[Fwd: [Fwd: checkrad.pl.in patch for freeradius-0.9.0 ...]]
Hello,

Could someone include this patch for me? Or tell me the reason why this is not applicable?

TIA,
-- DouRiX

Original Message
Subject: checkrad.pl.in patch for freeradius-0.9.0 ...
Date: Thu, 07 Aug 2003 17:22:26 +0300
From: Do-Risika RAFIEFERANTSIARONJY [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Organization: Simicro Internet
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]

Hello,

I am a freeradius patton user.

I already submitted this patch several months ago, but I've noticed that it's not applied yet, so I *re-submit* (as you said Don't get discouraged :).

It's a patch to the src/main/checkrad.pl.in file, for the current version 0.9.0. It's due to _MIB_structure_changes_ on new patton RAS (2960 boxes, you could contact [EMAIL PROTECTED] to confirm).

I've added a _new_function_ for patton 2960 (thus a new ras type 'patton2960'), because as Alan advised, modifying directly the patton_snmp() sub could break compatibility with old hardwares (patton 28xx).

I have also added _community_string_lookup_ in naspasswd file, as users could use a non 'public' community name, and I think it'll be more convenient. Though, it should always work with 'public' community name.

Here is my previous exchange with Alan about this issue:

Alan DeKok wrote:
> Do-Risika RAFIEFERANTSIARONJY [EMAIL PROTECTED] wrote:
> > > You've deleted the support for older Patton hardware, and replace it with support for the 2960. Why?
> > because as i know, they don't sell it anymore.
>
> Do people still use it? Probably.
>
> > It won't be if I can add a new function and a new nas type, for example patton2960. Is there a problem if I do that ? if not, I'll to submit the new patch,
>
> Sounds good to me.

I wish you would apply, I'm always obliged to patch my source before each upgrade.

Please notify if/when it'll be applied or not,

Thanks in advance,

_here_is_the_patch_ :

--- checkrad.pl.in.orig.freeradius-0.9.0Thu Aug 7 16:07:05 2003 +++ checkrad.pl.in.new.freeradius-0.9.0 Thu Aug 7 16:13:38 2003 
@@ -31,6 +31,7 @@ # cisco_l2tp 1.14 Author: [EMAIL PROTECTED] # mikrotik_telnet 1.0Author: Evren Yurtesen [EMAIL PROTECTED] # redback_telnet Author: Eduardo Roldan +# patton2960_snmp 1.0Author: [EMAIL PROTECTED] # # Config: $debug is the file you want to put debug messages in # $snmpget is the location of your ``snmpget'' program @@ -850,6 +851,54 @@ } # +# Check a Patton 2960 via SNMP +# Version: 1.0, based on patton_snmp(), +# new patton model with new MIBS structures +# Author: DouRiX [EMAIL PROTECTED] +# +sub patton2960_snmp { + my($oid); + + # Look up community string in naspasswd file. + my ($login, $pass) = naspasswd($ARGV[1], 1); + if ($login eq '') { + $pass = 'public'; + } + elsif ($login ne 'SNMP') { + if ($debug) { + print LOG + Error: Need SNMP community string for $ARGV[1]\n; + } + return 2; + } + + # formule : sessionid = auRadiusRunningId . callid + my $auRadiusRunningId = snmpget($ARGV[1], $pass, .1.3.6.1.4.1.1768.3.32); + $auRadiusRunningId =~ s/\s//g; + + my $callid = $ARGV[4]; + $callid =~ s/^$auRadiusRunningId//; + + if ($callid eq $ARGV[4]) { + # error ... + print LOGError: sessionId differs to auRadiusRunningId . callId !!!\n if $debug; + return 2; + } + + $oid = '.1.3.6.1.4.1.1768.5.100.1.56.' . hex $callid; + + # + # Check if the session still active + # + if (snmpget($ARGV[1], $pass, $oid) == 0) { + print LOG Session $ARGV[4] still active on NAS . +$ARGV[1], port $ARGV[2], for user $ARGV[3].\n if ($debug); + return 1; + } + 0; +} + +# # Check a Digitro BXS via rusers # # Version: 1.1 @@ -1332,6 +1381,8 @@ $ret = cyclades_snmp; } elsif ($ARGV[0] eq 'patton') { $ret = patton_snmp; +} elsif ($ARGV[0] eq 'patton2960') { + $ret = patton2960_snmp; } elsif ($ARGV[0] eq 'digitro') { $ret = digitro_rusers; } elsif ($ARGV[0] eq 'usrhiper') { -- DouRiX [Good men must not obey the laws too well. -- Ralph Waldo Emerson] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
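Review bot: in the second hunk, the final test `snmpget($ARGV[1], $pass, $oid) == 0` in patton2960_snmp accepts anything that numifies to 0, and in Perl an empty or non-numeric string compares equal to 0. If snmpget hands back such a string when the query fails or the OID does not exist, the function returns 1 and the session is reported as still active, so the user is refused on a NAS that merely did not answer. Check that the reply is a non-empty string of digits before comparing and return 2 otherwise, as the two earlier error paths do. Two smaller points in the same function: `s/^$auRadiusRunningId//` interpolates the SNMP reply as a regular expression and should use \Q...\E, and `hex $callid` should be preceded by a check that what remains of $ARGV[4] is hexadecimal.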
Group-Simultaneous-Use
Hi,

I want to have a simultaneous-use limit for groups. E.g., I have, say, 50 users in group1 and I want to set limit for group1 to, say, 20... If there are already 20 online dialup users at any given time, 21st users will be denied access. (user-group relation is already set up in database)

Is there an attribute to achieve this or should I go for writing a small script to execute externally upon every request?

Thanks..
Ali gunduz
[pam_radius_auth] Doc
Hi,

I'm searching for documentation about pam_radius_auth, especially how to send back posixAccount attr (uidNumber, gidNumber, homeDirectory) to the client via radius in order to be used for user login.

Thanks,
Fred
Accounting and Acct-Session-Time
Hi,

RFC2866 (RADIUS Accounting) provides the following description of attribute type 46, Acct-Session-Time:

    This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

Maybe slightly off-topic questions (in which case, apologies), but I've trawled back through various IETF mailing-lists (I can't find the oldest radius-wg ones as the group finished in 2000 or so) looking for the answer to:

Why you can only use this with Stop records?

Not knowing this generates the following questions:

1. Does FreeRADIUS behave in accordance with the RFC? If so, would it just ignore an Interim-Update Acct-Session-Time packet coming in?

2. How do other people set up so that a session being active for a certain period of time generates an alarm (in a management system, say, so it can be investigated manually), rather than just has the NAS close the session down?

3. Or is there some other RADIUS accounting attribute that I'm short-sightedly overlooking which can tell you this?

Thanks,
Sam
Re: Accounting and Acct-Session-Time
On Tue, Sep 02, 2003 at 01:49:54PM +0200, Sam Critchley wrote:
> 1. Does FreeRADIUS behave in accordance with the RFC? If so, would it just ignore an Interim-Update Acct-Session-Time packet coming in?

No. It is there and you should be able to work with it.

> 2. How do other people set up so that a session being active for a certain period of time generates an alarm (in a management system, say, so it can be investigated manually), rather than just has the NAS close the session down?

I just do detail logs and the app which processes these logs will raise me an alarm

> 3. Or is there some other RADIUS accounting attribute that I'm short-sightedly overlooking which can tell you this?

I think not. You can always calculate the difference between start and update...

Oliver.
Re: [pam_radius_auth] Doc
Frederic KIENY USEI Est [EMAIL PROTECTED] wrote:
> I'm searching documentation about pam_radius_auth, especially how to send back posixAccount attr (uidNumber, gidNumber, homeDirectory) to the client via radius in order to be used for user login.

It isn't documented because the module doesn't do it.

Alan DeKok.
RE: Accounting and Acct-Session-Time
From: Sam Critchley
Sent: Tuesday, 2 September 2003 9:50 PM

> RFC2866 (RADIUS Accounting) provides the following description of attribute type 46, Acct-Session-Time:
>
>     This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
>
> Why you can only use this with Stop records?

Heh. If I recall correctly, the (later) RFC that describes Interim-Update says that Interim-Update can contain anything that can go in a Stop record.

*greps a little*

Aha! RFC 2869 RADIUS Extensions, Page 4, Section 2.1

    It is envisioned that an Interim Accounting record (with Acct-Status-Type = Interim-Update (3)) would contain all of the attributes normally found in an Accounting Stop message with the exception of the Acct-Term-Cause attribute.

Interim-Update says "If we stopped now, this is where we'd be."

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

Random signature generator 3.0 by Paul TBBle Hampson
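An added example, not part of the thread or of FreeRADIUS: the detail-log processing Oliver describes, using the Acct-Session-Time that RFC 2869 allows in an Interim-Update and falling back to the start-to-update difference when the NAS omits it. The detail-file layout (ctime header line, tab-indented pairs, blank line between records), the sample records and the names `parse_detail` and `long_sessions` are assumptions made for illustration.

```python
from datetime import datetime

HEADER_FORMAT = "%a %b %d %H:%M:%S %Y"   # ctime-style line that opens each record


def parse_detail(text):
    """Return [(logged_at, attrs)] for each record in detail-file text."""
    records, logged_at, attrs = [], None, {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last record
        if not line.strip():                     # blank line closes a record
            if logged_at is not None:
                records.append((logged_at, attrs))
            logged_at, attrs = None, {}
        elif line[0] in " \t":                   # indented "Attribute = value" pair
            name, sep, value = line.strip().partition(" = ")
            if sep and logged_at is not None:
                attrs[name] = value.strip('"')
        else:                                    # header line starts a new record
            if logged_at is not None:
                records.append((logged_at, attrs))
            attrs = {}
            try:
                logged_at = datetime.strptime(line.strip(), HEADER_FORMAT)
            except ValueError:
                logged_at = None                 # unreadable header: drop its pairs
    return records


def long_sessions(records, limit):
    """Sessions still open whose latest known duration exceeds `limit` seconds."""
    started, open_sessions = {}, {}
    for logged_at, attrs in records:
        key = (attrs.get("NAS-IP-Address", ""), attrs.get("Acct-Session-Id", ""))
        status = attrs.get("Acct-Status-Type")
        if status == "Start":
            started[key] = logged_at
        elif status == "Stop":                   # session ended, nothing to alarm on
            started.pop(key, None)
            open_sessions.pop(key, None)
        elif status == "Interim-Update":
            reported = attrs.get("Acct-Session-Time", "")
            if reported.isdigit():               # NAS reported the duration itself
                elapsed = int(reported)
            elif key in started:                 # difference between start and update
                elapsed = int((logged_at - started[key]).total_seconds())
            else:
                continue                         # no Start seen and no duration given
            open_sessions[key] = (attrs.get("User-Name", ""), elapsed)
    return sorted((key, user, elapsed)
                  for key, (user, elapsed) in open_sessions.items()
                  if elapsed > limit)


def _record(when, status, user, session_id, session_time=None):
    """Build one constructed sample record in the assumed detail layout."""
    lines = [when, f"\tAcct-Status-Type = {status}", f'\tUser-Name = "{user}"',
             "\tNAS-IP-Address = 192.0.2.10", f'\tAcct-Session-Id = "{session_id}"']
    if session_time is not None:
        lines.append(f"\tAcct-Session-Time = {session_time}")
    return "\n".join(lines) + "\n\n"


# Constructed sample data, not taken from a real server.
SAMPLE_DETAIL = "".join(_record(*r) for r in [
    ("Tue Sep  2 06:00:00 2003", "Start", "dave", "D4"),
    ("Tue Sep  2 07:00:00 2003", "Start", "carol", "C3"),
    ("Tue Sep  2 08:00:00 2003", "Start", "alice", "A1"),
    ("Tue Sep  2 09:00:00 2003", "Start", "bob", "B2"),
    ("Tue Sep  2 09:30:00 2003", "Interim-Update", "bob", "B2", 1800),
    ("Tue Sep  2 10:00:00 2003", "Interim-Update", "dave", "D4", 14400),
    ("Tue Sep  2 10:05:00 2003", "Stop", "dave", "D4", 14700),
    ("Tue Sep  2 11:30:00 2003", "Interim-Update", "carol", "C3"),   # no duration sent
    ("Tue Sep  2 12:00:00 2003", "Interim-Update", "alice", "A1", 14400),
])

if __name__ == "__main__":
    for (nas, sid), user, elapsed in long_sessions(parse_detail(SAMPLE_DETAIL), 3 * 3600):
        print(f"ALARM {user} session {sid} on {nas}: open for {elapsed}s")
```
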
RE: Reply-Message from external authorization doesn't work
From: Thor Spruyt
Sent: Monday, 1 September 2003 11:29 PM

> - Original Message -
> From: [EMAIL PROTECTED]
> > Hi. I'm using FreeRadius 0.9.0 on RedHat Linux 9. I'm using external program for authorizing users. When authorization is not allowed, I'd like to inform my user about reason of failure so I'm returning Reply-Message:=Some reason in output from my program. But, Free Radius always returns external check failed.
>
> The auth.c code always adds a reply-message attribute to the Auth-Reject when the external program returns something else than 0. I have patched the source code so it doesn't do this anymore.

Why? I preferred the solution where it added the message, unless another Reply-Message had already been set. Is there some reason you don't want the Reply-Message set at all in this circumstance?

I guess I can see that you may not want people to know your RADIUS server's on the blink...

Given the discussion about external programs returning 0 for ACCEPT, and anything else being reject (with error message)...

Would it be better to only add the message if we get a -1 back from the exec call, and let the script take care of it if we get a 0 and hence reject the call? If the script fails (as opposed to rejects the request), will it return anything other than -1?

Alternatively, convert to rlm_exec. Cases where it can't match Exec-Program{,-Wait} are probably interesting to the developers, since rlm_exec is (apparently) intended to replace Exec-Program{,-Wait}.

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

Random signature generator 3.0 by Paul TBBle Hampson
problem with radiusclient plugin from pppd 2.4.2b3
I am trying to setup pptp to use pppd 2.4.2b3 and radius authentication. Currently I am using RH8, but I am not tied to it, RH9 is a possibility if things just work.

Problem 1) the radiusclient will not compile out of the box for me. I have hand hacked my makefile so it compiles all of the .c files into the .so. The default makefile blows up trying to run autoheader. (I know, not freeradius's fault, but maybe one of you has seen it)

Problem 2) ok, so I got it compiled. Now when I try to connect pppd segfaults. I can not figure out a way to diagnose this. I tried replacing pppd with this:

    ulimit -c unlimited
    /usr/sbin/pppd.real $@
    exit $?

but I still did not get a core.

Problem 2b) I thought maybe the radius plugin was a bad idea so I grabbed the pam radius module. However I can not get pppd to start because it wants pap/chap info and what not. All of this info should be coming from ldap (Active Directory) via PAM.

The plus side is I had no problem getting freeradius built and setup (-: Using radtest I can login with my active directory account which is part of why I wanted radius in the first place. The other is logging.

Sorry if this is too far off topic, the archives had other people seeking pppd + radius help. If you know a better list, please tell me.
Re: problem with radiusclient plugin from pppd 2.4.2b3
Sean Perry [EMAIL PROTECTED] wrote:
> Problem 1) the radiusclient will not compile out of the box for me. I have hand hacked my makefile so it compiles all of the .c files into the .so. The default makefile blows up trying to run autoheader.

That's what 'configure' is for. The *developer* is supposed to run autoheader autoconf, to create 'configure'. The average user should NEVER run 'autoheader'.

> Problem 2) ok, so I got it compiled. Now when I try to connect pppd segfaults. I can not figure out a way to diagnose this. I tried replacing pppd with this:
>
>     ulimit -c unlimited
>     /usr/sbin/pppd.real $@
>     exit $?
>
> but I still did not get a core.

Run pppd by hand, inside of gdb. PPPd is probably changing UID's, in which case the kernel won't allow it to core dump.

Alan DeKok.
Redundant failover failure
Hi all,

I have been running FreeRadius in a redundant failover with LDAP for about two years now. This weekend, my primary LDAP server hiccuped so my failover config should have picked up the slack. This did not happen. I could swear that I tested this after setup, but maybe not as it did not work.

Do I have a config error or is there something that I am missing here? I did shoot an 'ldapsearch' at my secondary LDAP server just to ensure that it is indeed servicing the LDAP queries.

Below are the relevant portions of my radiusd.conf:

- snip -
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap ldap1 {
    server = 10.0.4.24
    # identity = cn=admin,o=My Org,c=UA
    # password = mypass
    basedn = o=X
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    #filter = (uid=%u)

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database.
    start_tls = no

    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    #access_group = cn=clients,ou=dialup,o=My Org,c=UA
    #access_attr = dialupAccess

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 5
    # password_header = {clear}
    # password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    timeout = 5
    timelimit = 4
    net_timeout = 2
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}

ldap ldap2 {
    server = 10.0.4.106
    # identity = cn=admin,o=My Org,c=UA
    # password = mypass
    basedn = o=X
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    #filter = (uid=%u)

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database.
    start_tls = no

    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    #access_group = cn=clients,ou=dialup,o=My Org,c=UA
    #access_attr = dialupAccess

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 5
    # password_header = {clear}
    # password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames$
    timeout = 5
    timelimit = 4
    net_timeout = 2
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}

missing lines.

authorize {
    #
    # The preprocess module takes care of sanitizing some bizarre
    # attributes in the request, and turning them into attributes
    # which are more standard.
    #
    # It takes care of processing the 'raddb/hints' and the
    # 'raddb/huntgroups' files.
    #
    # It also adds a Client-IP-Address attribute to the request.
# preprocess # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set # # chap # counter # attr_filter # eap suffix files # etc_smbpasswd # # Uncomment 'mschap' if the users are logging in with an # MS-CHAP-Challenge attribute for authentication. The mschap # module will find the MS-CHAP-Challenge attribute, and add # 'Auth-Type := MS-CHAP' to the request, which makes it use # the mschap module for authentication. # # mschap # The ldap module will set Auth-Type to LDAP if it has not already been set # ldap redundant { ldap1 ldap2 }
Re: Reply-Message from external authorization doesn't work
- Original Message -
From: Paul Hampson [EMAIL PROTECTED]

> From: Thor Spruyt
> Sent: Monday, 1 September 2003 11:29 PM
> > - Original Message -
> > From: [EMAIL PROTECTED]
> > > Hi. I'm using FreeRadius 0.9.0 on RedHat Linux 9. I'm using external program for authorizing users. When authorization is not allowed, I'd like to inform my user about reason of failure so I'm returning Reply-Message:=Some reason in output from my program. But, Free Radius always returns external check failed.
> >
> > The auth.c code always adds a reply-message attribute to the Auth-Reject when the external program returns something else than 0. I have patched the source code so it doesn't do this anymore.
>
> Why? I preferred the solution where it added the message, unless another Reply-Message had already been set. Is there some reason you don't want the Reply-Message set at all in this circumstance?

I noticed that even though my program was giving a Reply-Message, auth.c was still adding its own Reply-Message. In the Auth-Reject packet, there were two Reply-Message attributes, 1 from the External script and 1 added by auth.c, and my NAS was only interpreting the latter. So, since my program always returns a Reply-Message and I'm not that good in C programming, the best solution for me was to comment out the code that added the unneeded Reply-Message.

> I guess I can see that you may not want people to know your RADIUS server's on the blink...

Indeed. Or even knowing that there's an external program executed.

> Given the discussion about external programs returning 0 for ACCEPT, and anything else being reject (with error message)...

I don't think returning non-zero is always an error, since the script might decide to deny access.

> Would it be better to only add the message if we get a -1 back from the exec call, and let the script take care of it if we get a 0 and hence reject the call? If the script fails (as opposed to rejects the request), will it return anything other than -1?

Maybe the best thing to do is make it configurable in radiusd.conf, sort of a default Reply-Message when the external program didn't supply one. Also, I would make auth.c aware of the difference between an error and a Reject by the external program. I don't know enough about exit codes to decide which exit code should mean a Reject and which should indicate an error.

> Alternatively, convert to rlm_exec. Cases where it can't match Exec-Program{,-Wait} are probably interesting to the developers, since rlm_exec is (apparently) intended to replace Exec-Program{,-Wait}.

I wouldn't replace Exec-Program{,-Wait} with rlm_exec, since Exec-Program{,-Wait} has certain advantages over rlm_exec, but I'm certainly looking at the option.

This whole thing is just a minor issue for me, but I think that *not* having to patch the source code is better :)

Regards,
Thor.
Re: problem with radiusclient plugin from pppd 2.4.2b3
Alan DeKok wrote:
> Sean Perry [EMAIL PROTECTED] wrote:
> > Problem 1) the radiusclient will not compile out of the box for me. I have hand hacked my makefile so it compiles all of the .c files into the .so. The default makefile blows up trying to run autoheader.
>
> That's what 'configure' is for. The *developer* is supposed to run autoheader autoconf, to create 'configure'. The average user should NEVER run 'autoheader'.

Which is what confused me. It has a configure script, which runs and then the make process tries to run it again. The m4 files apparently are too far out of date for recent aclocal and friends so I could not easily fix them.

> > Problem 2) ok, so I got it compiled. Now when I try to connect pppd segfaults. I can not figure out a way to diagnose this. I tried replacing pppd with this:
> >
> >     ulimit -c unlimited
> >     /usr/sbin/pppd.real $@
> >     exit $?
> >
> > but I still did not get a core.
>
> Run pppd by hand, inside of gdb. PPPd is probably changing UID's, in which case the kernel won't allow it to core dump.

I was trying to setup a pptp config with poptop, not sure how to test the pppd by hand. Do you have any pointers? Other websites, howtos, etc welcomed.
Re: problem with radiusclient plugin from pppd 2.4.2b3
Sean Perry [EMAIL PROTECTED] wrote:
> Which is what confused me. It has a configure script, which runs and then the make process tries to run it again.

Then edit the 'Makefile' so it doesn't do such a stupid thing.

> I was trying to setup a pptp config with poptop, not sure how to test the pppd by hand. Do you have any pointers? Other websites, howtos, etc welcomed.

Sorry, I can't help you there.

Alan DeKok.
Unknown NULL file
Hi,

Got the server running (great product!) and have noticed a file named NULL that gets generated each time that radiusd gets started. It mostly has unprintable characters in it and can grow to a rather large size. The server maintains a lock on the file, so I must shutdown the server in order to delete the file.

Does anyone know what this file is and what causes it to get generated? I am not running in debug mode. Also, the file seems to get created in the directory that radiusd is started from.

Thanks in advance,
Kevin
exec module question
How can I control Access-Accept or Access-Reject based on what is returned from the authUser.sh shell script? I can have the shell script return 1 or 0 or whatever to make it work but need an example of the syntax.

exec my_exec_postauth {
    wait = yes
    program = /usr/local/etc/raddb/authUser.sh
    input_pairs = reply
}
Cisco AP 1200 Errors
Hi all,

We are having a problem with a cluster of Cisco AP1200's which are all on the same subnet. They all have identical configurations and are set to do Static WEP and MAC Authentication to a Freeradius 0.9 server. When I turn MAC Auth off they all work fine, but when I turn it on, certain APs will not let clients get an address.

I am thinking that these errors might give me a clue. Could someone please explain what they mean?

Tue Sep 2 06:02:24 2003 : Error: rlm_radutmp: Logout entry for NAS NorthGate-D2 port 37 has wrong ID
Tue Sep 2 06:43:48 2003 : Error: rlm_radutmp: Login entry for NAS NorthGate-D2 port 38 wrong order

Thanks!
Mike Hall
RE: did you get redhat 9.0 / PAM / Radius working?
FYI I was able to get some very good assistance from Reliable Penguin (www.reliablepenguin.com). Please see their response below. Looks like there may be a compile issue under Redhat 9.0. Anybody have any ideas?

Eric Ferguson

-Original Message-
From: Lee Blakely [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 8:49 AM
To: Eric Ferguson
Subject: RE: FW: Pam and Radius 9.0

Eric,

Here's a summary of my troubleshooting efforts with pam_radius_auth. Feel free to post this to the mailing list.

The conclusion was that there are memory allocation problems in the pam_radius_auth code that are resulting in heap corruption when compiled and run under RedHat 9. The code works on RedHat 8. The difference between 8 and 9 is the glibc version - 9 is newer and includes new malloc routines that may not be as forgiving as the older version.

Compiling on RH9 works. There is a warning about an invalid token after an endif directive but this is not a problem - the extra token is a misplaced comment.

When pam_radius_auth is installed and configured to run from an application as root then it works. For testing purposes, I used the su command. I was able to su from root to a user account successfully. But when I tried to su from a non-root account to root the command would hang before prompting for a password. In the debug log I would see a message Got user name root but no further messages.

Next I tried activating the malloc debug functions in glibc by setting the MALLOC_CHECK_ environment variable to 1. With this set an su from root to a user account gave an invalid pointer warning. An su from non-root to root still hung. With MALLOC_CHECK_ set to 2 the su command segfaulted in all cases.

Next I tried testing with the MPatrol memory debugger. It reported memory allocation errors but was not able to localize the error in a way that was meaningful to me.

Looking at the code it appears that the failure is happening in the initialize() function - it looks like su is hanging when it tries to read from the config file. I added a few debugging lines and found that the pointer address for the file handle corresponded to the invalid pointer address returned by MALLOC_CHECK_. This leads me to conclude that the heap is being corrupted at a point prior to the call to initialize().

This was as far as I was able to track the problem. I've got only limited C experience. Hopefully somebody that is more familiar with the code will be able to make more progress.

--
Lee Blakely
Senior Support Engineer
Reliable Penguin Consulting
Phone: 704-996-3241
[EMAIL PROTECTED]
http://www.reliablepenguin.com

Just curious - has anyone been able to get 1.3.15 to work with RedHat 9? It compiles with the following warning on my system:

pam_radius_auth.h:91:8: warning: extra tokens at end of #endif directive

Authentication does not work. login simply hangs. The RADIUS server (IAS) doesn't log anything. I have tested the RADIUS server with other applications. Unfortunately I can't run it on RH8.0 because of issues compiling a needed hardware driver.

--
Thanks,
Alan Lehman