Hello Carla, 

for this one, you need to check http://freeradius.org/security.html (quote 
below) : 

" 

We suggest that all administrators upgrade all of their systems to a version of 
OpenSSL which is not vulnerable to this attack. Sites which allow random IPs to 
connect to a TLS server (e.g. SMTPS or HTTPS) should assume that all 
information available to those servers has been stolen from those systems. This 
information includes user credentials, keys for private certificates, cookies 
sent over HTTPS, etc. 
We have updated FreeRADIUS (all versions) so that it refuses to start when it 
detects the vulnerable versions of OpenSSL. Administrators can over-ride this 
check by setting allow_vulnerable_openssl = yes in the security subsection of 
radiusd.conf. 
" 

So you need to add this parameter in your radius configuration. 

It is set in the radius configuration provided by packetfence 4.2.2, in 
/usr/local/conf/radiusd/radiusd.conf 

----- Original Message -----

> From: "Carla Nurse" <[email protected]>
> To: [email protected]
> Sent: Thursday, June 5, 2014 12:53:17
> Subject: Re: [PacketFence-users] Radtest Fail

> Okay, so I think I know why the tests weren't working. The radiusd
> service isn't running.
> [root@pf-zen-esx ~]# service radiusd status
> radiusd is stopped
> [root@pf-zen-esx ~]# service radiusd start
> Starting radiusd: [FAILED]

> When I run the radiusd -X command, the end indicates that it is
> "Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb
> 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160
> (Heartbleed)". I tried to update it using the yum install openssl
> 1.0.1g but that failed. Indicating that the package was not
> available.
> [root@pf-zen-esx ~]# radiusd -X
> radiusd: FreeRADIUS Version 2.2.5, for host x86_64-redhat-linux-gnu,
> built on Apr 29 2014 at 09:18:14
> Copyright (C) 1999-2013 The FreeRADIUS server project and
> contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named
> COPYRIGHT.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/redis
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/replicate
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/krb5
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/rediswho
> including configuration file /etc/raddb/modules/dynamic_clients
> including configuration file /etc/raddb/modules/policy
> including configuration file
> /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/soh
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/cache
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/cui
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/opendirectory
> including configuration file /etc/raddb/modules/dhcp_sqlippool
> including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/ detail.example.com
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/radrelay
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/ntlm_auth
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> including configuration file /etc/raddb/sites-enabled/control-socket
> including configuration file /etc/raddb/sites-enabled/default
> main {
> user = "radiusd"
> group = "radiusd"
> allow_core_dumps = no
> }
> including dictionary file /etc/raddb/dictionary
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> allow_vulnerable_openssl = no
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = "testing123"
> response_window = 20
> max_outstanding = 65536
> require_message_authenticator = yes
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> num_pings_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = "testing123"
> nastype = "other"
> }
> Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
> (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160
> (Heartbleed)
> For more information see http://heartbleed.com

> I am now officially stumped. Are there any other files that I should
> be checking in order to get this sorted?

> Rich:
> I do not know enough about Linux or Samba for the error messages to
> be much use. Is there something in particular that I should be
> looking for?

> Carla

> On Wed, Jun 4, 2014 at 4:30 PM, Louis Munro < [email protected] > wrote:

> > Hi Carla,

> > No, this file is not part of PacketFence.
> > I doubt that is really the issue. That file is mostly used to
> > authenticate local users.
> > I believe pam.d/common-auth is only on Debian (and maybe Ubuntu) so
> > if you have a RedHat based system that will not apply in any case.

> > What you are trying to achieve is authentication of external (i.e.
> > RADIUS) users via ntlm_auth.
> > All FreeRadius really cares about is the return code from
> > ntlm_auth.

> > I have never had to change pam settings to get ntlm_auth working.

> > Regards,

> > --
> > Louis Munro
> > [email protected] :: www.inverse.ca
> > +1.514.447.4918 *125 :: +1 (866) 353-6153
> > Inverse inc. :: Leaders behind SOGo ( www.sogo.nu ) and PacketFence
> > ( www.packetfence.org )

> > On 2014-06-04, at 15:27 , Carla Nurse < [email protected] > wrote:

> > > Louis,

> > > I am currently working with the Samba mail list. One person has
> > > indicated it may be a lack of a file /etc/pam.d/common-auth.
> > > Is this file usually found on PacketFence? And if so, can you give
> > > me an idea of the configuration required for it?

> > > Carla

> > > On Mon, Jun 2, 2014 at 5:17 PM, Carla Nurse < [email protected] > wrote:

> > > > Louis,

> > > > I will check with them and see if there is anything that can be done.
> > > > I will continue to work on the configuration during that time.

> > > > Thank you for your assistance.

> > > > Carla

> > > > On Mon, Jun 2, 2014 at 5:04 PM, Louis Munro < [email protected] > wrote:

> > > > > wbinfo -u should return the list of users in the domain.

> > > > > This would seem to indicate an issue with either the rights of
> > > > > the user doing the query or the AD configuration.

> > > > > You might be better helped by the samba mailing list as this
> > > > > issue is really more with winbind/AD than with PacketFence.

> > > > > Best regards,

> > > > > --
> > > > > Louis Munro
> > > > > [email protected] :: www.inverse.ca
> > > > > +1.514.447.4918 *125 :: +1 (866) 353-6153
> > > > > Inverse inc. :: Leaders behind SOGo ( www.sogo.nu ) and
> > > > > PacketFence ( www.packetfence.org )

> > > > > On 2014-06-02, at 16:50 , Carla Nurse < [email protected] > wrote:

> > > > > > Hi Louis,

> > > > > > When I run wbinfo -u it goes straight back to prompt. I tried
> > > > > > wbinfo -p and the ping to winbindd succeeded.

> > > > > > On Mon, Jun 2, 2014 at 4:36 PM, Louis Munro < [email protected] > wrote:

> > > > > ------------------------------------------------------------------------------
> > > > 
> > > 
> > 
> 
> > > > > Learn Graph Databases - Download FREE O'Reilly Book
> > > > 
> > > 
> > 
> 
> > > > > "Graph Databases" is the definitive new guide to graph
> > > > > databases
> > > > > and
> > > > > their
> > > > 
> > > 
> > 
> 
> > > > > applications. Written by three acclaimed leaders in the
> > > > > field,
> > > > 
> > > 
> > 
> 
> > > > > this first edition is now available. Download your free book
> > > > > today!
> > > > 
> > > 
> > 
> 
> > > > > http://p.sf.net/sfu/NeoTech
> > > > 
> > > 
> > 
> 
> > > > > _______________________________________________
> > > > 
> > > 
> > 
> 
> > > > > PacketFence-users mailing list
> > > > 
> > > 
> > 
> 
> > > > > [email protected]
> > > > 
> > > 
> > 
> 
> > > > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > > > 
> > > 
> > 
> 


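The refusal in the debug output is keyed on the libssl version string (range 1.0.1 - 1.0.1f), and distributions that backport fixes keep that string unchanged, so it is worth confirming that the installed package carries the CVE-2014-0160 fix before setting the override. The sketch below is an added example, not code from this thread, FreeRADIUS or PacketFence; the function names and the saved-changelog workflow are assumptions.

```shell
#!/bin/sh
# Added example; function names are illustrative, not FreeRADIUS/PacketFence code.
CVE="CVE-2014-0160"

# Print allow_vulnerable_openssl as set in the security { } subsection of a
# radiusd.conf-style file ("unset" if the key is absent).
override_value() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*security[ \t]*[{]/ { in_sec = 1; next }
        in_sec && /[}]/ { in_sec = 0 }
        in_sec && /^[ \t]*allow_vulnerable_openssl[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); val = $0
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# assess CONF CHANGELOG
# CHANGELOG is a file holding the saved output of `rpm -q --changelog openssl`.
assess() {
    if ! grep -q "$CVE" "$2"; then
        echo "upgrade-openssl"   # no fix listed: the override would run a vulnerable libssl
    elif [ "$(override_value "$1")" = "yes" ]; then
        echo "ok"                # fix present and override already set
    else
        echo "set-override"      # fix present, but radiusd still refuses on the version string
    fi
}

# Constructed sample inputs (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf 'security {\n\tmax_attributes = 200\n\tallow_vulnerable_openssl = no\n}\n' > "$d/radiusd.conf"
    printf '* constructed entry\n- fix %s - TLS heartbeat information disclosure\n' "$CVE" > "$d/patched.log"
    printf '* constructed entry\n- unrelated change\n' > "$d/unpatched.log"
    echo "patched package:   $(assess "$d/radiusd.conf" "$d/patched.log")"
    echo "unpatched package: $(assess "$d/radiusd.conf" "$d/unpatched.log")"
    rm -rf "$d"
}
demo
```

On a live host, save `rpm -q --changelog openssl` to a file and pass it together with `/etc/raddb/radiusd.conf`, the file radiusd loaded in the debug output above.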