FreeRADIUS 0.8.1 ; $Date: 2002/12/11 19:22:08 $, urgency=low * String length checking in the PAP module, to avoid false positives in authentications. * Use proper variable for log/error messages, instead of an uninitialized buffer. * Perform an SQL 'close' on connections, before doing reconnects. This should fix connection leaks. * Make the server better look for the return code from checkrad. * Fixes to better handle Oracle character types from Stocker Gernot. * Link order fixes for problems with crypt() * Added Alteon Web switch dictionary, from Thomas Linden. * Better parsing of dictionary files. FreeRADIUS 0.8 ; Date: 2002/11/18 15:37:24, urgency=low * Added Oracle-specific queries. * Updated SQL queries to match schema. * PostGreSQL reconnect patch. * Added documentation on how to build on MAC OSX. * Allowed SQL module to ignore unknown Acct-Status-Type values. * Updated PostGreSQL queries and schema. * Updated the log rotation configuration files. * Colubris and updated Nomadix dictionaries, from Marko Myllynen. * Normalized error messages from the SQL modules, so that they're more informative. * Added Suse specific directory and configuration files, from Peter Nixon * SQL fail-over patch, so that the module returns FAIL if the back-end database is down. Based on a patch from Thomas Jalsovsky. * Cleaned up the internal handling of the configuration information, in preparation for better handling SIGHUP. * Updated rlm_krb5 configuration to better find it's libraries and include files. * radclient now complains if it receives a reply from a machine other than the one to which it sent the request. * Updated Postgresql SQL queries to get the operator, too. * Added Juniper dictionary. * Added Cisco VPN3000, VPN5000, and BBSM dictionaries. * New platform-neutral 'rc.radiusd' * Configuration files with private information get chmod'd 0600 after installation. * Preliminary support for clean shutdowns when a SIGTERM is received. * SNMP timeouts for checkrad, so there will be fewer situations where it hangs for 30 seconds... * Added code to clean up modules and memory when asked to exit via SIGTERM. * Removed all need for the old-style 'naslist' and 'client' files, and noted that they are deprecated. * Added support for Status-Server packets, stolen shamelessly from Cistron RADIUSD. This is despite the RFC's saying such things are wrong. * Bug fixes to rlm_dbm. * Updates for checkrad, max40xx routine, from Aleksandr Kuzminsky. * Disable caching of passwords for the Unix module. It was causing too much confusion. * Fix a memory leak when proxying Authentication-Request's * Attributes which are not found in the dictionary are now of type 'octets', instead of 'string'. * Support for "round-robin" load balancing, when proxying requests to multiple servers for one realm. * Minor changes for better HPUX support. * Updated the documentation and README's * Made FreeTDS build ONLY after hand-editing, as the FreeTDS libraries are in a state of flux, due to active development. * Fixes to help build the server on MAC OSX * Cisco VPN 3000 dictionary, as posted to the list by Chris Deramus. * Fix EAP problems with retransmission, from Rainer Weikusat. * Updates to the Oracle module, from Andrea Gabellini. * In xlat, Unix timestamps are unsigned ints. * Security fixes for the Kerberos Module. * New 'post-auth' section, to do additional processing of requests after they've been authenticated. * doc/aaa.txt describes how the server works. * More uniform encoding/decoding of passwords, so that they will be seen as clear-text where possible. * radwho and radzap now read 'radiusd.conf' to discover where the radutmp files are located. Patch from Andrea Gabellini. * Preliminary 'expression' module, to allow you to do cool things like: Session-Timeout = `%{expr:3600 - %{sql:SELECT ...}}` * Added ability to do xlat on check items, and reply items, so that the value of the reply attributes can be dynamically generated. * Added MIBs, taken from the RFC's. This makes SNMP queries to the server a little easier to set up. * Don't SEGV when we receive a packet which is larger than the size claimed in the RADIUS portion. Patch from Vaughn Skinner. * SNMP patches from Harrie Hazewinkel. * Added Altiga dictionary, from Calum <calum.aug02@umtstrial.co.uk> * New Rewrite-Rule for rlm_attr_rewrite, to selectively choose which rewrite rule is performed, and when. * Minor bug fixes for radrelay. * Bug fixes in SQL and sub-modules. * Major updates to dialup_admin. * Fixed handling of tagged string attributes, so that the server doesn't go off into never-never land. * Cleaned up experimental rlm_smb, so that it builds on more platforms. * Don't over-write request->reply->vps with the Reply-Message, when doing authentication rejects with Exec-Program-Wait. * Added 'instantiate' section, so that modules like 'expr', with only an 