Re: Radius Client UDP port selection
I am talking about pam_radius_client. I want this pam_radius_auth.so client to select a particular UDP port to communicate with external radius server. so that server can send authentication responce on the same port back to client.
On Sun, Feb 06, 2011 at 10:06:01AM -0000, vijay s sheelavantar wrote:
I am talking about pam_radius_client. I want this pam_radius_auth.so client to select a particular UDP port to communicate with external radius server. so that server can send authentication responce on the same port back to client.
Of course, the server will always send the authentication response back to whatever port the client selected. Your options are: 1. If pam_radius_client doesn't have the ability to bind to a particular port, then you can modify the source code to do so. The call you need is bind() after the socket has been created. Warning: hacking C code in security-sensitive modules (especially those running as root) is a risky business. Get an expert to make this change for you, or become an expert first. (Recommended reading: Unix Network Programming vol 1, and Advanced Programming in the Unix Environment, both by Richard Stevens) 2. I think you said before you only wanted to make sure that the port was
32768. So you can configure your OS so that *all* outbound connections bind to ports >32768.
Google "linux ephemeral port range" for details. On my system: $ cat /proc/sys/net/ipv4/ip_local_port_range 32768 61000 So in fact, all connections from my machine would be >=32768 anyway. Regards, Brian.
On Sun, Feb 06, 2011 at 11:11:58AM +0000, Brian Candler wrote:
1. If pam_radius_client doesn't have the ability to bind to a particular port, then you can modify the source code to do so. The call you need is bind() after the socket has been created.
Ah, it turns out the code to do this is already there: (pam_radius_auth.c) /* * Use our process ID as a local port for RADIUS. */ local_port = (getpid() & 0x7fff) + 1024; do { local_port++; s_in->sin_port = htons(local_port); } while ((bind(conf->sockfd, &salocal, sizeof (struct sockaddr_in)) < 0) && (local_port < 64000)); if (local_port >= 64000) { close(conf->sockfd); _pam_log(LOG_ERR, "No open port we could bind to."); return PAM_AUTHINFO_UNAVAIL; } As you can see, the initial local_port is currently chosen in the range 1024 to 33791 (1024+32767), essentially at random, and if that one is in use then it keeps incrementing until it finds a free one under 64000. Adjust to use whatever range you like.
2. I think you said before you only wanted to make sure that the port was
32768. So you can configure your OS so that *all* outbound connections bind to ports >32768.
Sorry, that won't work here, because the code is choosing its local port explicitly. Regards, Brian.
participants (2)
-
Brian Candler -
vijay s sheelavantar