Currently running 1.1.3 on CentOS 5.x. I am currently using the flat file option and it works just fine as long as the permissions on the file are: 664 RW-RW-R- Record in the file looks like: Tom <tab> Auth-Type := Local, User-Password := "tompass" This allows everyone to read the file - not good security. If I change the permissions to 660 RW-RW---- then freeRADIUS will not restart. I started setting up freeRADIUS to use MySQL DB for access but I must have something setup incorrectly. I tried to follow the How-To but still must be missing something in the setup. I have inserted a record into DB=radius and TALBE=radcheck where: Id = selected by the MySQL as the next index number UserName = tom Attribute = 'Cleartext-Password' Op = ':=' Value = tompass is the password So my questions are: 1. Is there a way to just secure the flatfile permissions? 2. Is there a complete How-To for using MySQL with freeRADIUS? Thanks, Tom Schmitt Senior IT Staff - R&D L-3 Communication Systems West Phone (801) 594-3030 \\\\||//// \ ~ ~ / | @ @ | --oOo---(_)---oOo-- Have A Nice Day !
So my questions are:
There REALLY needs to be a good reason that you are running any 1.X version or else your question should be, Why haven't I upgraded to the latest and most secure FreeRADIUS release. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] On Behalf Of d.tom.schmitt@L-3com.com Sent: Monday, August 01, 2011 4:09 PM To: freeradius-users@lists.freeradius.org Subject: Security issues with 1.1.3 flatfile Currently running 1.1.3 on CentOS 5.x. I am currently using the flat file option and it works just fine as long as the permissions on the file are: 664 RW-RW-R- Record in the file looks like: Tom <tab> Auth-Type := Local, User-Password := "tompass" This allows everyone to read the file - not good security. If I change the permissions to 660 RW-RW---- then freeRADIUS will not restart. I started setting up freeRADIUS to use MySQL DB for access but I must have something setup incorrectly. I tried to follow the How-To but still must be missing something in the setup. I have inserted a record into DB=radius and TALBE=radcheck where: Id = selected by the MySQL as the next index number UserName = tom Attribute = 'Cleartext-Password' Op = ':=' Value = tompass is the password So my questions are: 1. Is there a way to just secure the flatfile permissions? 2. Is there a complete How-To for using MySQL with freeRADIUS? Thanks, Tom Schmitt Senior IT Staff - R&D L-3 Communication Systems West Phone (801) 594-3030 \\\\||//// \ ~ ~ / | @ @ | --oOo---(_)---oOo-- Have A Nice Day !
Because that is what is installed when you do 'yum -y install freeradius' on the CentOS 5.x PBX-in-a-Flash (PiaF) platform. Otherwise, you have to explain to everyone how to manually install 2.1.7. Does the problem not exist in 2.1.7? Also, that was the How-To for MySQL that I was able to find. Do you have a newer link to a How-To? What is the latest release of freeRADIUS that I should try to use and is it already configured to run MySQL? Thanks, Tom Schmitt Senior IT Staff - R&D L-3 Communication Systems West 640 North 2200 West P.O. Box 16850 Salt Lake City, UT 84116 Phone (801) 594-3030 Cell (801) 231-7230 From: freeradius-users-bounces+d.tom.schmitt=l-3com.com@lists.freeradius.org [mailto:freeradius-users-bounces+d.tom.schmitt=l-3com.com@lists.freeradi us.org] On Behalf Of Sallee, Stephen (Jake) Sent: Monday, August 01, 2011 3:16 PM To: FreeRadius users mailing list Subject: RE: Security issues with 1.1.3 flatfile
So my questions are:
There REALLY needs to be a good reason that you are running any 1.X version or else your question should be, Why haven't I upgraded to the latest and most secure FreeRADIUS release. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.o rg] On Behalf Of d.tom.schmitt@L-3com.com Sent: Monday, August 01, 2011 4:09 PM To: freeradius-users@lists.freeradius.org Subject: Security issues with 1.1.3 flatfile Currently running 1.1.3 on CentOS 5.x. I am currently using the flat file option and it works just fine as long as the permissions on the file are: 664 RW-RW-R- Record in the file looks like: Tom <tab> Auth-Type := Local, User-Password := "tompass" This allows everyone to read the file - not good security. If I change the permissions to 660 RW-RW---- then freeRADIUS will not restart. I started setting up freeRADIUS to use MySQL DB for access but I must have something setup incorrectly. I tried to follow the How-To but still must be missing something in the setup. I have inserted a record into DB=radius and TALBE=radcheck where: Id = selected by the MySQL as the next index number UserName = tom Attribute = 'Cleartext-Password' Op = ':=' Value = tompass is the password So my questions are: 1. Is there a way to just secure the flatfile permissions? 2. Is there a complete How-To for using MySQL with freeRADIUS? Thanks, Tom Schmitt Senior IT Staff - R&D L-3 Communication Systems West Phone (801) 594-3030 \\\\||//// \ ~ ~ / | @ @ | --oOo---(_)---oOo-- Have A Nice Day !
Because that is what is installed when you do 'yum -y install freeradius' on the CentOS 5.x PBX-in-a-Flash (PiaF) platform.