'xlat' function can be registered. * Allow '{' and '}' in xlat'd strings. * C++ compatibility patch from Andrey Kotrekhov, for libradius. * Automatically decrypt/encrypt User-Password, so that debugging mode will print out the text password, and not the random garbage it previously showed. * Cleaned up header files and function prototypes for the SQL sub-modules. FreeRADIUS 0.7 ; Date: 2002/07/26 18:01:50 , urgency=high * Allow attributes of type 'date' to be sent in outgoing packets. Bug found by Loh John Wu <ljwu@sandvine.com> * Add 'Realm' attribute, even if it's a LOCAL realm. Bug noted by Chris Brotsos. * Added experimental SMB authentication module, which uses PAP passwords to authenticate against an NT-Domain. NT/LM-passwords are not currently supported. * More documentation for rlm_passwd, rlm_mschap, and rlm_digest. * 'configure' changes to better find sem_init and friends. * Allow the use of previously installed libtool, and libltdl. This appears to help a lot on FreeBSD. * Fixes to work on non-threaded builds. Patch from Rainer Weikusat. * SQL now re-connects to the server, if the connection is lost. Currently only MySQL is fixed, but other patches will follow. Patch from Todd T. Fries. * Added experimental use of dynamicly translated variables, CallBack-Number = `%{request:Calling-Station-Id}` sets the value of the CallBack-Number attribute to the value of the Calling-Station-Id in the original request. * Cute hack: Allow regex matching on IP addresses, by placing the string representation of the IP address (1.2.3.4) into the internal data structure. This allows things like NAS-IP-Address =~ "^192\.168", which may be useful. * Add documentation for experimental rlm_dbm module. * Added experimental Perl module. * Added the relevant IETF RFC's (standards documents) to 'doc/rfc', along with some simple perl scripts to convert them to cross- referenced HTML. * Updated the experimental Python module. * Added Cisco SSG VSA's * When rejecting authentication due to external Exec-Program, do NOT free the reply pairs, as the server core will take care of doing that. Bug noted by Thomas Jalsovsky * New experimental module: rlm_cram Supports APOP, CRAM-MD5, CRAM-MD4, CRAM-SHA1 with it's own VSA's. This module may be used for SMTP/POP3/IMAP4 server authentication. * Make Exec-Program and Exec-Program-Wait work in debugging mode. * Finalize the radrelay additions, based on Cistron RADIUS Patches from Simon <lists@routemeister.net> * Fix issues with linking, by making libradius shared. * Fix issues with MD4, MD5, SHA1, and use of OpenSSL * Update rlm_x99_token module to compile. FreeRADIUS 0.6.0 ; Date: Date: 2002/07/03 14:16:33 , urgency=high * Many bug fixes. For explicit details, see: http://www.freeradius.org/cvs-log/ * Change to the user/group specified in the config file in all modes ( debug and daemon ). * SQL sockets are rotated so that all are used, to prevent the SQL server timing out and closing unused sockets. Patch from Todd T. Fries * Sybase driver from mattias@nogui.se. * Modules are now versioned. * Delete garbage Proxy-Reply attributes sent by the home server before performing our own reply. * Fix race conditions when duplicate packets resulted in a request being processed by two threads, at the same time. * Add '-d' command-line option to radwho Bug noted by Matthew Schumacher * Corrected issue that when a home server never replied to a proxied request, the server may die. * In SQL, look in radcheck, if not found there, try radgroupcheck. Patch from Thomas Jalsovsky. * Set sql user name for ALIVE accounting packets, too. Patch from Simon <lists@routemeister.net>. * Use port-specific checking for realms, now that we can proxy to different auth/acct servers for the same realms. Patch from Eddie Stassen. * Minor updates to encrypted tunnel passwords. * Default 'run_dir' is now /var/run/radiusd, not var/run. /var/run is writeable only by root, and radiusd may be run suid. * Modules are now versioned, so that upgrading the server ensures that the new modules are installed. * Fix sql code, so that magic SQL characters don't get the SQL server excited. * Remove references to "UNKNOWN-NAS" in log messages. * Properly handle fork() and obtaining child processes exit status when using threads. (pthread is broken w.r.t. signals) * Correct code which would send erroneous reject, when the reject was delayed, and a new request came in. * Fix race condition where proxied requests would sometimes never be re-sent. Bug noted by Eddie Stassen. * Corrected LDAP3 schema * Implemented Digest authentication, as per IETF document draft-sterman-aaa-sip-00.txt, to perform authentication against a Cisco SIP server. * If no password or group files have been specified in the config, use the standard system calls to find them, rather than giving up. Patch from Steve Langasek. * Return Proxy-State attributes in a delated Access-Reject * Corrected 'session zap' logic, when an old and unused session is deleted from the databases. Accounting packets with garbage Client-IP-Address attributes should no longer be a problem. * Bug fixed in LDAP attribute map, for MS-CHAP related attributes. * Fixes to the EAP module to work better with XP. * Support for MS-SQL, using the FreeTDS library, from Dmitri Ageev * New operators =* and !