Commit c68771ef authored by Kolbjørn Barmen

The Debian directory for radsecproxy 1.6.2

parent ac1ff407
radsecproxy (1.6.2-1) unstable; urgency=high

  * Urgency set to high for a security release.
  * New upstream release, fixing two security issues:
    - When verifying clients, don't consider config blocks with CA settings
      ('tls') which differ from the one used for verifying the certificate
      chain (RADSECPROXY-43, CVE-2012-4523). Reported by Ralf Paffrath.
    - Fix the issue with verification of clients when using multiple 'tls'
      config blocks for DTLS too (RADSECPROXY-43, CVE-2012-4566). Reported by
      Raphael Geissert.
  * Drop most of debian/patches/fix_manpages, merged upstream.

 -- Faidon Liambotis <paravoid@debian.org>  Tue, 06 Nov 2012 12:56:27 +0200

radsecproxy (1.6-1) unstable; urgency=low

  * New upstream release.
  * Enable F-Ticks, a new upstream feature.
    - Add build dependency on nettle-dev.
  * Ship upstream's manpages.
    - Add build dependency on docbook2x.
    - Add debian/patches/fix_manpages to adapt the manpage to our filepaths.
  * Ship the radsecproxy-hash binary, used to calculate hashed CSI values.
  * Use unapply-patches & abort-on-upstream-changes local-options.
  * Bump debhelper compat to 9, mainly to enable hardening flags.
  * Bump Standards-Version to 3.9.3, no changes needed.
  * Add NORDUnet A/S copyright notice to debian/copyright.

 -- Faidon Liambotis <paravoid@debian.org>  Mon, 28 May 2012 15:56:52 +0300

radsecproxy (1.5-1) unstable; urgency=low

  * New upstream release.

 -- Faidon Liambotis <paravoid@debian.org>  Wed, 16 Nov 2011 20:49:19 +0200

radsecproxy (1.4.3-1) unstable; urgency=low

  * New upstream release.
  * Change upstream author to Linus Nordberg in debian/copyright.
  * Switch to 3.0 (quilt) source package format.
  * Bump debhelper compatibility level to 8.
  * Update Standards-Version to 3.9.2, no changes needed.

 -- Faidon Liambotis <paravoid@debian.org>  Fri, 22 Jul 2011 20:04:47 +0300

radsecproxy (1.4-1) unstable; urgency=low

  * New upstream release.
  * Add $remote_fs and $syslog to init script's Required-Start and $named to
    Should-Start.
  * Ship naptr-eduroam.sh script along with the README in examples.

 -- Faidon Liambotis <paravoid@debian.org>  Sat, 12 Jun 2010 18:30:04 +0300

radsecproxy (1.3.1-1) unstable; urgency=low

  * New upstream release.
  * Bump Standards-Version to 3.8.2, no changes needed.
  * Build-Depend on debhelper >= 7.0.50 because of the use of overrides in dh.

 -- Faidon Liambotis <paravoid@debian.org>  Wed, 05 Aug 2009 12:49:20 +0300

radsecproxy (1.3-1) unstable; urgency=low

  * Initial release. (Closes: #532481)

 -- Faidon Liambotis <paravoid@debian.org>  Tue, 16 Jun 2009 05:13:48 +0300
Source: radsecproxy
Section: net
Priority: optional
Maintainer: Faidon Liambotis <paravoid@debian.org>
Build-Depends: debhelper (>= 9), autotools-dev, libssl-dev, nettle-dev, docbook2x
Standards-Version: 3.9.3
Homepage: http://software.uninett.no/radsecproxy/

Package: radsecproxy
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Provides: radius-server
Description: RADIUS protocol proxy supporting RadSec
 A generic RADIUS proxy that in addition to usual RADIUS UDP transport also
 supports TLS (RadSec). It aims to be flexible while at the same time small in
 size and memory footprint, efficient and easy to configure.
 .
 It can be useful as a proxy on site boundaries or in other complex RADIUS
 routing topologies. It supports both IPv4 and IPv6.
This package was debianized by Faidon Liambotis <paravoid@debian.org> on
Sun, 14 Jun 2009 23:17:51 +0300
It was downloaded from: http://software.uninett.no/radsecproxy/
Upstream Author: Linus Nordberg <linus@nordu.net>
Copyright:
Copyright (c) 2006-2009 Stig Venaas <venaas@uninett.no>
Copyright (c) 2006-2010 UNINETT AS
Copyright (c) 2010-2012 NORDUnet A/S
The Debian packaging is:
Copyright (C) 2009-2012 Faidon Liambotis <paravoid@debian.org>
License:
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
On Debian systems, the complete text of the GNU General
Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
Alternatively, you can use the following BSD-like license:
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with distribution.
* Neither the name of the UNINETT AS nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY UNINETT AS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL UNINETT AS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Please note that for the purpose of this distribution, only the BSD license
applies. This is due to the fact that this package is linking against the
OpenSSL library, which has conflicting terms with the GNU GPL and thus would
render the combined binaries as undistributable. The BSD license has no such
problems and hence this work can be legally distributed.
radsecproxy.conf-example
tools/*
#! /bin/sh
### BEGIN INIT INFO
# Provides:          radsecproxy
# Required-Start:    $remote_fs $syslog $network
# Required-Stop:     $remote_fs $syslog
# Should-Start:      $time $named
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: RADIUS proxy
# Description:       RADIUS protocol proxy supporting RadSec
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/radsecproxy
NAME="radsecproxy"
DESC="RadSec proxy"
PIDFILE=/var/run/$NAME.pid

. /lib/lsb/init-functions

test -x $DAEMON || exit 0

DAEMON_OPTS="-i $PIDFILE"

case "$1" in
  start)
	if pidofproc -p $PIDFILE $DAEMON > /dev/null; then
		log_failure_msg "Starting $DESC (already started)"
		exit 0
	fi
	# -p only parses the configuration; refuse to start on a broken config
	if ! $DAEMON -p $DAEMON_OPTS 2> /dev/null; then
		log_failure_msg "Checking $DESC config syntax"
		exit 1
	fi
	log_daemon_msg "Starting $DESC" "$NAME"
	start-stop-daemon --start --quiet --pidfile $PIDFILE \
		--exec $DAEMON -- $DAEMON_OPTS
	log_end_msg $?
	;;
  stop)
	log_daemon_msg "Stopping $DESC" "$NAME"
	start-stop-daemon --stop --quiet --pidfile $PIDFILE \
		--exec $DAEMON
	case "$?" in
		0) log_end_msg 0 ;;
		1) log_progress_msg "(already stopped)"
		   log_end_msg 0 ;;
		*) log_end_msg 1 ;;
	esac
	;;
  force-reload|restart)
	if ! $DAEMON -p $DAEMON_OPTS 2> /dev/null; then
		log_failure_msg "Checking $DESC config syntax"
		exit 1
	fi
	$0 stop
	$0 start
	;;
  status)
	status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
	;;
  *)
	echo "Usage: ${0} {start|stop|restart|force-reload|status}" >&2
	exit 1
	;;
esac
radsecproxy: possible-gpl-code-linked-with-openssl
radsecproxy.1
radsecproxy.conf.5
Description: Minor fixes to the manpages (paths)
Author: Faidon Liambotis <paravoid@debian.org>
Last-Update: 2012-11-06
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -23,7 +23,7 @@
When the proxy server starts, it will first check the command
line arguments, and then read the configuration file. Normally
radsecproxy will read the configuration file
- <filename>/usr/local/etc/radsecproxy.conf</filename>. The command line
+ <filename>/etc/radsecproxy.conf</filename>. The command line
<option>-c</option> option can be used to instead read an
alternate file (see
<citerefentry>
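Review bot: the hunk hard-codes the Debian path /etc/radsecproxy.conf into the manpage source, so this patch has to be carried and rebased against every upstream edit of radsecproxy.conf.5.xml (the changelog already notes that most of fix_manpages was merged upstream and dropped); a less fragile option is a placeholder in the XML that debian/rules substitutes with the configured sysconfdir at build time. Also, debian/manpages ships radsecproxy.1 as well, so confirm that page does not still name /usr/local/etc/radsecproxy.conf as the default.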
@@ -103,7 +103,7 @@ blocktype name {
shell globbing to specify multiple files, e.g.:
<blockquote>
<para>
- include /usr/local/etc/radsecproxy.conf.d/*.conf
+ include /etc/radsecproxy.conf.d/*.conf
</para>
</blockquote>
The files are sorted alphabetically. Included files are read in
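Review bot: the example include path /etc/radsecproxy.conf.d/*.conf is consistent with the first hunk, but debian/rules installs only /etc/radsecproxy.conf and creates no conf.d directory, so the documented example points at a directory the administrator must create by hand; either ship an empty /etc/radsecproxy.conf.d or phrase the example as illustrative. Worth a sentence in the manpage as well: a glob include loads every *.conf in that directory as trusted configuration (tls blocks, secrets, realms), so the directory must be root-owned and not group- or world-writable.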
# Master config file for radsecproxy
# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Multiple statements can be used for multiple ports/addresses
#ListenUDP *:1814
#ListenUDP localhost
#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812
#ListenTLS 10.10.10.10:2084
#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP 127.0.0.1:33000
#SourceTCP *:33000
#SourceTLS *:33001
#SourceDTLS *:33001
# Optional log level. 3 is default, 1 is less, 5 is more
#LogLevel 3
# Optional LogDestination, else stderr used for logging
# Logging to file
#LogDestination file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination x-syslog:///
#LogDestination x-syslog:///log_local2
# For generating log entries conforming to the F-Ticks system, specify
# FTicksReporting with one of the following values.
# None -- Do not log in F-Ticks format. This is the default.
# Basic -- Do log in F-Ticks format but do not log VISINST.
# Full -- Do log in F-Ticks format and do log VISINST.
# Please note that in order to get F-Ticks logging for a given client,
# its matching client configuration block has to contain the
# fticksVISCOUNTRY option.
# You can optionally specify FTicksMAC in order to determine if and
# how Calling-Station-Id (the user's Ethernet MAC address) is being logged.
# Static -- Use a static string as a placeholder for
# Calling-Station-Id.
# Original -- Log Calling-Station-Id as-is.
# VendorHashed -- Keep first three segments as-is, hash the rest.
# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This
# is the default.
# FullyHashed -- Hash the entire string.
# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key.
# In order to use FTicksMAC with one of VendorKeyHashed or
# FullyKeyHashed, specify a key with FTicksKey.
# FTicksKey <key>
# Default F-Ticks configuration:
#FTicksReporting None
#FTicksMAC Static
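The FTicksMAC modes above are described but not illustrated. The following is an added example, not code from radsecproxy or its Debian packaging, that renders a Calling-Station-Id under each mode as the comments define them: Static substitutes a placeholder, Original logs the value as-is, the Vendor modes keep the first three segments (the OUI) and hash the remainder, the Fully modes hash the whole string, and the Key variants salt the hash with the FTicksKey value. The hash (SHA-256, keyed through HMAC), the placeholder text, the sample MAC and the sample key are all assumptions; the page does not state which digest upstream uses.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values (not from the page): a Calling-Station-Id as a NAS
# might send it, and a stand-in for the FTicksKey value.
SAMPLE_MAC = "00-11-22-33-44-55"
SAMPLE_KEY = b"constructed-fticks-key"

# Assumption: the text used in place of the MAC for the Static mode.
STATIC_PLACEHOLDER = "undisclosed"

MODES = ("Static", "Original", "VendorHashed", "VendorKeyHashed",
         "FullyHashed", "FullyKeyHashed")
KEYED_MODES = ("VendorKeyHashed", "FullyKeyHashed")


def _digest(data: str, key: Optional[bytes]) -> str:
    """Hex digest of data, salted with the F-Ticks key when one is given.

    Assumption: SHA-256, with the key applied through HMAC. The config text
    only says the keyed modes 'salt with F-Ticks-Key'.
    """
    raw = data.encode("utf-8")
    if key is None:
        return hashlib.sha256(raw).hexdigest()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def _split_segments(mac: str) -> Tuple[str, list]:
    """Split a MAC into (separator, segments); '-' and ':' are both accepted."""
    sep = "-" if "-" in mac else ":"
    return sep, mac.split(sep)


def anonymize_mac(mac: str, mode: str, key: Optional[bytes] = None) -> str:
    """Render Calling-Station-Id according to the FTicksMAC mode."""
    if mode not in MODES:
        raise ValueError(f"unknown FTicksMAC mode: {mode}")
    if mode in KEYED_MODES and key is None:
        # The config requires FTicksKey for the keyed modes; refuse rather
        # than silently downgrade to the unkeyed hash.
        raise ValueError(f"{mode} requires FTicksKey")

    if mode == "Static":
        return STATIC_PLACEHOLDER
    if mode == "Original":
        return mac
    if mode in ("FullyHashed", "FullyKeyHashed"):
        return _digest(mac, key)

    # Vendor modes: keep the first three segments as-is, hash the rest.
    sep, segments = _split_segments(mac)
    if len(segments) < 4:
        # Edge case: not a dash/colon separated MAC (some NASes send other
        # formats). There is no recognisable vendor prefix, so hash the whole
        # string rather than log an unknown value verbatim (assumption).
        return _digest(mac, key)
    vendor = sep.join(segments[:3])
    rest = sep.join(segments[3:])
    return vendor + sep + _digest(rest, key)


if __name__ == "__main__":
    for m in MODES:
        k = SAMPLE_KEY if m in KEYED_MODES else None
        print(f"{m:16} {anonymize_mac(SAMPLE_MAC, m, k)}")
```

Running the block prints the same sample MAC under all six modes, which makes the trade-off visible: the Vendor modes still disclose the hardware vendor, the unkeyed modes can be reversed by hashing the small MAC space, and only the Key variants tie the output to a secret held by the proxy.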
# You can optionally specify FTicksSyslogFacility to use a dedicated
# syslog facility for F-Ticks messages. This allows for easier filtering
# of F-Ticks messages.
# F-Ticks messages are always logged using the log level LOG_DEBUG.
# Note that specifying a file (using the file:/// prefix) is not supported.
#FTicksSyslogFacility log_local1
#FTicksSyslogFacility x-syslog:///log_local1
# There is an option for doing some simple loop prevention. Note that
# the LoopPrevention directive can be used in server blocks too,
# overriding what's set here in the basic settings.
#LoopPrevention on
# Add TTL attribute with value 20 if not present (prevents endless loops)
#AddTTL 20
# If we have TLS clients or servers we must define at least one tls block.
# You can name them whatever you like and then reference them by name when
# specifying clients or servers later. There are however three special names
# "default", "defaultclient" and "defaultserver". If no name is defined for
# a client, the "defaultclient" block will be used if it exists, if not the
# "default" will be used. For a server, "defaultserver" followed by "default"
# will be checked.
#
# The simplest configuration you can do is:
#tls default {
# You must specify at least one of CACertificateFile or CACertificatePath
# for TLS to work. We always verify peer certificate (client and server)
# CACertificateFile /etc/ssl/certs/ca-certificates.crt
# CACertificatePath /etc/ssl/certs
# You must specify the below for TLS, we always present our certificate
# CertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# CertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Optionally specify password if key is encrypted (not very secure)
# CertificateKeyPassword "follow the white rabbit"
#
# Optionally enable CRL checking
# CRLCheck on
# Optionally specify how long CAs and CRLs are cached, default forever
# CacheExpiry 3600
#
# Optionally require that peer certs have one of the specified policyOIDs
# policyoid 1.2.3 # this option can be used multiple times
# policyoid 1.3.4
#}
# If you want one cert for all clients and another for all servers, use
# defaultclient and defaultserver instead of default. If we wanted some
# particular server to use something else you could specify a block
# "tls myserver" and then reference that for that server. If you always
# name the tls block in the client/server config you don't need a default
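The fallback order for tls blocks above (explicit name, then "defaultclient"/"defaultserver", then "default") is also what the 1.6.2 security fix in the changelog turns on: a client's certificate chain is verified against the CA settings of exactly one tls block, so client blocks that reference a different tls block must not be considered when matching that peer. The following is an added example modelling both rules; it is not radsecproxy's code. The block names, CA paths, client names and name-based matching are constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed tls blocks keyed by name; the CA paths are illustrative only.
TLS_BLOCKS: Dict[str, Dict[str, str]] = {
    "default": {"CACertificateFile": "/etc/ssl/certs/ca-certificates.crt"},
    "defaultclient": {"CACertificateFile": "/etc/radsecproxy/clients-ca.pem"},  # hypothetical
    "partner": {"CACertificateFile": "/etc/radsecproxy/partner-ca.pem"},  # hypothetical
}

# Constructed client blocks: the name the peer certificate must carry and the
# tls block they reference (None means rely on the default fallback).
CLIENTS: List[Dict[str, Optional[str]]] = [
    {"name": "nas1.example.net", "tls": None},
    {"name": "nas2.example.net", "tls": "defaultclient"},
    {"name": "proxy.partner.example", "tls": "partner"},
]


def resolve_tls_block(blocks: Dict[str, dict], role: str,
                      name: Optional[str] = None) -> str:
    """Name of the tls block a client or server ends up using.

    An explicit name wins; otherwise "defaultclient"/"defaultserver" is
    tried, then "default", the lookup order the config comments describe.
    """
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    if name is not None:
        if name not in blocks:
            raise KeyError(f"tls block '{name}' is not defined")
        return name
    for candidate in ("default" + role, "default"):
        if candidate in blocks:
            return candidate
    raise LookupError("no usable tls block; define at least 'default'")


def select_client(peer_name: str, verified_with: str,
                  clients: List[dict] = CLIENTS,
                  blocks: Dict[str, dict] = TLS_BLOCKS) -> Optional[dict]:
    """Pick the client block for a TLS peer whose chain was verified with the
    CA settings of tls block `verified_with`.

    The chain was checked against one CA set only, so a client block that
    resolves to a different tls block (a different CA set) is not a
    candidate even if its name matches the certificate. Matching on a
    simple name field is a simplification of the real certificate checks.
    """
    for client in clients:
        if resolve_tls_block(blocks, "client", client["tls"]) != verified_with:
            continue
        if client["name"] == peer_name:
            return client
    return None


def select_client_by_name_only(peer_name: str,
                               clients: List[dict] = CLIENTS) -> Optional[dict]:
    """Name-only lookup, shown for contrast: it can return a client block
    whose own CA set never verified this certificate."""
    for client in clients:
        if client["name"] == peer_name:
            return client
    return None


if __name__ == "__main__":
    # A peer presenting the partner name, but verified under defaultclient's CA set:
    print(select_client("proxy.partner.example", "defaultclient"))    # None
    print(select_client_by_name_only("proxy.partner.example"))        # the partner block
```

The contrast between the two lookups is the whole point of the fix: with multiple tls blocks, "which CA verified this chain" is part of the client's identity, and a match that ignores it lets a certificate from one CA set claim a client block meant for another.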
# Now we configure clients, servers and realms. Note that these and
# also the lines above may be in any order, except that a realm
# can only be configured to use a server that is previously configured.
# A realm can be a literal domain name, * which matches all, or a
# regexp. A regexp is specified by the character prefix /
# For regexp we do case insensitive matching of the entire username string.
# The matching of realms is done in the order they are specified, using the
# first match found. Some examples are
# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
# To treat local users separately you might try first specifying "@"
# and after that "*".
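The realm rules above (literal domain, `*`, or a `/`-prefixed regexp; case-insensitive; first match in configuration order wins) decide where a request is forwarded or whether it is rejected, so ordering mistakes are routing mistakes. The following is an added example, not radsecproxy's code, that walks a constructed realm table in order and reports the decision for a username. Treating a literal domain as the part after the last `@`, and "no-realm" as the outcome when nothing matches, are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed realm table in configuration order: (realm spec, servers).
# An empty server list is a realm that rejects matching requests, as in the
# "/\.com$" example in the config comments.
REALMS: List[Tuple[str, List[str]]] = [
    ("/@example\\.com$", ["2001:db8::1"]),
    ("/\\.com$", []),
    ("*", []),
]


def realm_matches(spec: str, username: str) -> bool:
    """Apply one realm spec to the full username string."""
    if spec == "*":
        return True
    if spec.startswith("/"):
        # regexp realm: case-insensitive, applied to the whole username
        return re.search(spec[1:], username, re.IGNORECASE) is not None
    # literal domain: assumption here is that it matches the part after the
    # last '@', case-insensitively
    _, _, domain = username.rpartition("@")
    return domain.lower() == spec.lower()


def first_matching_realm(realms: List[Tuple[str, List[str]]],
                         username: str) -> Optional[Tuple[str, List[str]]]:
    """First realm in configuration order that matches, or None."""
    for spec, servers in realms:
        if realm_matches(spec, username):
            return spec, servers
    return None


def route(realms: List[Tuple[str, List[str]]], username: str) -> str:
    """Decision for a username: forward to a server, reject, or no realm."""
    hit = first_matching_realm(realms, username)
    if hit is None:
        return "no-realm"
    spec, servers = hit
    return f"forward:{servers[0]}" if servers else f"reject:{spec}"


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@test.com", "carol@example.org"):
        print(f"{user:20} {route(REALMS, user)}")
    # Same table with "*" first: every request lands in the catch-all.
    print(route(list(reversed(REALMS)), "alice@example.com"))
```

The reversed table in the last line shows the caveat the comments hint at: a broad realm such as `*` or `/\.com$` placed before a specific one shadows it, silently rejecting (or misrouting) users the specific realm was meant to serve.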
# Configure a rewrite block if you want to add/remove/modify attributes
# rewrite example {
# # Remove NAS-Port.
# removeAttribute 5
# # Remove vendor attribute 100.
# removeVendorAttribute 99:100
# # Called-Station-Id = "123456"
# addAttribute 30:123456
# # Vendor-99-Attr-101 = 0x0f
# addVendorAttribute 99:101:%0f
# # Change users @local to @example.com.
# modifyAttribute 1:/^(.*)@local$/\1@example.com/
# }
# An example client
#client [2001:db8::1] {
# # type can be one of tcp, udp, tls, dtls
# type udp
# # secret is optional for TLS/DTLS
# secret secret
# # Might do rewriting of incoming messages using rewrite block example
# rewriteIn example
# # Can also do rewriting of outgoing messages
# rewriteOut example
# # if you also want to use this server for accounting, specify
# accountingServer 127.0.0.1
# # statusserver is optional, can be on or off. Off is default
# StatusServer on
#}
# Equivalent to example.com
#realm /@example\.com$ {
# server 2001:db8::1
#}
# One can define a realm without servers; the proxy will then reject
# any requests matching it. Optionally one can specify a ReplyMessage
# attribute to be included in the reject message. One can also use the
# AccountingResponse option to make the proxy answer accounting requests
# for such a realm with an Accounting-Response.
#realm /\.com$ {
#}
#
#realm /^anonymous$ {
# replymessage "No Access"
# AccountingResponse On
#}
# example config for localhost, rejecting all users
client 127.0.0.1 {
	type udp
	secret testing123
}

realm * {
	replymessage "User unknown"
}
#!/usr/bin/make -f
#export DH_VERBOSE=1

%:
	dh $@

override_dh_auto_configure:
	dh_auto_configure -- --enable-fticks

override_dh_auto_install:
	dh_auto_install
	# remove useless/sparsely used binary
	rm -f debian/radsecproxy/usr/bin/radsecproxy-conf
	# while they don't need root, they're not really users' material
	mv -n debian/radsecproxy/usr/bin/* debian/radsecproxy/usr/sbin/
	rmdir --ignore-fail-on-non-empty debian/radsecproxy/usr/bin
	# remove the example config with the wrong filename
	# and install a prepared config that works by default
	rm -f debian/radsecproxy/etc/radsecproxy.conf-example
	cp debian/radsecproxy.conf debian/radsecproxy/etc/radsecproxy.conf
# Compulsory line, this is a version 3 file
version=3
opts="uversionmangle=s/-(alpha|beta)/~$1/" \
http://software.uninett.no/radsecproxy/index.php?page=download radsecproxy-(.*)\.tar\.gz