Bugs installing 2.0pre1
Hi, guys! After successfully building a FreeRadius 2.0pre1 package with "dpkg-buildpackage -us -uc", I had many errors installing and running it. In the end it worked, but I decided to document every error so that they won't appear again when I try 2.0pre2. :) # "freeradius -x" should be "freeradius -X" root@caju-test:/etc# dpkg -i /usr/local/src/freeradius- postgresql_2.0.0-pre0_i386.deb Selecting previously deselected package freeradius-postgresql. (Reading database ... 49070 files and directories currently installed.) Unpacking freeradius-postgresql (from .../freeradius-postgresql_2.0.0- pre0_i386.deb) ... Setting up freeradius-postgresql (2.0.0-pre0) ... Restarting FreeRADIUS daemon... Stopping FreeRADIUS daemon: freeradius. Starting FreeRADIUS daemon: (failed! run '/usr/sbin/freeradius -x' to find out why.) # No exec permission Exec-Program output: Exec-Program: FAILED to execute /etc/freeradius/ certs/bootstrap: Permission denied Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /etc/ freeradius/certs/bootstrap: Permission denied root@caju-test:/etc# ls freeradius/certs/ -l -rw-r----- 1 root freerad 297 2007-08-18 02:22 bootstrap (...) # chmod +x certs/bootstrap # After that: Generating a 2048 bit RSA private key ........................................................................ .................................................+++ ......................+++ unable to write 'random state' writing new private key to 'ca.key' # Fixing it: chmod g+w certs freeradius -X # Creates certificates OK # After that, wrong permissions for new files: root@caju-test:/etc/freeradius/certs# ls -la total 54 drwxr-s--x 2 root freerad 1024 2007-08-18 02:37 . drwxr-s--x 4 root freerad 1024 2007-08-18 02:33 .. -rw-r--r-- 1 freerad freerad 4210 2007-08-18 02:36 01.pem -rwxr-x--- 1 root freerad 297 2007-08-18 02:22 bootstrap -rw-r----- 1 root freerad 1155 2007-08-18 02:22 ca.cnf (...) -rw-r--r-- 1 freerad freerad 5120 2007-08-18 02:37 random -rw-r----- 1 root freerad 4063 2007-08-18 02:22 README -rw-r--r-- 1 freerad freerad 3 2007-08-18 02:36 serial -rw-r--r-- 1 freerad freerad 3 2007-08-18 02:36 serial.old -rw-r----- 1 root freerad 1123 2007-08-18 02:22 server.cnf (...) -rw-r--r-- 1 freerad freerad 3503 2007-08-18 02:36 server.pem # Fixing permissions: root@caju-test:/etc/freeradius/certs# chown root * root@caju-test:/etc/freeradius/certs# chmod o= * # /doc/examples/postgresql.sql # radusergroup comes without primary key CREATE TABLE radusergroup ( id SERIAL PRIMARY KEY, -- this line is missing UserName VARCHAR(64) NOT NULL DEFAULT '', GroupName VARCHAR(64) NOT NULL DEFAULT '', priority INTEGER NOT NULL DEFAULT 0 ); # What does this mean? # (output of freeradius -X after simple authentication with radtest) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!! !!! Replacing User-Password in config items with Cleartext- Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User- Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!! And that's all. -- Humberto Diógenes http://humberto.digi.com.br
Hi,
After successfully building a FreeRadius 2.0pre1 package with "dpkg-buildpackage -us -uc", I had many errors installing and running it. In the end it worked, but I decided to document every error so that they won't appear again when I try 2.0pre2. :)
ah. you should checkout the CVS to be on-the-ball with fixes since pre1
# "freeradius -x" should be "freeradius -X"
i think '-x' should be deprecated...