*. See 'man 5 users' for details. * Added translation for %{config:section.subsection.item}, to allow run-time translation of internal configuration parameters. * New rlm_sqlcounter module, to keep counters based on SQL data. * Fix rlm_realm, to allow seperate proxying of accounting and authentication requests. * Bug fixes in PostgreSQL back-end, from Andrew Kukhta. * Increase internal buffers, to allow large SQL query strings. * Added debug level 3 (-xxx), where debug messages have time stamps. * Fix 'radwho' to use the correct radutmp file, as found by 'configure' (but radwho still doesn't read radiusd.conf) * Fix bugs in tunnel (tagged attribute) code, which would prevent tagged attributes from being generated correctly in a packet. * Build only 'stable' modules by default. Experimental modules require --with-experimental-modules to be passed to 'configure' * New module rlm_ippool, to do server-side IP pooling. * Fix rlm_eap module for portability, to work on non-x86 platforms. * Re-connect to the LDAP server if the connection idles out * Increased the visibility of the warning messages when doing 'make install' * Fixed EAP module to use 16-bit integers, so that it will work on big-endian architectures. FreeRADIUS 0.5.0 ; Date: 2002/03/14 22:18:22, urgency=medium * Many bug fixes. For explicit details, see: http://www.freeradius.org/cvs-log/ * Added Foundry dictionary, from Thomas Keitel * Fix a logic bug in the 'walk over request list' code, which would sometimes result in a request being deleted while it was still being processed. Found by Rainer Clasen * New 'tuning' guide, for optimizing the server's speed. * The default ports are now 1812/1813, which is the standard. * Fix a bug which would hang the server when many SQL connections were open. Found by Cvetan Ivanov <zezo@spnet.net> * Updated MySQL schema, with sanity checks, based on a schema from Thomas Huehn <huehn@eozaen.net> * Added 'Aptis' (Nortel CVX) dictionary. * Added Ipv6 attributes (as 'octets' type for now) * 'xlat' capability for SQL, so other modules can do SQL queries. * We don't need a shared secret for LOCAL realms. * Added better description of internal variables. * Configurable fail-over to DEFAULT realm. Sometimes we don't want to use the DEFAULT realm, if all configured realms are marked dead. From Rainer Clasen. * new configuration items 'max_attributes' and 'reject_delay' If the packet contains too many attributes, it can be rejected. We can also delay sending an Access-Reject, which slows down certain DoS attacks. * Updates to redhat scripts and spec file, from Marko Myllynen. * Python module (EXPERIMENTAL) from migs paraz <mparaz@yahoo.com> * Add ability to find *best* match when comparing attributes. If there is more than one attribute in a request and the first one doesn't match, go check the second one, instead of failing. * unixODBC support for SQL, from Dmitri Ageev <d_ageev@ortcc.ru> * Use thread-safe versions of library calls. This work is still on-going. * New rlm_passwd module, to allow general parsing of passwd-style files. * Preliminary EAP-TLS support. * Updated LDAPv3 schema * Correct checks for Odbc, and fix bugs in the module. Andreas Kainz <aka@maxxio.at> * MAN page fixes and updates * Added PHP web interface 'dialup_admin' * Password = "UNIX" or "PAM" backwards compatibility removed. * Use the operators in the SQL schema and queries, and bug fixes in the SQL module. Randy Moore <ramoore@axion-it.net> * fgetpwent() compatibility, for systems without it, from Daniel Carroll <freeradius@defiant.mesastate.edu> * Added PAP authentication module, as a step to removing most authentication handlers in other modules. * Send a Access-Reject after max_request_time * Multiple fixes in the LDAP module. * Quintum dictionary by Jeremy McNamara <jj@indie.org> * Preliminary EAP Module with MD5 support Contributed by Raghu <raghud@hereuare.com> * Better sanity checking for bad VSA's when receiving a packet * new 'xlat register' so that attribute values may be pulled out of configurable databases at run-time. e.g. %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u} * Minor fixes to debian package rules * Attribute 'Password' deprecated in favor of 'User-Password'. * MS-CHAP and MS-CHAPv2 MPPE support added. Contributed by Takahiro Wagatsuma <waga@sic.shibaura-it.ac.jp>. * X9.9 token enhancements (several). -- Alan DeKok <aland@ox.org> FreeRADIUS 0.4.0 ; urgency=low * Allow the MS-CHAP