Release of 3.0.2 is imminent
Please test. One major cosmetic change is the hiding of secret keys when using "radiusd -X" ... client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> ... They still show up when using "radiusd -Xx". I've historically opposed this. The reason has been that the keys are needed for debugging, which is correct. However, the number of people who've screwed up and posted their secrets publicly is growing. In the interest of not letting people hurt themselves, the secrets are now secret by default. If anyone objects, please let me know. Alan DeKok.
On 17 Feb 2014, at 15:32, Alan DeKok <aland@deployingradius.com> wrote:
Please test.
One major cosmetic change is the hiding of secret keys when using "radiusd -X"
... client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> ...
They still show up when using "radiusd -Xx".
I've historically opposed this. The reason has been that the keys are needed for debugging, which is correct. However, the number of people who've screwed up and posted their secrets publicly is growing.
In the interest of not letting people hurt themselves, the secrets are now secret by default.
If anyone objects, please let me know.
Logging levels in rlm_pap have also been increased so that sensitive information is not output there either (unless -Xx). The server will, however, still print out User-Password values when printing a list of attributes in the request, and when forwarding requests. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Mon, Feb 17, 2014 at 10:32:50AM -0500, Alan DeKok wrote:
Please test.
Basic tests seem OK - builds as a debian package on wheezy/amd64, and works. Haven't exercised much else though. There's a warning about potentially unused variable compare in src/lib/valuepair.c:2651, but it can't happen looking at the code. Maybe needs a compare=compare to silence it?
One major cosmetic change is the hiding of secret keys when using "radiusd -X" ... They still show up when using "radiusd -Xx".
Seems reasonable - agree that User-Password should continue to show. Need enough to show that people have the wrong shared secret (corrupt user-password) or the user-password is wrong, which I think this will do. I don't think that it's a good thing to start mangling or blanking out attributes in debug output.
If anyone objects, please let me know.
Looks OK as is now. Just need to stop people posting -Xx by default, which a reasonable number still seem to do :( Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Matthew Newton wrote:
Basic tests seem OK - builds as a debian package on wheezy/amd64, and works. Haven't exercised much else though. There's a warning about potentially unused variable compare in src/lib/valuepair.c:2651, but it can't happen looking at the code. Maybe needs a compare=compare to silence it?
Weird. Arran saw that, too. Different compilers produce different warning messages. And from what I can tell, that warning message isn't true. Coverity doesn't complain, and it does more in-depth checks than gcc.
Seems reasonable - agree that User-Password should continue to show. Need enough to show that people have the wrong shared secret (corrupt user-password) or the user-password is wrong, which I think this will do. I don't think that it's a good thing to start mangling or blanking out attributes in debug output.
Exactly.
If anyone objects, please let me know.
Looks OK as is now. Just need to stop people posting -Xx by default, which a reasonable number still seem to do :(
Yes. It's hard to get people to follow the documentation. Alan DeKok.
On 18 Feb 2014, at 17:14, Alan DeKok <aland@deployingradius.com> wrote:
Matthew Newton wrote:
Basic tests seem OK - builds as a debian package on wheezy/amd64, and works. Haven't exercised much else though. There's a warning about potentially unused variable compare in src/lib/valuepair.c:2651, but it can't happen looking at the code. Maybe needs a compare=compare to silence it?
Unused or uninitialised? I got the latter. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Tue, Feb 18, 2014 at 05:29:27PM +0000, Arran Cudbard-Bell wrote:
On 18 Feb 2014, at 17:14, Alan DeKok <aland@deployingradius.com> wrote:
Matthew Newton wrote:
Basic tests seem OK - builds as a debian package on wheezy/amd64, and works. Haven't exercised much else though. There's a warning about potentially unused variable compare in src/lib/valuepair.c:2651, but it can't happen looking at the code. Maybe needs a compare=compare to silence it?
Unused or uninitialised? I got the latter.
Sorry yes, the latter. Looking at the code it can't ever happen afaict, but the warning is the only one I saw in the whole build. m. -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Unused or uninitialised? I got the latter.
Sorry yes, the latter. Looking at the code it can't ever happen afaict, but the warning is the only one I saw in the whole build.
"warning: 'compare' may be used uninitialized in this function" That's what I see... :-) Stefan -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
On 19 Feb 2014, at 10:48, <stefan.paetow@diamond.ac.uk> <stefan.paetow@diamond.ac.uk> wrote:
Unused or uninitialised? I got the latter.
Sorry yes, the latter. Looking at the code it can't ever happen afaict, but the warning is the only one I saw in the whole build.
"warning: 'compare' may be used uninitialized in this function"
switch to clang :) Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
stefan.paetow@diamond.ac.uk