Bug#709086: freeradius: logrotate causes mschap module to fail

2015-11-03 Thread Italo Valcy
Hello all,

We have the same problem, not only with mschap, but also with ttls+pap and
peap+pap. The problem was seen with the wheezy version of freeradius
[1], but after upgrading to wheezy-backports [2] (freeradius 2.2.5) the
issue was not seen anymore, even with logrotate doing a daemon reload
(20 times, for now).

So, a workaround to this issue is to upgrade freeradius to
wheezy-backports. Pay attention to the openssl Heartbleed check, because
since 2014.04.08 [3], freeradius refuses to start when it finds a supposedly
vulnerable version (actually it is not, because it was fixed in
1.0.1e-2+deb7u17). Then you need to change radiusd.conf and include:

diff --git a/freeradius/radiusd.conf b/freeradius/radiusd.conf
index 8feb3e2..cd5d18d 100644
--- a/freeradius/radiusd.conf
+++ b/freeradius/radiusd.conf
@@ -524,6 +524,9 @@ security {
#  See also raddb/sites-available/status
#
status_server = yes
+
+
+   allow_vulnerable_openssl = yes
 }

 # PROXY CONFIGURATION
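
Review bot: the added allow_vulnerable_openssl = yes line in the security block carries no comment saying why the startup check is being overridden, while the status_server entry just above it is documented. Add a comment line above it recording that the override relies on the installed openssl being 1.0.1e-2+deb7u17 or later, the version the message says carries the fix, so the setting can be revisited when that package changes. The two empty "+" lines before it can be reduced to one.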


Regards, Italo



[1] versions of freeradius before update (with problem)

ii  freeradius         2.1.12+dfsg-1.2  amd64  high-performance and highly configurable RADIUS server
ii  freeradius-common  2.1.12+dfsg-1.2  all    FreeRADIUS common files
ii  freeradius-ldap    2.1.12+dfsg-1.2  amd64  LDAP module for FreeRADIUS server
ii  freeradius-utils   2.1.12+dfsg-1.2  amd64  FreeRADIUS client utilities
ii  libfreeradius2     2.1.12+dfsg-1.2  amd64  FreeRADIUS shared library


[2] upgraded freeradius to wheezy-backports

ii  freeradius         2.2.5+dfsg-0.1~bpo70+1  amd64  high-performance and highly configurable RADIUS server
ii  freeradius-common  2.2.5+dfsg-0.1~bpo70+1  all    FreeRADIUS common files
ii  freeradius-ldap    2.2.5+dfsg-0.1~bpo70+1  amd64  LDAP module for FreeRADIUS server
ii  freeradius-utils   2.2.5+dfsg-0.1~bpo70+1  amd64  FreeRADIUS client utilities
ii  libfreeradius2     2.2.5+dfsg-0.1~bpo70+1  amd64  FreeRADIUS shared library


[3] http://freeradius.org/security.html



Bug#709086: freeradius: logrotate causes mschap module to fail

2013-12-10 Thread Josip Rodin
On Mon, Dec 09, 2013 at 02:59:50PM +0100, Rolf Wojtech wrote:
> This is a critical problem because it makes all installations based on
> mschap unstable.

Not everyone uses mschap, thankfully :)

Whoever is interested should investigate and do an NMU.

-- 
 2. That which causes joy or happiness.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#709086: freeradius: logrotate causes mschap module to fail

2013-12-09 Thread Rolf Wojtech
Wheezy is still affected and I assume so is sid.

Maybe I am missing something but I would like to call into question if the
debian package freeradius is still maintained?

This is a critical problem because it makes all installations based on
mschap unstable. It could be fixed by the maintainer very easily as
mentioned above.

The proper fix for this problem has been released in September 2012
(Freeradius Version 2.2.0), current 2.2.x is 2.2.2 and head is 3.0.
None of these releases have made it into wheezy, jessie or sid.

Does anyone know if Josip Rodin, Stephen Gran or Mark Hymers are still
working on this package (all listed as maintainers)? I'll set them as CC to
this message.
My knowledge of freeradius is limited to the user perspective and I have not
much experience with package building, but maybe one of the old maintainers
could package a new release for a future debian.

For now I patched the logrotate command to restart instead of reload by the
way.

Regards, Rolf Wojtech





Bug#709086: freeradius: logrotate causes mschap module to fail

2013-10-30 Thread Daniel Baumann
What's the status of this? Adding a simple 'restart' instead of 'reload'
works; do you need any help? It would be nice to get this fixed in sid (and
later on in wheezy too).

-- 
Address:Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:  daniel.baum...@progress-technologies.net
Internet:   http://people.progress-technologies.net/~daniel.baumann/





Bug#709086: freeradius: logrotate causes mschap module to fail

2013-10-30 Thread Tom Jampen

Dear maintainers

We have the same problem and would like to see this fixed soon, thanks!

Regards
Tom





Bug#709086: freeradius: logrotate causes mschap module to fail

2013-05-20 Thread Chris Malton
Package: freeradius
Version: 2.1.12+dfsg-1.2
Severity: important
Tags: upstream

Dear Maintainer,

I just spent a few minutes looking at an issue we've been having with a
Debian-based FreeRADIUS server we're running.
After some closer investigation, it turned out that the weekly logrotate was
causing the mschap modules to fail in FreeRADIUS.
This effectively breaks authentication for us, as the mschap modules are what
we rely on to make the wireless 802.1x authentication work.

Digging deeper, I found this mailing list post on lists.freeradius.org
(http://lists.freeradius.org/pipermail/freeradius-users/2012-April/060090.html)
which details the issue exactly.
Alan DeKok appears to have fixed this in the source tree as of 2012-04-13,
however, the fix hasn't made it into Debian (squeeze or wheezy).

Could you please consider either making the logrotate command restart
freeradius, not kill -HUP it, or bring commit
d3504e1766ae965c2983f6ea4c8aa17bb840f4a4 in as a patch?
Link to commit in original source is:
https://github.com/FreeRADIUS/freeradius-server/commit/d3504e1766ae965c2983f6ea4c8aa17bb840f4a4

Either of these will fix it - and I don't know which one you'd prefer to take.  As
it stands, I'm adding a cron job to restart FreeRADIUS at 06:40 each Sunday
morning to ensure it comes back up again after a logrotate.

Thanks in advance.

Regards,

Chris Malton



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
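
An added example, not part of the thread or of the Debian package: a shell check for the condition this report describes, a logrotate hook that reloads or HUPs the daemon rather than restarting it. The function names, the sample config and its paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list logrotate hook commands that
# reload or HUP a daemon instead of restarting it.

# find_reload_hooks FILE DAEMON
# Prints "LINE: command" for each offending line inside a postrotate,
# prerotate, firstaction or lastaction script. Status 1 if any were found.
find_reload_hooks() {
    awk -v daemon="$2" '
        { line = $0; sub(/#.*/, "", line) }              # drop comments
        line ~ /^[ \t]*(postrotate|prerotate|firstaction|lastaction)[ \t]*$/ { hook = 1; next }
        line ~ /^[ \t]*endscript[ \t]*$/ { hook = 0; next }
        hook && index(line, daemon) &&
        (line ~ /[ \t](force-)?reload([ \t;>]|$)/ ||
         line ~ /kill(all)?[ \t]+(-HUP|-1|-s[ \t]*(HUP|1))([ \t]|$)/) {
            sub(/^[ \t]+/, "", line)
            printf "%d: %s\n", NR, line
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample config; the paths and stanzas are assumptions.
sample_config() {
    cat <<'EOF'
# constructed sample
/var/log/freeradius/*.log {
    weekly
    postrotate
        /etc/init.d/freeradius reload > /dev/null
    endscript
}
/var/log/freeradius/radwtmp {
    monthly
    postrotate
        kill -HUP $(cat /var/run/freeradius/freeradius.pid)
    endscript
}
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
find_reload_hooks "$tmp" freeradius || echo "reload/HUP hooks found in $tmp"
rm -f "$tmp"
```

Run it against the real files under the logrotate configuration directory on the affected host; a hook changed to restart the daemon produces no output and status 0.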