module to work, and to read /etc/smbpass 3APA3A <3APA3A@SECURITY.NNOV.RU> * Remove the server requirement that one of User-Password or CHAP-Password exist when doing authentication. These checks should be handled by the modules. This change also prepares us for EAP. Patch from Raghu <raghud@hereuare.com> * Make NAS-Port-ID in radwho, raduse, etc. unsigned, instead of signed. Patch from John Morrissey <jwm@horde.net> * Allow \t and \n inside of configuration strings. Frank Cusack <fcusack@fcusack.com> * X9.9 Challenge-Response token card support. For now, only CRYPTOCard tokens are supported. Frank Cusack <fcusack@fcusack.com> * Fix core dump on Solaris in radwho.c Patch from Eddie Stassen <eddies@saix.net> * Fix leak / core dump in Oracle module. * Fix memory leak in rlm_counter Kostas Kalevras <kkalev@noc.ntua.gr> * "LOCAL" realms do not need to have an entry in the 'clients' file. Philippe Levan <levan@epix.net> -- Alan DeKok <aland@ox.org> FreeRADIUS 0.3.0 ; urgency=low * Added ability to send debug messages to the log file, when running in daemon mode. * Miscellaneous fixes to get Debian packaging working. * When trapping a signal, don't SIGKILL children on a SIGTERM, SIGTERM them, instead. This allows Exec-Program scripts to catch the signal, and finish processing, instead of dying. Bug noted by Michael Chernyakhovsky <magmike@mail.ru> * Increased limit on length of user name read from /etc/passwd, to match the maximum allowed by RADIUS. Bug noted by "Gonzalez B., Fernando" <fgonzalez@manquehue.cl> * Configurable fail-over when proxying packets. If the home server doesn't respond to a repeated proxied request, it's marked as 'dead', and the next one in the list is used. Patch by Eddie Stassen <eddies@saix.net> and <spirn@21cn.com> * Pass Access-Challenge attributes through the server, in preparation for EAP. Raghu <raghud@hereuare.com> * More fixes for RFC compliance on the Message-Authenticator Raghu <raghud@hereuare.com> * Merged OSFC2/OSFSIA authentication patches from Cistron. (Bug # 104) The patches are not well tested, however. * IBM DB2 UDB V7.1 SQL driver, contributed by Joerg Wendland <wendland@scan-plus.de> * Fix the IP + Port address assignment. Bug found by "John Padula" <john_padula@aviancommunications.com> * Patch to avoid smashing the contents of Ascend binary filters. Michael Chernyakhovsky <magmike@mail.ru> * Create and Validate Message-Authenticator attribute, in preparation for EAP. * Initialize variables properly in rlm_attr_filter. Patch from Andriy I Pilipenko <bamby@marka.net.ua> * Renamed RedHat init script from 'radiusd.init' to 'radiusd'. This allows it to work properly with the RedHat rc system. Patch from Christian Vogel <chris@amor.iksys.de> * Fix the configure script checks for PostgreSQL, so that they use the 'test' command properly. Bug found by Robert Haskins <rhaskins@ziplink.net> * Change instances of 'assert' to 'rad_assert', so that it can log the error to the standard radius log files. Patch from Vesselin Atanasov <vesselin@bgnet.bg> * Patch to prevent segv when freeing results, from Tomas Heredia <tomas@intermediasp.com> * Added support for Exec-Program to acct. Bug found by <magmike@mail.ru> * Corrected rlm_files so that raddb/acct_users works * When doing synchronous proxying, update proxy next try entries, so that the server doesn't eat CPU time. Raghu <raghud@hereuare.com> * Add primitive dictionary.nomadix <CBoyd@apogeetelecom.com> * Log messages to console, if the logger hasn't been initialized. <vesselin@bgnet.bg> * Log invalid user for proxy rejects, too. <help@visp.net> * Fixed Expiration attribute handling. * Added code to handle Ascend-Send-Secret and Ascend-Receive-Secret * Removed non thread-pool code. If we have threads, we now force the use of thread pools. * Update version number * correct bug where proxied accounting packets would never have a reply sent back to the NAS, or the reply would be sent twice. -- Alan DeKok <aland@ox.org> FreeRADIUS Alpha 0.2.0, July 30, 2001. * call openlog() again when using PAM, to get the correct log facility. * Update child thread code, to minimize race conditions. * Make thread pools the default. Using plain child threads is NOT recommended. * Ignore SIGPIPE to get ride of crashes when using ldap. * Update proxying code to work better. * Platform independent pthread_cancel()ling * Fix 'unresponsive child pid' erroneous warning messages. * Many changes to get various SQL modules working. Note that there may still be some issues with Oracle. * Added configure options 'with-rlm-FOO-include/lib-dir', so that lower-level rlm_FOO modules can be configured via the top-level configuration file. This isn't completely done yet. * Fix check for shared library using libtool info, instead of assuming extension being ".so". * Fixes for HPUX. We probably need more. * Many additional bug fixes and changes.