Date:      Wed, 1 Nov 2006 16:40:28 GMT
From:      David Wood <david@wood2.org.uk>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/105025: [maintainer-update] Remove unnecessary patch files/patch-ab from net/freeradius
Message-ID:  <200611011640.kA1GeSi9020708@freefall.freebsd.org>

The following reply was made to PR ports/105025; it has been noted by GNATS.

From: David Wood <david@wood2.org.uk>
To: bug-followup@FreeBSD.org, david@wood2.org.uk
Cc:  
Subject: Re: ports/105025: [maintainer-update] Remove unnecessary patch files/patch-ab from net/freeradius
Date: Wed, 1 Nov 2006 16:34:53 +0000

 Let's have another crack at formatting the proposed wording for 
 /usr/ports/UPDATED - it looks pretty ugly in the web version of the PR:
 
 Please add the following warning to /usr/ports/UPDATED:
 
 AFFECTS: Users of net/freeradius
 AUTHOR: David Wood <david@wood2.org.uk>
 
 FreeBSD used to patch FreeRADIUS's rlm_mschap.c to strip all domain names when calculating the hash of an MS-CHAP challenge (a requirement
 specified in RFC 2759 paragraph 4 and amplified in paragraph 8.2). FreeRADIUS now offers its own solution to discard a domain name before hashing
 in the MS-CHAP code, which can be enabled via a configuration option. As there is no longer any need for the FreeBSD patch, it has been removed,
 leaving the MS-CHAP code behaving as supplied by the FreeRADIUS team.
 
 If the previous behaviour of the MS-CHAP code is required, add:
 with_ntdomain_hack = yes
 to the mschap { } section of your FreeRADIUS configuration. There should be a commented out line that can be modified around line 696 of
 /usr/local/etc/raddb/radiusd.conf if your configuration is based on the sample FreeRADIUS configuration.
 
 This option is not set by default in the sample FreeRADIUS configuration. Only those who have clients sending a domain name as part of the user
 name when using MS-CHAP will be affected by this change; they will need to set this option to allow FreeRADIUS to authenticate their clients
 successfully. This may only affect those with older Windows clients, but I cannot be sure.
 
 Some sources suggest setting this configuration option anyway to prevent FreeRADIUS from breaching RFC 2759 inadvertently, leading to
 authentication failure. It is left to the user whether to set this configuration option anyway, or only to set it in the event of authentication failures
 stemming from MS-CHAP.
 
 Debug output from radiusd that reads "rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?" suggests that this
 configuration option should be enabled.
 
 
 
 Formatting:
 
 This should be a total of five paragraphs. The paragraph breaks come:
 
 ...FreeRADIUS team.[para]If the previous behaviour ...
 
 ...sample FreeRADIUS configuration.[para]This option is not ...
 
 ...I cannot be sure.[para]Some sources ...
 
 ... stemming from MS-CHAP.[para]Debug output from ...
 
 
 In the second paragraph, "with_ntdomain_hack = yes" should be on a line 
 by itself.
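
The mismatch described in the message above, as an added example that is not part of the original e-mail and is not FreeRADIUS code: it computes the RFC 2759 section 8.2 ChallengeHash the way a client does (user name without domain) and the way a server does with and without stripping the domain from the received name. The helper names, the `DOMAIN\user` form and all sample values are assumptions constructed for illustration.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: first 8 octets of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Hypothetical helper: drop a 'DOMAIN\\' prefix if one is present.
    Stands in for what with_ntdomain_hack asks the server to do."""
    _, _, bare = user_name.rpartition("\\")
    return bare


# Constructed sample values, not captured traffic.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
SENT_USER_NAME = "EXAMPLE\\alice"


def server_matches_client(sent_user_name: str, strip_domain: bool) -> bool:
    """True when the server derives the same ChallengeHash as the client."""
    # The client hashes the bare user name, as RFC 2759 requires.
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                            strip_nt_domain(sent_user_name))
    # The server hashes the name it received, stripped only if told to.
    name = strip_nt_domain(sent_user_name) if strip_domain else sent_user_name
    server = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)
    return client == server


if __name__ == "__main__":
    for strip in (False, True):
        ok = server_matches_client(SENT_USER_NAME, strip)
        print(f"strip domain = {strip}: hashes match = {ok}")
```

Because the ChallengeHash is an input to the expected NT-Response, a differing hash means the response check fails and the user is rejected even with the correct password.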


