Greetings.

I am using Radiator (was: 2.13.1, now: 2.14.1) under BSDI 4.01 and
have a couple of difficulties:

Safer Authentication:
=====================
- I don't want to run Radiator under uid root, so I run it under 'radius'.
BSDI has very detailed ideas about the correct permissions of the system
password files (/etc/master.passwd and /etc/spwd.db in particular),
and corrects them whenever you run 'passwd', 'chfn', 'chpass', etc.
While I have hacked adduser into submission, I still have to rely on
a cronjob that runs every minute and chowns/chmods these files to
root:radius with 0640 permissions.

Naturally, there is a race condition here: change the password for a
user, and the password file is unreadable for Radiator until the
minute is full - Radiator craps out with an error message and DOES NOT
recover.

How can Radiator be configured to keep re-trying to read the password
file indefinitely in case of an error?

I am considering pointing my <AuthBy Unix> realm to a copied
password file with the Filename option, but: how does Radiator deal
with the "widepasswords" (/etc/login.conf class config) option of
BSDI? Does it auto-recognize 3DES and MD5 password hashes without
going through system routines like getpass()?

Multiple Login protection and SNMP:
===================================
- What SNMP package does Radiator really require? I have UCD's SNMP
package 3.6.2 and the CPAN SNMP-1.8.2 package installed - which seemed
to horribly fail for 2.13.1 due to the API for SNMP having changed
somewhat.

- I had events where a Lucen^H^H^H^H^H Livingston PM3 would keep
crashing every few days, taking all radius accounting
stop records into the bitgrave with it: when it rebooted, none of
the users that were on during the time of the crash could log
back in because Radiator thought their sessions were still active -
and I saw several weird SNMP messages indicating that SNMP calls
failed (I sniffed the SNMP requests over the wire, they were being
handled correctly).

How does Radiator keep tabs on multiple logins? I have used ESVA-Radius
(Livingston-derived) for the longest of times, and it kept a list in
a certain file hierarchy, which made it easy to 'peek' into that
file hierarchy and erase 'stuck' users (that would almost never happen).
The file hierarchy made for a nice and easy 'pmwho' tool, too.

Does Radiator clear the perceived user off a port when a new login on
that port occurs?

Auto-restart from cron:
=======================
- I start radiator on system startup with:
/usr/bin/su -l radius -c "/path/to/radiusd"

Due to the permissions problems, I wish to restart Radiator as a safe-guard
every hour or so, especially in off-hours. When I kill Radiator from
a cron job (/bin/sh script) and try to restart it, su core-dumps with
a segmentation fault. I am almost sure this is related to Radiator's
detaching from the current tty (there isn't any during a cron job).

Can anyone shed some light on this particular behavior?

Thanks,
bye, Kai
--
[EMAIL PROTECTED] "Just say No" to Spam Kai Schlichting
Palo Alto, New York, You name it Sophisticated Technical Peon
Kai's SpamShield <tm> is FREE! http://SpamShield.Conti.nu
LeasedLines-FrameRelay-IPLs-ISDN-PPP-Cisco-Consulting-VoiceFax-Data-Muxes
WorldWideWebAnything-Intranets-NetAdmin-UnixAdmin-Security-ReallyHardMath
===
Archive at http://www.thesite.com.au/~radiator/
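
An added example, not part of the original message and not Radiator code: one way to maintain the copied password file considered in the post without a window in which the reader finds it unreadable, by building the copy under a temporary name and renaming it into place. The function name, the paths and the optional group argument are assumptions; whether Radiator can check BSDI's wide password hashes from such a file is the open question in the post and is not addressed here.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): publish a group-readable copy of a
# password file so that a non-root daemon never sees a missing, partial or
# unreadable file. System tools keep resetting the mode of the original;
# they never touch the copy.
#
# usage: publish_copy SRC DST [GROUP]
publish_copy() {
    src=$1
    dst=$2
    group=${3:-}
    dstdir=$(dirname "$dst")

    # Unchanged source: nothing to publish, leave the current copy alone.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0
    fi

    # The temp file lives in the destination directory so the final mv is a
    # rename within one filesystem, which replaces DST in a single step.
    # mktemp creates it with mode 0600, so the hashes are never exposed.
    tmp=$(mktemp "$dstdir/.pwcopy.XXXXXX") || return 1

    if cp "$src" "$tmp" &&
       { [ -z "$group" ] || chgrp "$group" "$tmp"; } &&
       chmod 0640 "$tmp" &&
       mv -f "$tmp" "$dst"
    then
        return 0
    fi

    # Any failure: drop the temp file and keep the previous copy in place.
    rm -f "$tmp"
    return 1
}

# Run from root's crontab with constructed example paths, e.g.
#   publish_copy /etc/master.passwd /var/radius/master.passwd radius
if [ "$#" -ge 2 ]; then
    publish_copy "$@"
fi
```

The copy holds password hashes, so the destination directory should be writable by root only and readable by the daemon's group alone.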