap b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate15ldap
new file mode 100644
index 0000000..9a6cd47
--- /dev/null
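Review bot: `my @authModules = '';` seeds the list with one empty string, so `$OUT .= "$_\n" foreach @authModules;` in 40authenticate99process emits a stray blank line ahead of the first Auth-Type block. A `my` lexical is also fragment-local if the template engine evaluates each `{ … }` fragment separately; in that case the `push` calls in the 10…20 fragments populate the package variable instead, and 99process reading that same package variable is what makes the output come out right. Declaring the shared state explicitly with `our @authModules = ();` removes both the empty element and the reliance on that fall-through.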
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate15ldap
@@ -0,0 +1,5 @@
+{
+ push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
+ $OUT = '';
+}
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate20authEap b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate20authEap
new file mode 100644
index 0000000..3fb50e3
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate20authEap
@@ -0,0 +1,4 @@
+{
+ push(@authModules, "\tAuth-Type EAP\{\n\t\teap\n\t\}\n");
+ $OUT = '';
+}
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate99process b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate99process
new file mode 100644
index 0000000..cb446ea
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/40authenticate99process
@@ -0,0 +1,23 @@
+{
+# Authentication.
+#
+# This section lists which modules are available for authentication.
+# Note that it does NOT mean 'try each module in order'. It means
+# that a module from the 'authorize' section adds a configuration
+# attribute 'Auth-Type := FOO'. That authentication type is then
+# used to pick the apropriate module from the list below.
+#
+# In general, you SHOULD NOT set the Auth-Type attribute. The server
+# will figure it out on its own, and will do the right thing. The
+# most common side effect of erroneously setting the Auth-Type
+# attribute is that one authentication method will work, but the
+# others will not.
+#
+# The common reasons to set the Auth-Type attribute by hand
+# is to either forcibly reject the user, or forcibly accept him.
+
+ $OUT = "authenticate \{\n";
+ $OUT .= "$_\n" foreach @authModules;
+ $OUT .= "\}\n";
+
+}
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/55preacct b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/55preacct new file mode 100644 index 0000000..a4264a1 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/55preacct @@ -0,0 +1,47 @@ +{ +# +# Pre-accounting. Decide which accounting type to use. +# +}preacct \{ + preprocess +{ + # + # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets + # into a single 64bit counter Acct-[Input|Output]-Octets64. + # +}# acct_counters64 +{ + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. It will be *mostly* correct. + # Any errors are due to the 1-second resolution of RADIUS, + # and the possibility that the time on the NAS may be off. + # + # The start time is: NOW - delay - session_length + # +} +# update request { +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + +{ + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. +} + + acct_unique +{ + # Accounting requests are generally proxied to the same + # home server as authentication requests. +} suffix + ntdomain + files + +\} diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session00init b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session00init new file mode 100644 index 0000000..1c7836b --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session00init 
@@ -0,0 +1,6 @@
+{
+# Session database, used for checking Simultaneous-Use. Either the radutmp
+# or rlm_sql module can handle this.
+# The rlm_sql module is *much* faster
+}session \{
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session40default b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session40default
new file mode 100644
index 0000000..2b5ceef
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session40default
@@ -0,0 +1,3 @@
+ radutmp
+# sql
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session99end b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session99end
new file mode 100644
index 0000000..dbea7aa
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/70session99end
@@ -0,0 +1 @@
+\}
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth00init b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth00init
new file mode 100644
index 0000000..b7c9b26
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth00init
@@ -0,0 +1,8 @@
+{
+# Post-Authentication
+# Once we KNOW that the user has been authenticated, there are
+# additional steps we can take.
+}post-auth \{
+ # Get an address from the IP Pool.
+# main_pool
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth40default b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth40default
new file mode 100644
index 0000000..5722677
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth40default
@@ -0,0 +1,31 @@ +{ + # If you want privacy to remain, see the + # Chargeable-User-Identity attribute from RFC 4372. + # If you want to use it just uncomment the line below. +}# cui-inner +{ + # + # If you want to have a log of authentication replies, + # un-comment the following line, and enable the + # 'detail reply_log' module. +}# reply_log +{ + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf +}# -sql +{ + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +}# sql_log +{ + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +}# ldap + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth99end b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth99end new file mode 100644 index 0000000..fb8b465 --- /dev/null +++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/80postauth99end @@ -0,0 +1,26 @@ +{ + # Remove reply message if the response contains an EAP-Message +} remove_reply_message_if_eap +{ + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # +} Post-Auth-Type REJECT \{ + # log failed authentications in SQL, too. + #-sql + attr_filter.access_reject + + # Insert EAP-Failure message if the request was + # rejected by policy instead of because of an + # authentication failure + eap + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap + \} +\} + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/85preproxy b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/85preproxy new file mode 100644 index 0000000..937e814 
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/85preproxy
@@ -0,0 +1,17 @@
+pre-proxy \{
+{
+ # Uncomment the following line if you want to change attributes
+ # as defined in the preproxy_users file.
+}# files
+{
+ # Uncomment the following line if you want to filter requests
+ # sent to remote servers based on the rules defined in the
+ # 'attrs.pre-proxy' file.
+}# attr_filter.pre-proxy
+{
+ # If you want to have a log of packets proxied to a home
+ # server, un-comment the following line, and the
+ # 'detail pre_proxy_log' section, above.
+}# pre_proxy_log
+\}
+
diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/90postproxy b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/90postproxy
new file mode 100644
index 0000000..27bc000
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/90postproxy
@@ -0,0 +1,54 @@ +{ +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +} +post-proxy \{ +{ + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +}# post_proxy_log +{ + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +}# attr_filter.post-proxy +{ + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # +} eap +{ + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +}# Post-Proxy-Type Fail \{ +# detail +# \} +\} + + diff --git a/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/99end b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/99end new file mode 100644 index 0000000..49ff208 --- /dev/null 
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/inner-tunnel/99end
@@ -0,0 +1,7 @@
+
+\}
+{
+#
+#end of default server
+#
+}
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/00AuthOrder b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/00AuthOrder
new file mode 100644
index 0000000..7ca4ed8
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/00AuthOrder
@@ -0,0 +1 @@
+auth_order radius,local
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/05LoginTries b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/05LoginTries
new file mode 100644
index 0000000..35011cc
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/05LoginTries
@@ -0,0 +1 @@
+login_tries 4
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/10LoginTimeout b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/10LoginTimeout
new file mode 100644
index 0000000..6328b1c
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/10LoginTimeout
@@ -0,0 +1 @@
+login_timeout 60
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/15NoLogin b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/15NoLogin
new file mode 100644
index 0000000..c6d64a0
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/15NoLogin
@@ -0,0 +1 @@
+nologin /etc/nologin
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/20Issue b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/20Issue
new file mode 100644
index 0000000..69be14f
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/20Issue
@@ -0,0 +1 @@
+issue /etc/radiusclient-ng/issue
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/25Servers b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/25Servers
new file mode 100644
index 0000000..5c05194
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/25Servers
@@ -0,0 +1,3 @@
+authserver localhost
+acctserver localhost
+servers /etc/radiusclient-ng/servers
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/30Dictionary b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/30Dictionary
new file mode 100644
index 0000000..b2d34b6
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/30Dictionary
@@ -0,0 +1 @@
+dictionary /usr/share/radiusclient-ng/dictionary
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/35LoginRadius b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/35LoginRadius
new file mode 100644
index 0000000..b5191a0
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/35LoginRadius
@@ -0,0 +1 @@
+login_radius /usr/sbin/login.radius
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/40SeqFile b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/40SeqFile
new file mode 100644
index 0000000..089dc25
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/40SeqFile
@@ -0,0 +1 @@
+seqfile /var/run/radius.seq
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/45MapFile b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/45MapFile
new file mode 100644
index 0000000..f522d95
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/45MapFile
@@ -0,0 +1 @@
+mapfile /etc/radiusclient-ng/port-id-map
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/50Realm b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/50Realm
new file mode 100644
index 0000000..0fd9876
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/50Realm
@@ -0,0 +1 @@
+default_realm
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/55RadiusTimeout b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/55RadiusTimeout
new file mode 100644
index 0000000..3fa9dde
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/55RadiusTimeout
@@ -0,0 +1 @@
+radius_timeout 10
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/60RadiusRetry b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/60RadiusRetry
new file mode 100644
index 0000000..6697be8
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/60RadiusRetry
@@ -0,0 +1 @@
+radius_retries 3
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/65LoginLocal b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/65LoginLocal
new file mode 100644
index 0000000..fef4d67
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/radiusclient.conf/65LoginLocal
@@ -0,0 +1 @@
+login_local /bin/login
diff --git a/root/etc/e-smith/templates/etc/radiusclient-ng/servers/10localhost b/root/etc/e-smith/templates/etc/radiusclient-ng/servers/10localhost
new file mode 100644
index 0000000..3827a6b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/radiusclient-ng/servers/10localhost
@@ -0,0 +1,7 @@
+{
+ use esmith::util;
+ $pw = esmith::util::LdapPassword;
+ $pw =~ s/^(.{31}).*$/$1/;
+ "";
+}
+localhost { $pw; }
diff --git a/root/etc/e-smith/templates/etc/rsyslog.conf/32radius b/root/etc/e-smith/templates/etc/rsyslog.conf/32radius
new file mode 100644
index 0000000..f1da35b
--- /dev/null
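Review bot: The RADIUS shared secret for `localhost` is the LDAP directory password cut to its first 31 characters by `$pw =~ s/^(.{31}).*$/$1/;`, so whoever can read `/etc/radiusclient-ng/servers` also learns most of the LDAP credential, and rotating either secret silently changes the other. A dedicated random secret held in its own configuration-db property (`radiusd`/`<SecretProp>` is a placeholder; no such property is visible in this commit) and consumed by both this template and the clients.conf template would decouple the two; the truncation presumably exists for a length limit in the client library, which a generated secret can respect from the start. The file's owner and mode come from the `templates.metadata/etc/radiusclient-ng/servers` entry in the diffstat, which is not visible here and should leave the file readable only by root. A one-line comment such as `# shared secret for the local radiusd; must match the clients.conf entry` would also tell the next maintainer why the password is being reused.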
+++ b/root/etc/e-smith/templates/etc/rsyslog.conf/32radius
@@ -0,0 +1,4 @@
+#radiusd daemon
+:programname, startswith, "radiusd" /var/log/radius/daemon.log
+& stop
+
diff --git a/root/etc/e-smith/templates/usr/share/radiusclient-ng/dictionary b/root/etc/e-smith/templates/usr/share/radiusclient-ng/dictionary
new file mode 100644
index 0000000..40381b9
--- /dev/null
+++ b/root/etc/e-smith/templates/usr/share/radiusclient-ng/dictionary
@@ -0,0 +1,242 @@ +# +# Updated 97/06/13 to livingston-radius-2.01 miquels@cistron.nl +# +# This file contains dictionary translations for parsing +# requests and generating responses. All transactions are +# composed of Attribute/Value Pairs. The value of each attribute +# is specified as one of 4 data types. Valid data types are: +# +# string - 0-253 octets +# ipaddr - 4 octets in network byte order +# integer - 32 bit value in big endian order (high byte first) +# date - 32 bit value in big endian order - seconds since +# 00:00:00 GMT, Jan. 1, 1970 +# +# Enumerated values are stored in the user file with dictionary +# VALUE translations for easy administration. +# +# Example: +# +# ATTRIBUTE VALUE +# --------------- ----- +# Framed-Protocol = PPP +# 7 = 1 (integer encoding) +# + +# +# Following are the proper new names. Use these. +# +ATTRIBUTE User-Name 1 string +ATTRIBUTE Password 2 string +ATTRIBUTE CHAP-Password 3 string +ATTRIBUTE NAS-IP-Address 4 ipaddr +ATTRIBUTE NAS-Port-Id 5 integer +ATTRIBUTE Service-Type 6 integer +ATTRIBUTE Framed-Protocol 7 integer +ATTRIBUTE Framed-IP-Address 8 ipaddr +ATTRIBUTE Framed-IP-Netmask 9 ipaddr +ATTRIBUTE Framed-Routing 10 integer +ATTRIBUTE Filter-Id 11 string +ATTRIBUTE Framed-MTU 12 integer +ATTRIBUTE Framed-Compression 13 integer +ATTRIBUTE Login-IP-Host 14 ipaddr +ATTRIBUTE Login-Service 15 integer +ATTRIBUTE Login-TCP-Port 16 integer +ATTRIBUTE Reply-Message 18 string +ATTRIBUTE Callback-Number 19 string +ATTRIBUTE Callback-Id 20 string +ATTRIBUTE Framed-Route 22 string +ATTRIBUTE Framed-IPX-Network 23 ipaddr +ATTRIBUTE State 24 string +ATTRIBUTE Class 25 string +ATTRIBUTE Vendor-Specific 26 string +ATTRIBUTE Session-Timeout 27 integer +ATTRIBUTE Idle-Timeout 28 integer +ATTRIBUTE Termination-Action 29 integer +ATTRIBUTE Called-Station-Id 30 string +ATTRIBUTE Calling-Station-Id 31 string +ATTRIBUTE NAS-Identifier 32 string +ATTRIBUTE Proxy-State 33 string +ATTRIBUTE Login-LAT-Service 34 string +ATTRIBUTE 
Login-LAT-Node 35 string +ATTRIBUTE Login-LAT-Group 36 string +ATTRIBUTE Framed-AppleTalk-Link 37 integer +ATTRIBUTE Framed-AppleTalk-Network 38 integer +ATTRIBUTE Framed-AppleTalk-Zone 39 string +ATTRIBUTE Acct-Status-Type 40 integer +ATTRIBUTE Acct-Delay-Time 41 integer +ATTRIBUTE Acct-Input-Octets 42 integer +ATTRIBUTE Acct-Output-Octets 43 integer +ATTRIBUTE Acct-Session-Id 44 string +ATTRIBUTE Acct-Authentic 45 integer +ATTRIBUTE Acct-Session-Time 46 integer +ATTRIBUTE Acct-Input-Packets 47 integer +ATTRIBUTE Acct-Output-Packets 48 integer +ATTRIBUTE Acct-Terminate-Cause 49 integer +ATTRIBUTE Acct-Multi-Session-Id 50 string +ATTRIBUTE Acct-Link-Count 51 integer +ATTRIBUTE Event-Timestamp 55 integer +ATTRIBUTE CHAP-Challenge 60 string +ATTRIBUTE NAS-Port-Type 61 integer +ATTRIBUTE Port-Limit 62 integer +ATTRIBUTE Login-LAT-Port 63 integer +ATTRIBUTE Connect-Info 77 string + +# +# RFC3162 IPv6 attributes +# +ATTRIBUTE NAS-IPv6-Address 95 string +ATTRIBUTE Framed-Interface-Id 96 string +ATTRIBUTE Framed-IPv6-Prefix 97 string +ATTRIBUTE Login-IPv6-Host 98 string +ATTRIBUTE Framed-IPv6-Route 99 string +ATTRIBUTE Framed-IPv6-Pool 100 string + +# +# Experimental Non Protocol Attributes used by Cistron-Radiusd +# +ATTRIBUTE Huntgroup-Name 221 string +ATTRIBUTE User-Category 1029 string +ATTRIBUTE Group-Name 1030 string +ATTRIBUTE Simultaneous-Use 1034 integer +ATTRIBUTE Strip-User-Name 1035 integer +ATTRIBUTE Fall-Through 1036 integer +ATTRIBUTE Add-Port-To-IP-Address 1037 integer +ATTRIBUTE Exec-Program 1038 string +ATTRIBUTE Exec-Program-Wait 1039 string +ATTRIBUTE Hint 1040 string + +# +# Non-Protocol Attributes +# These attributes are used internally by the server +# +ATTRIBUTE Expiration 21 date +ATTRIBUTE Auth-Type 1000 integer +ATTRIBUTE Menu 1001 string +ATTRIBUTE Termination-Menu 1002 string +ATTRIBUTE Prefix 1003 string +ATTRIBUTE Suffix 1004 string +ATTRIBUTE Group 1005 string +ATTRIBUTE Crypt-Password 1006 string +ATTRIBUTE Connect-Rate 1007 integer + +# 
+# Integer Translations +# + +# User Types + +VALUE Service-Type Login-User 1 +VALUE Service-Type Framed-User 2 +VALUE Service-Type Callback-Login-User 3 +VALUE Service-Type Callback-Framed-User 4 +VALUE Service-Type Outbound-User 5 +VALUE Service-Type Administrative-User 6 +VALUE Service-Type NAS-Prompt-User 7 + +# Framed Protocols + +VALUE Framed-Protocol PPP 1 +VALUE Framed-Protocol SLIP 2 + +# Framed Routing Values + +VALUE Framed-Routing None 0 +VALUE Framed-Routing Broadcast 1 +VALUE Framed-Routing Listen 2 +VALUE Framed-Routing Broadcast-Listen 3 + +# Framed Compression Types + +VALUE Framed-Compression None 0 +VALUE Framed-Compression Van-Jacobson-TCP-IP 1 + +# Login Services + +VALUE Login-Service Telnet 0 +VALUE Login-Service Rlogin 1 +VALUE Login-Service TCP-Clear 2 +VALUE Login-Service PortMaster 3 + +# Status Types + +VALUE Acct-Status-Type Start 1 +VALUE Acct-Status-Type Stop 2 +VALUE Acct-Status-Type Alive 3 +VALUE Acct-Status-Type Accounting-On 7 +VALUE Acct-Status-Type Accounting-Off 8 + +# Authentication Types + +VALUE Acct-Authentic RADIUS 1 +VALUE Acct-Authentic Local 2 +VALUE Acct-Authentic PowerLink128 100 + +# Termination Options + +VALUE Termination-Action Default 0 +VALUE Termination-Action RADIUS-Request 1 + +# NAS Port Types, available in 3.3.1 and later + +VALUE NAS-Port-Type Async 0 +VALUE NAS-Port-Type Sync 1 +VALUE NAS-Port-Type ISDN 2 +VALUE NAS-Port-Type ISDN-V120 3 +VALUE NAS-Port-Type ISDN-V110 4 + +# Acct Terminate Causes, available in 3.3.2 and later + +VALUE Acct-Terminate-Cause User-Request 1 +VALUE Acct-Terminate-Cause Lost-Carrier 2 +VALUE Acct-Terminate-Cause Lost-Service 3 +VALUE Acct-Terminate-Cause Idle-Timeout 4 +VALUE Acct-Terminate-Cause Session-Timeout 5 +VALUE Acct-Terminate-Cause Admin-Reset 6 +VALUE Acct-Terminate-Cause Admin-Reboot 7 +VALUE Acct-Terminate-Cause Port-Error 8 +VALUE Acct-Terminate-Cause NAS-Error 9 +VALUE Acct-Terminate-Cause NAS-Request 10 +VALUE Acct-Terminate-Cause NAS-Reboot 11 +VALUE 
Acct-Terminate-Cause Port-Unneeded 12 +VALUE Acct-Terminate-Cause Port-Preempted 13 +VALUE Acct-Terminate-Cause Port-Suspended 14 +VALUE Acct-Terminate-Cause Service-Unavailable 15 +VALUE Acct-Terminate-Cause Callback 16 +VALUE Acct-Terminate-Cause User-Error 17 +VALUE Acct-Terminate-Cause Host-Request 18 + +# +# Non-Protocol Integer Translations +# + +VALUE Auth-Type Local 0 +VALUE Auth-Type System 1 +VALUE Auth-Type SecurID 2 +VALUE Auth-Type Crypt-Local 3 +VALUE Auth-Type Reject 4 + +# +# Cistron extensions +# +VALUE Auth-Type Pam 253 +VALUE Auth-Type Accept 254 + +# +# Experimental Non-Protocol Integer Translations for Cistron-Radiusd +# +VALUE Fall-Through No 0 +VALUE Fall-Through Yes 1 +VALUE Add-Port-To-IP-Address No 0 +VALUE Add-Port-To-IP-Address Yes 1 + +# +# Configuration Values +# uncomment these two lines to turn account expiration on +# + +#VALUE Server-Config Password-Expiration 30 +#VALUE Server-Config Password-Warning 5 + +INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft + diff --git a/root/etc/e-smith/templates/usr/share/radiusclient-ng/dictionary.microsoft b/root/etc/e-smith/templates/usr/share/radiusclient-ng/dictionary.microsoft new file mode 100644 index 0000000..ad2163e --- /dev/null +++ b/root/etc/e-smith/templates/usr/share/radiusclient-ng/dictionary.microsoft 
@@ -0,0 +1,81 @@ +# +# Microsoft's VSA's, from RFC 2548 +# +# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $ +# + +VENDOR Microsoft 311 Microsoft + +ATTRIBUTE MS-CHAP-Response 1 string Microsoft +ATTRIBUTE MS-CHAP-Error 2 string Microsoft +ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft +ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft +ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft +ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft +ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft +# This is referred to as both singular and plural in the RFC. +# Plural seems to make more sense. +ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft +ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft +ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft +ATTRIBUTE MS-CHAP-Domain 10 string Microsoft +ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft +ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft +ATTRIBUTE MS-BAP-Usage 13 integer Microsoft +ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft +ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft +ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft +ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft +ATTRIBUTE MS-RAS-Version 18 string Microsoft +ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft +ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft +ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft + +ATTRIBUTE MS-Filter 22 string Microsoft +ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft +ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft + +ATTRIBUTE MS-CHAP2-Response 25 string Microsoft +ATTRIBUTE MS-CHAP2-Success 26 string Microsoft +ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft + +ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft +ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft +ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft +ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft + +#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft + + +# +# Integer Translations +# + +# MS-BAP-Usage Values + +VALUE MS-BAP-Usage 
Not-Allowed 0
+VALUE MS-BAP-Usage Allowed 1
+VALUE MS-BAP-Usage Required 2
+
+# MS-ARAP-Password-Change-Reason Values
+
+VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
+VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
+VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
+VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
+
+# MS-Acct-Auth-Type Values
+
+VALUE MS-Acct-Auth-Type PAP 1
+VALUE MS-Acct-Auth-Type CHAP 2
+VALUE MS-Acct-Auth-Type MS-CHAP-1 3
+VALUE MS-Acct-Auth-Type MS-CHAP-2 4
+VALUE MS-Acct-Auth-Type EAP 5
+
+# MS-Acct-EAP-Type Values
+
+VALUE MS-Acct-EAP-Type MD5 4
+VALUE MS-Acct-EAP-Type OTP 5
+VALUE MS-Acct-EAP-Type Generic-Token-Card 6
+VALUE MS-Acct-EAP-Type TLS 13
+
diff --git a/root/etc/logrotate.d/radiusd-sme b/root/etc/logrotate.d/radiusd-sme
new file mode 100644
index 0000000..ac66561
--- /dev/null
+++ b/root/etc/logrotate.d/radiusd-sme
@@ -0,0 +1,13 @@
+/var/log/radius/daemon.log {
+ monthly
+ rotate 4
+ create
+ missingok
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
+ endscript
+}
+
diff --git a/root/sbin/e-smith/systemd/radiusd-configure b/root/sbin/e-smith/systemd/radiusd-configure
new file mode 100644
index 0000000..75f48ff
--- /dev/null
+++ b/root/sbin/e-smith/systemd/radiusd-configure
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Ensure that PRNG is adequately seeded.
+[ -s /etc/raddb/certs/dh ] ||\
+ /usr/local/bin/envuidgid stunnel \
+ /usr/bin/openssl gendh > /etc/raddb/certs/dh
+[ -s /etc/raddb/certs/random ] ||\
+ /usr/local/bin/envuidgid stunnel \
+ /bin/dd if=/dev/urandom of=/etc/raddb/certs/random bs=1k count=1
+
diff --git a/root/usr/lib/systemd/system/radiusd.service.d/50-koozali.conf b/root/usr/lib/systemd/system/radiusd.service.d/50-koozali.conf
new file mode 100644
index 0000000..c2bc928
--- /dev/null
+++ b/root/usr/lib/systemd/system/radiusd.service.d/50-koozali.conf
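Review bot: `create` is given without a mode or owner, so each replacement `/var/log/radius/daemon.log` inherits whatever attributes rsyslog used when it first created the file, and the rsyslog rule in 32radius sets none. Authentication logs record user names and client addresses, so pin it with `create 0640 root root` and set the matching `$FileCreateMode` for that rule in the rsyslog template so the first file is no more open than the rotated ones. The HUP via `/var/run/syslogd.pid` is correct only while the syslog daemon writes that pid file; a comment naming the daemon it targets would save the next person a check.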
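Review bot: `openssl gendh` is run without a size, so the group written to `/etc/raddb/certs/dh` has whatever length the tool defaults to (historically 512 bits, which current OpenSSL builds and peers reject as too weak), and because the guard is only `[ -s … ]` a file created that way is never regenerated. The redirection also creates the file in root's shell while only the generator runs under `envuidgid stunnel`, and an interrupted run leaves a partial file that still satisfies `-s`. The comment "Ensure that PRNG is adequately seeded" describes only the `random` file; the DH step deserves its own. Generate with an explicit size into a temporary file and move it into place only on success, as below; note that a 2048-bit group can take a while on first start.
```sh
#!/bin/sh

# Generate the DH group once, with an explicit size, and install it only
# if openssl succeeded, so a partial write cannot satisfy the -s test on
# the next start. DH parameters are not secret, hence the 0644.
if [ ! -s /etc/raddb/certs/dh ]; then
    tmp=$(mktemp /etc/raddb/certs/dh.XXXXXX) &&
    /usr/local/bin/envuidgid stunnel \
        /usr/bin/openssl dhparam 2048 > "$tmp" &&
    chmod 0644 "$tmp" &&
    mv -f "$tmp" /etc/raddb/certs/dh
fi

# Ensure that PRNG is adequately seeded.
# … unchanged: random seed file …
```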
@@ -0,0 +1,15 @@
+[Unit]
+After=ldap.service
+
+[Service]
+ExecStartPre=
+ExecStartPre=/sbin/e-smith/service-status radiusd
+ExecStartPre=/sbin/e-smith/systemd/radiusd-configure
+ExecStartPre=/sbin/e-smith/expand-template /etc/raddb/certs/radiusd.pem
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/usr/sbin/radiusd -C
+Restart=always
+
+[Install]
+WantedBy=sme-server.target
+
diff --git a/root/usr/lib/tmpfiles.d/radius.conf b/root/usr/lib/tmpfiles.d/radius.conf
new file mode 100644
index 0000000..a89b10e
--- /dev/null
+++ b/root/usr/lib/tmpfiles.d/radius.conf
@@ -0,0 +1 @@
+D /var/run/radiusd/tmp 0700 radiusd radiusd -
diff --git a/root/var/log/stunnel/ssl/.gitignore b/root/var/log/stunnel/ssl/.gitignore
new file mode 100644
index 0000000..e69de29
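Review bot: `ExecStartPre=/sbin/e-smith/expand-template /etc/raddb/certs/radiusd.pem` rewrites the server key-and-certificate file on every start, so its owner and mode depend entirely on the `templates.metadata/etc/raddb/certs/radiusd.pem` entry in the diffstat, which is not visible here and must keep the private key readable by the radiusd user only. `ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd` uses the deprecated `user.group` spelling (`radiusd:radiusd`) and the `-` prefix hides a failure, so a wrongly owned runtime directory only surfaces when radiusd fails to write there; with tmpfiles.d already creating `/var/run/radiusd/tmp` with the right owner, the recursion and the `-` can both go. `After=ldap.service` only orders the two units; if the ldap module is the authentication backend, `Wants=ldap.service` in `[Unit]` keeps radiusd from coming up without it.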