# What does this mean? # (output of freeradius -X after simple authentication with radtest) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!! !!! Replacing User-Password in config items with Cleartext- Password. !!!
exactly what it says ont he tin. 'User-Password' is now deprecated. use 'Cleartext-Password' instead as the value. its in the main docs (and i think the wiki got updated. comparison Cleartext-Password := "h4ppy_-_ch1ck3n" alan
On 18/08/2007, at 07:58, A.L.M.Buxey@lboro.ac.uk wrote:
ah. you should checkout the CVS to be on-the-ball with fixes since pre1
Yeah, I thought that, but when trying to get the repository URL from www.freeradius.org it wasn't accessible. I still can't open it now. It seems to be a problem with the web server only - FTP is in the same IP address and is working fine. Anyway, got the url now from google cache.
# What does this mean? !!! Replacing User-Password in config items with Cleartext- Password. !!!
exactly what it says ont he tin.
'User-Password' is now deprecated. use 'Cleartext-Password' instead as the value. its in the main docs (and i think the wiki got updated. comparison
(Did any text disappear here?)
Cleartext-Password := "h4ppy_-_ch1ck3n"
There isn't much about it in /doc: $ grep -r Cleartext . ./cisco: !root Cleartext-Password := "somepass" ./ldap_howto.txt:# Cleartext passwords, especially for the rootdn, should ./rfc/rfc3748.txt: 7.14. Cleartext Passwords . . . . . . . . . . . . . . . . . . 55 ./rfc/rfc3748.txt:7.14. Cleartext Passwords ./rlm_sql: joeuser Cleartext-Password := somepassword But I found it in the wiki. Gonna read it and try again later. Thanks! -- Humberto Diógenes http://humberto.digi.com.br
Humberto Diogenes wrote:
Starting FreeRADIUS daemon: (failed! run '/usr/sbin/freeradius -x' to find out why.)
I just fixed that.
# No exec permission Exec-Program output: Exec-Program: FAILED to execute /etc/freeradius/ certs/bootstrap: Permission denied
You installed the server as root, and are not running it as root. That is wrong. The permissions are set to be secure, so that no one else can read the private configuration files.
unable to write 'random state' writing new private key to 'ca.key'
# Fixing it: chmod g+w certs
No. The RADIUS server should NOT have permission to write to its configuration files. This is for security.
# After that, wrong permissions for new files: root@caju-test:/etc/freeradius/certs# ls -la total 54 drwxr-s--x 2 root freerad 1024 2007-08-18 02:37 . drwxr-s--x 4 root freerad 1024 2007-08-18 02:33 .. -rw-r--r-- 1 freerad freerad 4210 2007-08-18 02:36 01.pem
While those permissions *look* insecure, they're not. The permissions for '.', above, ensure that unwanted people can't access the files.
# Fixing permissions: root@caju-test:/etc/freeradius/certs# chown root * root@caju-test:/etc/freeradius/certs# chmod o= *
And the server SHOULD be run as "root" the first time to generate the certificates. You should then fix the permissions to match your local policy. Alan DeKok.
Alan DeKok wrote:
And the server SHOULD be run as "root" the first time to generate the certificates. You should then fix the permissions to match your local policy.
The Debian policy is to run FreeRADIUS as non-root user. I'm going to fix the Debian post-install script (which runs as root) to create the default certificates for a new install. BTW I noticed that "bootstrap" creates by default world-readable certificates. Perhaps the following patch may be useful: Index: raddb/certs/bootstrap =================================================================== RCS file: /source/radiusd/raddb/certs/bootstrap,v retrieving revision 1.2 diff -u -r1.2 bootstrap --- raddb/certs/bootstrap 18 Aug 2007 13:34:31 -0000 1.2 +++ raddb/certs/bootstrap 19 Aug 2007 12:20:56 -0000 @@ -10,5 +10,6 @@ # # $Id: bootstrap,v 1.2 2007/08/18 13:34:31 aland Exp $ # +umask 027 cd `dirname $0` make ca server dh random -- Nicolas Baradakis
Nicolas Baradakis wrote:
The Debian policy is to run FreeRADIUS as non-root user. I'm going to fix the Debian post-install script (which runs as root) to create the default certificates for a new install.
Yes, that's the correct thing to do.
BTW I noticed that "bootstrap" creates by default world-readable certificates. Perhaps the following patch may be useful:
Yes to that, too. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Humberto Diogenes -
Nicolas Baradakis