Radius Client UDP port selection

Brian Candler B.Candler at pobox.com
Sun Feb 6 12:17:40 CET 2011


On Sun, Feb 06, 2011 at 11:11:58AM +0000, Brian Candler wrote:
> 1. If pam_radius_client doesn't have the ability to bind to a particular
> port, then you can modify the source code to do so. The call you need is
> bind() after the socket has been created.

Ah, it turns out the code to do this is already there: (pam_radius_auth.c)

  /*
   *  Use our process ID as a local port for RADIUS.
   */
  local_port = (getpid() & 0x7fff) + 1024;
  do {
    local_port++;
    s_in->sin_port = htons(local_port);
  } while ((bind(conf->sockfd, &salocal, sizeof (struct sockaddr_in)) < 0) && 
           (local_port < 64000));
  
  if (local_port >= 64000) {
    close(conf->sockfd);
    _pam_log(LOG_ERR, "No open port we could bind to.");
    return PAM_AUTHINFO_UNAVAIL;
  }

As you can see, the initial local_port is currently chosen in the range 1024
to 33791 (1024+32767), essentially at random, and if that one is in use then
it keeps incrementing until it finds a free one under 64000.

Adjust to use whatever range you like.

> 2. I think you said before you only wanted to make sure that the port
> was >32768. So you can configure your OS so that *all* outbound
> connections bind to ports >32768.

Sorry, that won't work here, because the code is choosing its local port
explicitly.

Regards,

Brian.
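
The range adjustment discussed in the message above, as an added example (not code from pam_radius_auth.c or from the original post): it binds a UDP socket to a local port in a caller-chosen range, starting from a PID-derived port, wrapping at the top of the range, and moving on only when bind() reports EADDRINUSE. The function names and the 32769-64000 range used in main() are assumptions chosen for illustration.

```c
/* Added example, not pam_radius code: bind a UDP socket to a local port
 * inside a caller-chosen range [lo, hi]. All names are hypothetical. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Map the PID onto a starting port inside [lo, hi]. */
static unsigned start_port(unsigned pid, unsigned lo, unsigned hi)
{ return lo + pid % (hi - lo + 1); }

/* Step to the next candidate, wrapping from hi back to lo. */
static unsigned next_port(unsigned port, unsigned lo, unsigned hi)
{ return port >= hi ? lo : port + 1; }

/* Try each port in [lo, hi] once. Returns the bound port, or -1 with
 * errno set. Only EADDRINUSE moves on to the next port; any other
 * bind() failure (EACCES, EBADF, ...) is returned immediately. */
static int bind_in_range(int fd, unsigned lo, unsigned hi, unsigned pid)
{
    struct sockaddr_in sa;
    unsigned port, tries;

    if (lo == 0 || lo > hi || hi > 65535) { errno = EINVAL; return -1; }
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    port = start_port(pid, lo, hi);
    for (tries = 0; tries <= hi - lo; tries++) {
        sa.sin_port = htons((unsigned short)port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
            return (int)port;
        if (errno != EADDRINUSE)
            return -1;
        port = next_port(port, lo, hi);
    }
    errno = EADDRINUSE;   /* every port in the range was taken */
    return -1;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int port = bind_in_range(fd, 32769, 64000, (unsigned)getpid());
    printf("bound local port: %d\n", port);
    if (fd >= 0) close(fd);
    return port < 0;
}
```

Keeping the range narrow and fixed lets a firewall rule for the RADIUS client name the exact source ports it expects.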