That is a fair statement, however I will say the installing FR from source is the easiest source installation I have ever done. And as for staying up to date, a two line script can pull the latest source and build the new version, and if you're really crazy a third line can restart the service with your new binary. Sorry, didn't mean to hijack your thread. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] On Behalf Of d.tom.schmitt@L-3com.com Sent: Monday, August 01, 2011 4:45 PM To: FreeRadius users mailing list Subject: RE: Security issues with 1.1.3 flatfile Because that is what is installed when you do 'yum -y install freeradius' on the CentOS 5.x PBX-in-a-Flash (PiaF) platform. Otherwise, you have to explain to everyone how to manually install 2.1.7. Does the problem not exist in 2.1.7? Also, that was the How-To for MySQL that I was able to find. Do you have a newer link to a How-To? What is the latest release of freeRADIUS that I should try to use and is it already configured to run MySQL? Thanks, Tom Schmitt Senior IT Staff - R&D L-3 Communication Systems West 640 North 2200 West P.O. Box 16850 Salt Lake City, UT 84116 Phone (801) 594-3030 Cell (801) 231-7230 From: freeradius-users-bounces+d.tom.schmitt=l-3com.com@lists.freeradius.org [mailto:freeradius-users-bounces+d.tom.schmitt=l-3com.com@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake) Sent: Monday, August 01, 2011 3:16 PM To: FreeRadius users mailing list Subject: RE: Security issues with 1.1.3 flatfile
So my questions are:
There REALLY needs to be a good reason that you are running any 1.X version or else your question should be, Why haven't I upgraded to the latest and most secure FreeRADIUS release. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] On Behalf Of d.tom.schmitt@L-3com.com Sent: Monday, August 01, 2011 4:09 PM To: freeradius-users@lists.freeradius.org Subject: Security issues with 1.1.3 flatfile Currently running 1.1.3 on CentOS 5.x. I am currently using the flat file option and it works just fine as long as the permissions on the file are: 664 RW-RW-R- Record in the file looks like: Tom <tab> Auth-Type := Local, User-Password := "tompass" This allows everyone to read the file - not good security. If I change the permissions to 660 RW-RW---- then freeRADIUS will not restart. I started setting up freeRADIUS to use MySQL DB for access but I must have something setup incorrectly. I tried to follow the How-To but still must be missing something in the setup. I have inserted a record into DB=radius and TALBE=radcheck where: Id = selected by the MySQL as the next index number UserName = tom Attribute = 'Cleartext-Password' Op = ':=' Value = tompass is the password So my questions are: 1. Is there a way to just secure the flatfile permissions? 2. Is there a complete How-To for using MySQL with freeRADIUS? Thanks, Tom Schmitt Senior IT Staff - R&D L-3 Communication Systems West Phone (801) 594-3030 \\\\||//// \ ~ ~ / | @ @ | --oOo---(_)---oOo-- Have A Nice Day !
On 08/01/2011 05:50 PM, Sallee, Stephen (Jake) wrote:
Because that is what is installed when you do ‘yum –y install freeradius’ on the CentOS 5.x PBX-in-a-Flash (PiaF) platform.
That is a fair statement, however I will say the installing FR from source is the easiest source installation I have ever done. And as for staying up to date, a two line script can pull the latest source and build the new version, and if you’re really crazy a third line can restart the service with your new binary.
FWIW the following FAQ explains how to build FreeRADIUS rpms as well as a lot of other useful info for FreeRADIUS on Fedora/RHEL/CentOS http://wiki.freeradius.org/Red_Hat_FAQ -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 01/08/2011 22:08, d.tom.schmitt@L-3com.com wrote:
Currently running 1.1.3 on CentOS 5.x.
Upgrade
I am currently using the flat file option and it works just fine as long as the permissions on the file are:
664 RW-RW-R—
Record in the file looks like:
Tom <tab> Auth-Type := Local, User-Password := “tompass”
This allows everyone to read the file – not good security.
If I change the permissions to 660 RW-RW---- then freeRADIUS will not restart.
Who owns the file? Which user does FR run as? If FR runs as 'radiusd' and the file is owned by root:root, then it's not surprising that FR cant read the file unless it is chmod o+r. [upgrade and] fix the permissions and it will work. -James
On 08/01/2011 05:08 PM, d.tom.schmitt@L-3com.com wrote:
Currently running 1.1.3 on CentOS 5.x.
You really should upgrade to 2.x. In RHEL 5 the package name of the 2.x version of FreeRADIUS is freeradius2. The reason why the package name is different is because the configuration of FreeRADIUS versions 1.x are not the same as 2.x therefore we can't replace the 1.x version with 2.x because that would break existing installations, thus in RHEL5 we added new FreeRADIUS packages under the freeradius2 package name. Of course that's RHEL, I can only presume CentOS is tracking us and picked up the new freeradius2. In RHEL 6 we didn't have the conflict, the 2.x version of FreeRADIUS is the expected package name of freeradius. FWIW a number of the permission and other issues were cleaned up in the 2.x package versions. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
d.tom.schmitt@L-3com.com wrote:
Currently running 1.1.3 on CentOS 5.x.
I am currently using the flat file option and it works just fine as long as the permissions on the file are:
664 RW-RW-R-
Is the file owner the same as the user as which freeradius is running? If it is, I would expect 400 or at worst 600 to work. That will probably make editting a job for root. Or make it 660 where the group is user management. Andrew -- REALITY.SYS not found: Universe halted.
participants (5)
-
Andrew Hood -
d.tom.schmitt@L-3com.com -
James J J Hooper -
John Dennis -
Sallee, Stephen (Jake)