==> debian/manpages <==
radsecproxy.1
radsecproxy.conf.5

==> debian/control <==
Source: radsecproxy
Section: net
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Faidon Liambotis
Build-Depends: debhelper (>= 9), autotools-dev, libssl-dev, nettle-dev, docbook2x
Standards-Version: 3.9.3
Homepage: http://software.uninett.no/radsecproxy/

Package: radsecproxy
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Provides: radius-server
Description: RADIUS protocol proxy supporting RadSec
 A generic RADIUS proxy that in addition to usual RADIUS UDP transport also
 supports TLS (RadSec). It aims to be flexible while at the same time small
 in size and memory footprint, efficient and easy to configure.
 .
 It can be useful as a proxy on site boundaries or in other complex RADIUS
 routing topologies. It supports both IPv4 and IPv6.

==> debian/docs <==
README

==> debian/examples <==
radsecproxy.conf-example
tools/*

==> debian/changelog <==
radsecproxy (1.6.2-1ubuntu1) saucy; urgency=low

  * add --retry to --stop to fix spurious restart issue (LP: #1199348)

 -- Michael Vogt  Tue, 09 Jul 2013 14:22:34 +0200

radsecproxy (1.6.2-1) unstable; urgency=high

  * Urgency set to high for a security release.
  * New upstream release, fixing two security issues:
    - When verifying clients, don't consider config blocks with CA settings
      ('tls') which differ from the one used for verifying the certificate
      chain (RADSECPROXY-43, CVE-2012-4523). Reported by Ralf Paffrath.
    - Fix the issue with verification of clients when using multiple 'tls'
      config blocks for DTLS too (RADSECPROXY-43, CVE-2012-4566).
      Reported by Raphael Geissert.
  * Drop most of debian/patches/fix_manpages, merged upstream.

 -- Faidon Liambotis  Tue, 06 Nov 2012 12:56:27 +0200

radsecproxy (1.6-1) unstable; urgency=low

  * New upstream release.
  * Enable F-Ticks, a new upstream feature.
    - Add build dependency on nettle-dev.
  * Ship upstream's manpages.
    - Add build dependency on docbook2x.
    - Add debian/patches/fix_manpages to adapt the manpage to our filepaths.
  * Ship the radsecproxy-hash binary, used to calculate hashed CSI values.
  * Use unapply-patches & abort-on-upstream-changes local-options.
  * Bump debhelper compat to 9, mainly to enable hardening flags.
  * Bump Standards-Version to 3.9.3, no changes needed.
  * Add NORDUnet A/S copyright notice to debian/copyright.

 -- Faidon Liambotis  Mon, 28 May 2012 15:56:52 +0300

radsecproxy (1.5-1) unstable; urgency=low

  * New upstream release.

 -- Faidon Liambotis  Wed, 16 Nov 2011 20:49:19 +0200

radsecproxy (1.4.3-1) unstable; urgency=low

  * New upstream release.
  * Change upstream author to Linus Nordberg in debian/copyright.
  * Switch to 3.0 (quilt) source package format.
  * Bump debhelper compatibility level to 8.
  * Update Standards-Version to 3.9.2, no changes needed.

 -- Faidon Liambotis  Fri, 22 Jul 2011 20:04:47 +0300

radsecproxy (1.4-1) unstable; urgency=low

  * New upstream release.
  * Add $remote_fs and $syslog to init script's Required-Start and $named to
    Should-Start.
  * Ship naptr-eduroam.sh script along with the README in examples.

 -- Faidon Liambotis  Sat, 12 Jun 2010 18:30:04 +0300

radsecproxy (1.3.1-1) unstable; urgency=low

  * New upstream release.
  * Bump Standards-Version to 3.8.2, no changes needed.
  * Build-Depend on debhelper >= 7.0.50 because of the use of overrides in dh.

 -- Faidon Liambotis  Wed, 05 Aug 2009 12:49:20 +0300

radsecproxy (1.3-1) unstable; urgency=low

  * Initial release.
    (Closes: #532481)

 -- Faidon Liambotis  Tue, 16 Jun 2009 05:13:48 +0300

==> debian/radsecproxy.conf <==
# Master config file for radsecproxy

# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Multiple statements can be used for multiple ports/addresses
#ListenUDP *:1814
#ListenUDP localhost
#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812
#ListenTLS 10.10.10.10:2084
#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084

# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP 127.0.0.1:33000
#SourceTCP *:33000
#SourceTLS *:33001
#SourceDTLS *:33001

# Optional log level. 3 is default, 1 is less, 5 is more
#LogLevel 3
# Optional LogDestination, else stderr used for logging
# Logging to file
#LogDestination file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination x-syslog:///
#LogDestination x-syslog:///log_local2

# For generating log entries conforming to the F-Ticks system, specify
# FTicksReporting with one of the following values.
#   None  -- Do not log in F-Ticks format. This is the default.
#   Basic -- Do log in F-Ticks format but do not log VISINST.
#   Full  -- Do log in F-Ticks format and do log VISINST.
# Please note that in order to get F-Ticks logging for a given client,
# its matching client configuration block has to contain the
# fticksVISCOUNTRY option.

# You can optionally specify FTicksMAC in order to determine if and
# how Calling-Station-Id (the user's Ethernet MAC address) is being logged.
#   Static          -- Use a static string as a placeholder for
#                      Calling-Station-Id.
#   Original        -- Log Calling-Station-Id as-is.
#   VendorHashed    -- Keep first three segments as-is, hash the rest.
#   VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This
#                      is the default.
#   FullyHashed     -- Hash the entire string.
#   FullyKeyHashed  -- Like FullyHashed but salt with F-Ticks-Key.
# In order to use FTicksMAC with one of VendorKeyHashed or
# FullyKeyHashed, specify a key with FTicksKey.
#   FTicksKey
# Default F-Ticks configuration:
#FTicksReporting None
#FTicksMAC Static

# You can optionally specify FTicksSyslogFacility to use a dedicated
# syslog facility for F-Ticks messages. This allows for easier filtering
# of F-Ticks messages.
# F-Ticks messages are always logged using the log level LOG_DEBUG.
# Note that specifying a file (using the file:/// prefix) is not supported.
#FTicksSyslogFacility log_local1
#FTicksSyslogFacility x-syslog:///log_local1

# There is an option for doing some simple loop prevention. Note that
# the LoopPrevention directive can be used in server blocks too,
# overriding what's set here in the basic settings.
#LoopPrevention on
# Add TTL attribute with value 20 if not present (prevents endless loops)
#AddTTL 20

# If we have TLS clients or servers we must define at least one tls block.
# You can name them whatever you like and then reference them by name when
# specifying clients or servers later. There are however three special names
# "default", "defaultclient" and "defaultserver". If no name is defined for
# a client, the "defaultclient" block will be used if it exists, if not the
# "default" will be used. For a server, "defaultserver" followed by "default"
# will be checked.
#
# The simplest configuration you can do is:
#tls default {
#    # You must specify at least one of CACertificateFile or CACertificatePath
#    # for TLS to work.
#    # We always verify peer certificate (client and server)
#    CACertificateFile /etc/ssl/certs/ca-certificates.crt
#    CACertificatePath /etc/ssl/certs
#    # You must specify the below for TLS, we always present our certificate
#    CertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#    CertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#    # Optionally specify password if key is encrypted (not very secure)
#    CertificateKeyPassword "follow the white rabbit"
#
#    # Optionally enable CRL checking
#    CRLCheck on
#    # Optionally specify how long CAs and CRLs are cached, default forever
#    CacheExpiry 3600
#
#    # Optionally require that peer certs have one of the specified policyOIDs
#    policyoid 1.2.3 # this option can be used multiple times
#    policyoid 1.3.4
#}

# If you want one cert for all clients and another for all servers, use
# defaultclient and defaultserver instead of default. If we wanted some
# particular server to use something else you could specify a block
# "tls myserver" and then reference that for that server. If you always
# name the tls block in the client/server config you don't need a default

# Now we configure clients, servers and realms. Note that these and
# also the lines above may be in any order, except that a realm
# can only be configured to use a server that is previously configured.

# A realm can be a literal domain name, * which matches all, or a
# regexp. A regexp is specified by the character prefix /
# For regexp we do case insensitive matching of the entire username string.
# The matching of realms is done in the order they are specified, using the
# first match found. Some examples are
# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
# To treat local users separately you might try first specifying "@"
# and after that "*".

# Configure a rewrite block if you want to add/remove/modify attributes
# rewrite example {
#     # Remove NAS-Port.
#     removeAttribute 5
#     # Remove vendor attribute 100.
#     removeVendorAttribute 99:100
#     # Called-Station-Id = "123456"
#     addAttribute 30:123456
#     # Vendor-99-Attr-101 = 0x0f
#     addVendorAttribute 99:101:%0f
#     # Change users @local to @example.com.
#     modifyAttribute 1:/^(.*)@local$/\1@example.com/
# }

# An example client
#client [2001:db8::1] {
#    # type can be one of tcp, udp, tls, dtls
#    type udp
#    # secret is optional for TLS/DTLS
#    secret secret
#    # Might do rewriting of incoming messages using rewrite block example
#    rewriteIn example
#    # Can also do rewriting of outgoing messages
#    rewriteOut example
#    # if also want to use this server for accounting, specify
#    accountingServer 127.0.0.1
#    # statusserver is optional, can be on or off. Off is default
#    StatusServer on
#}

# Equivalent to example.com
#realm /@example\.com$ {
#    server 2001:db8::1
#}

# One can define a realm without servers, the proxy will then reject
# any requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message. One can also use
# AccountingResponse option to specify that the proxy should send such.
#realm /\.com$ {
#}
#
#realm /^anonymous$ {
#    replymessage "No Access"
#    AccountingResponse On
#}

# example config for localhost, rejecting all users
client 127.0.0.1 {
    type udp
    secret testing123
}

realm * {
    replymessage "User unknown"
}

==> debian/source/format <==
3.0 (quilt)

==> debian/patches/series <==
fix_manpages

==> debian/patches/fix_manpages <==
Description: Minor fixes to the manpages (paths)
Author: Faidon Liambotis
Last-Update: 2012-11-06
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -23,7 +23,7 @@ When the proxy server starts, it will first check the command line arguments, and then read the configuration file. Normally radsecproxy will read the configuration file - /usr/local/etc/radsecproxy.conf. The command line + /etc/radsecproxy.conf. The command line option can be used to instead read an alternate file (see @@ -103,7 +103,7 @@ blocktype name { shell globbing to specify multiple files, e.g.:
- include /usr/local/etc/radsecproxy.conf.d/*.conf + include /etc/radsecproxy.conf.d/*.conf
The files are sorted alphabetically. Included files are read in

==> debian/rules <==
#!/usr/bin/make -f
#export DH_VERBOSE=1

%:
	dh $@

override_dh_auto_configure:
	dh_auto_configure -- --enable-fticks

override_dh_auto_install:
	dh_auto_install
	# remove useless/sparsely used binary
	rm -f debian/radsecproxy/usr/bin/radsecproxy-conf
	# while they don't need root, they're not really users' material
	mv -n debian/radsecproxy/usr/bin/* debian/radsecproxy/usr/sbin/
	rmdir --ignore-fail-on-non-empty debian/radsecproxy/usr/bin
	# remove the example config with the wrong filename
	# and install a prepared config that works by default
	rm -f debian/radsecproxy/etc/radsecproxy.conf-example
	cp debian/radsecproxy.conf debian/radsecproxy/etc/radsecproxy.conf

==> debian/dirs <==
/etc

==> debian/init.d <==
#! /bin/sh
### BEGIN INIT INFO
# Provides:          radsecproxy
# Required-Start:    $remote_fs $syslog $network
# Required-Stop:     $remote_fs $syslog
# Should-Start:      $time $named
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: RADIUS proxy
# Description:       RADIUS protocol proxy supporting RadSec
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/radsecproxy
NAME="radsecproxy"
DESC="RadSec proxy"
PIDFILE=/var/run/$NAME.pid

. /lib/lsb/init-functions

test -x $DAEMON || exit 0

DAEMON_OPTS="-i $PIDFILE"

case "$1" in
  start)
	if pidofproc -p $PIDFILE $DAEMON > /dev/null; then
		log_failure_msg "Starting $DESC (already started)"
		exit 0
	fi
	if ! $DAEMON -p $DAEMON_OPTS 2> /dev/null; then
		log_failure_msg "Checking $DESC config syntax"
		exit 1
	fi
	log_daemon_msg "Starting $DESC" "$NAME"
	start-stop-daemon --start --quiet --pidfile $PIDFILE \
		--exec $DAEMON -- $DAEMON_OPTS
	log_end_msg $?
	;;
  stop)
	log_daemon_msg "Stopping $DESC" "$NAME"
	start-stop-daemon --stop --retry 5 --quiet --pidfile $PIDFILE \
		--exec $DAEMON
	case "$?" in
		0) log_end_msg 0 ;;
		1) log_progress_msg "(already stopped)"
		   log_end_msg 0 ;;
		*) log_end_msg 1 ;;
	esac
	;;
  force-reload|restart)
	if ! $DAEMON -p $DAEMON_OPTS 2> /dev/null; then
		log_failure_msg "Checking $DESC config syntax"
		exit 1
	fi
	$0 stop
	$0 start
	;;
  status)
	status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
	;;
  *)
	echo "Usage: ${0} {start|stop|restart|force-reload|status}" >&2
	exit 1
	;;
esac

==> debian/copyright <==
This package was debianized by Faidon Liambotis on
Sun, 14 Jun 2009 23:17:51 +0300

It was downloaded from:
http://software.uninett.no/radsecproxy/

Upstream Author: Linus Nordberg

Copyright:
    Copyright (c) 2006-2009 Stig Venaas
    Copyright (c) 2006-2010 UNINETT AS
    Copyright (c) 2010-2012 NORDUnet A/S

The Debian packaging is:
    Copyright (C) 2009-2012 Faidon Liambotis

License:

    This package is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This package is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this package; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

On Debian systems, the complete text of the GNU General Public License
version 2 can be found in `/usr/share/common-licenses/GPL-2'.
Alternatively, you can use the following BSD-like license:

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions
    are met:
      * Redistributions of source code must retain the above copyright
        notice, this list of conditions and the following disclaimer.
      * Redistributions in binary form must reproduce the above copyright
        notice, this list of conditions and the following disclaimer in
        the documentation and/or other materials provided with distribution.
      * Neither the name of the UNINETT AS nor the names of its contributors
        may be used to endorse or promote products derived from this
        software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY UNINETT AS ``AS IS'' AND ANY EXPRESS OR
    IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
    DISCLAIMED. IN NO EVENT SHALL UNINETT AS BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
    (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
    SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
    IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.

Please note that for the purpose of this distribution, only the BSD license
applies. This is due to the fact that this package is linking against the
OpenSSL library, which has conflicting terms with the GNU GPL and thus would
render the combined binaries as undistributable. The BSD license has no such
problems and hence this work can be legally distributed.
==> debian/compat <==
9

==> debian/watch <==
# Compulsory line, this is a version 3 file
version=3

opts="uversionmangle=s/-(alpha|beta)/~$1/" \
  http://software.uninett.no/radsecproxy/index.php?page=download radsecproxy-(.*)\.tar\.gz

==> debian/lintian-overrides <==
radsecproxy: possible-gpl-code-linked-with-openssl
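The commented walkthrough in debian/radsecproxy.conf above describes two things a reviewer has to get right by hand: which settings in a tls/client/server block actually protect the proxy (a CA to verify peers against, CRLCheck, a real shared secret on udp/tcp, where the log goes), and how realm blocks are matched (first match in file order, the regex applied case-insensitively to the whole username, "*" matching everything, and a literal domain being equivalent to /@domain$ as the "# Equivalent to example.com" comment states). The following is an added example, not radsecproxy's own code or anything shipped in this package: it parses the block syntax shown in that file, reports the weak choices the comments warn about, and resolves usernames to realms. The sample config is constructed for the example and intentionally repeats the weak settings from the page; the WEAK_SECRETS list, the 16-character minimum and the /tmp check are assumed review heuristics, not radsecproxy rules. It is a static audit of the file only; it does not model the per-client certificate verification fixed in CVE-2012-4523.

```python
"""Added example (not radsecproxy's code): parse a radsecproxy.conf-style file,
audit the settings its comments flag as security-relevant, and resolve realms
in the first-match order the file describes."""
import re
from collections import defaultdict

# Constructed sample in the page's syntax; deliberately keeps the weak choices.
SAMPLE_CONF = r"""
LogDestination file:///tmp/rp.log
tls default {
    # neither CACertificateFile nor CACertificatePath: peers cannot be verified
    CertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    CertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    CertificateKeyPassword "follow the white rabbit"
}
client 127.0.0.1 {
    type udp
    secret testing123
}
server 2001:db8::1 {
    type tls
}
realm /@example\.com$ {
    server 2001:db8::1
}
realm * {
    replymessage "User unknown"
}
"""
WEAK_SECRETS = {"secret", "testing123", "radius", "password"}  # assumed deny-list


def parse(text):
    """Return (global options, blocks). Option names are case-insensitive and
    may repeat (e.g. policyoid), so every value is kept in a list."""
    globs, blocks, current = defaultdict(list), [], None
    for raw in text.splitlines():
        tokens = re.findall(r'"[^"]*"|\S+', raw)
        tokens = next((tokens[:i] for i, t in enumerate(tokens) if t.startswith("#")), tokens)
        if not tokens:
            continue
        if tokens[-1] == "{":                       # "kind name {"
            current = {"kind": tokens[0].lower(), "name": tokens[1], "opts": defaultdict(list)}
            blocks.append(current)
        elif tokens[0] == "}":
            current = None
        else:
            (current["opts"] if current else globs)[tokens[0].lower()].append(
                " ".join(tokens[1:]).strip('"'))
    return globs, blocks


def audit(globs, blocks):
    """Static findings a reviewer would raise before deploying this config."""
    findings = []
    for dest in globs.get("logdestination", []):
        if dest.startswith("file:///tmp/"):
            findings.append(f"LogDestination {dest}: log file under world-writable /tmp")
    for b in blocks:
        opts, tag = b["opts"], f'{b["kind"]} {b["name"]}'
        if b["kind"] == "tls":
            if not (opts.get("cacertificatefile") or opts.get("cacertificatepath")):
                findings.append(f"{tag}: no CA configured, peer certificates cannot be verified")
            if opts.get("crlcheck", ["off"])[0].lower() != "on":
                findings.append(f"{tag}: CRLCheck off, revoked peer certificates are accepted")
            if opts.get("certificatekeypassword"):
                findings.append(f"{tag}: private-key password stored in the config file")
        elif b["kind"] in ("client", "server") and \
                opts.get("type", [""])[0].lower() in ("udp", "tcp"):
            secret = opts.get("secret", [""])[0]   # the only protection on cleartext transports
            if not secret or secret.lower() in WEAK_SECRETS or len(secret) < 16:
                findings.append(f"{tag}: missing or weak shared secret on a cleartext transport")
    return findings


def realm_regex(name):
    """'*' matches everything, '/re' is used as-is, and a literal domain is
    treated as the page's own equivalence 'example.com' == '/@example\\.com$'."""
    if name == "*":
        return ".*"
    return name[1:] if name.startswith("/") else "@" + re.escape(name) + "$"


def route(blocks, username):
    """First realm block, in file order, whose regex matches the whole username
    case-insensitively. Returns (realm name, servers); no servers means reject."""
    for b in blocks:
        if b["kind"] == "realm" and re.search(realm_regex(b["name"]), username, re.IGNORECASE):
            return b["name"], list(b["opts"].get("server", []))
    return None, []


if __name__ == "__main__":
    g, bl = parse(SAMPLE_CONF)
    print(*audit(g, bl), sep="\n")
    for user in ("alice@Example.COM", "bob@other.org"):
        print(user, "->", route(bl, user))
```

Run against the sample, the audit reports five findings (the /tmp log, the CA-less tls block, CRLCheck off, the stored key password, and the testing123 secret on the udp client); alice@Example.COM routes to 2001:db8::1 through the /@example\.com$ realm despite the case difference, and bob@other.org falls through to the catch-all realm with no servers, which is the reject-with-ReplyMessage case. Because matching is first-match in file order, moving `realm *` above the example.com realm would swallow every user, which is exactly why the config comments say to put "@" or specific realms first.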