The functionality previously forced by files/patch-ab is now available using the FreeRADIUS with_ntdomain_hack = yes configuration option within mschap { }. files/patch-ab is therefore being removed. /usr/ports/UPDATED needs to carry a warning about the change in functionality, though it is expected to affect only a minority of users.

This change makes rlm-mschap behave the same on FreeBSD as on other platforms. This should help make FreeRADIUS configurations more portable between FreeBSD and other platforms. Without this change, it's possible for a FreeRADIUS configuration to work on FreeBSD but not on other platforms, where failures within MS-CHAP will be observed.

Background: files/patch-ab was required to force RFC 2759 compliance in historic versions of FreeRADIUS. FreeRADIUS itself now provides the necessary functionality, which is enabled using with_ntdomain_hack = yes inside the mschap { } section of the FreeRADIUS configuration.

RFC 2759, the specification for MS-CHAPv2, requires the calculation of the NT-Response field relating to an MS-CHAPv2 Response to use only the user name, without any prepended domain name (see RFC 2759 paragraphs 4 and 8.2). RFC 2759 paragraph 4 states "When computing the NT-Response field contents, only the user name is used, without any associated Windows NT domain name." Later, it states, "The Windows NT domain name may prefix the user's account name". RFC 2759 paragraph 8.2 amplifies this by stating, in connection to the challenge_hash() function that files/patch-ab patches (which is the implementation of RFC 2759's ChallengeHash), "Only the user name (as presented by the peer and excluding any prepended domain name) is used as input to SHAUpdate()."

Fix: See attached patch.
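To show concretely why the domain prefix matters, the following is an added Python model of RFC 2759's ChallengeHash() and of the domain stripping that with_ntdomain_hack performs; it is example code, not rlm_mschap.c or anything attached to this PR, and it assumes a single backslash is the NT domain delimiter and that the client hashed the bare user name as RFC 2759 requires.

```python
import hashlib

# Test vector from RFC 2759 section 9.2 (UserName "User", no domain prefix)
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def strip_nt_domain(username: str) -> str:
    """Model of with_ntdomain_hack: keep only the text after the NT domain
    delimiter, so "CORP\\User" becomes "User". Assumption: a single
    backslash is the delimiter and everything before it is the domain."""
    _domain, sep, user = username.partition("\\")
    return user if sep else username


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 octets of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def server_challenge(username_as_sent: str, ntdomain_hack: bool) -> bytes:
    """What the server derives from the User-Name it received. Only with the
    hack enabled does "CORP\\User" hash the same way the client did."""
    name = strip_nt_domain(username_as_sent) if ntdomain_hack else username_as_sent
    return challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, name)


def rfc2759_vector_ok() -> bool:
    """Check the implementation against the RFC's published Challenge."""
    return challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, "User") == RFC_CHALLENGE


if __name__ == "__main__":
    print("RFC 2759 vector matches:", rfc2759_vector_ok())
    for hack in (False, True):
        c = server_challenge("CORP\\User", hack)
        status = "OK" if c == RFC_CHALLENGE else "MISMATCH -> MS-CHAP failure"
        print(f"with_ntdomain_hack={'yes' if hack else 'no'}: {c.hex()} {status}")
```

A mismatch here is exactly the failure the rlm_mschap debug line "NT Domain delimeter found, should we have enabled with_ntdomain_hack?" is hinting at.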
Note: files/patch-ab should be removed

Please add the following warning to /usr/ports/UPDATED:

AFFECTS: Users of net/freeradius
AUTHOR: David Wood <david@wood2.org.uk>

FreeBSD used to patch FreeRADIUS's rlm_mschap.c to strip all domain names when calculating the hash of an MS-CHAP challenge (a requirement specified in RFC 2759 paragraph 4 and amplified in paragraph 8.2). FreeRADIUS now offers its own solution to discard a domain name before hashing in the MS-CHAP code, which can be enabled via a configuration option. As there is no longer any need for the FreeBSD patch, it has been removed, leaving the MS-CHAP code behaving as supplied by the FreeRADIUS team.

If the previous behaviour of the MS-CHAP code is required, add:

with_ntdomain_hack = yes

to the mschap { } section of your FreeRADIUS configuration. There should be a commented out line that can be modified around line 696 of /usr/local/etc/raddb/radiusd.conf if your configuration is based on the sample FreeRADIUS configuration.

This option is not set by default in the sample FreeRADIUS configuration. Only those who have clients sending a domain name as part of the user name when using MS-CHAP will be affected by this change; they will need to set this option to allow FreeRADIUS to authenticate their clients successfully. This may only affect those with older Windows clients, but I cannot be sure.

Some sources suggest setting this configuration option anyway to prevent FreeRADIUS from breaching RFC 2759 inadvertently, leading to authentication failure. It is left to the user whether to set this configuration option anyway, or only to set it in the event of authentication failures stemming from MS-CHAP.

Debug output from radiusd that reads "rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?" suggests that this configuration option should be enabled.

Patch attached with submission follows:
Let's have another crack at formatting the proposed wording for /usr/ports/UPDATED - it looks pretty ugly in the web version of the PR:

Please add the following warning to /usr/ports/UPDATED:

AFFECTS: Users of net/freeradius
AUTHOR: David Wood <david@wood2.org.uk>

FreeBSD used to patch FreeRADIUS's rlm_mschap.c to strip all domain names when calculating the hash of an MS-CHAP challenge (a requirement specified in RFC 2759 paragraph 4 and amplified in paragraph 8.2). FreeRADIUS now offers its own solution to discard a domain name before hashing in the MS-CHAP code, which can be enabled via a configuration option. As there is no longer any need for the FreeBSD patch, it has been removed, leaving the MS-CHAP code behaving as supplied by the FreeRADIUS team.

If the previous behaviour of the MS-CHAP code is required, add:

with_ntdomain_hack = yes

to the mschap { } section of your FreeRADIUS configuration. There should be a commented out line that can be modified around line 696 of /usr/local/etc/raddb/radiusd.conf if your configuration is based on the sample FreeRADIUS configuration.

This option is not set by default in the sample FreeRADIUS configuration. Only those who have clients sending a domain name as part of the user name when using MS-CHAP will be affected by this change; they will need to set this option to allow FreeRADIUS to authenticate their clients successfully. This may only affect those with older Windows clients, but I cannot be sure.

Some sources suggest setting this configuration option anyway to prevent FreeRADIUS from breaching RFC 2759 inadvertently, leading to authentication failure. It is left to the user whether to set this configuration option anyway, or only to set it in the event of authentication failures stemming from MS-CHAP.

Debug output from radiusd that reads "rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?" suggests that this configuration option should be enabled.
Formatting: This should be a total of five paragraphs. The paragraph breaks come:

...FreeRADIUS team.[para]If the previous behaviour ...
...sample FreeRADIUS configuration.[para]This option is not ...
...I cannot be sure.[para]Some sources ...
...stemming from MS-CHAP.[para]Debug output from ...

In the second paragraph, "with_ntdomain_hack = yes" should be on a line by itself.
When one of the busy committers gets round to having a look at this, and hopefully committing it, can an acknowledgement be added along the lines of:

New maintainer alerted to this issue by private mail from Thomas Vogt <thomas@bsdunix.ch>

It was remiss of me to omit that acknowledgement in the original PR. Thanks.
Responsible Changed From-To: freebsd-ports-bugs->alepulver I'll take it.
alepulver 2006-11-07 02:51:44 UTC

FreeBSD ports repository

Modified files:
  .                      UPDATING
  net/freeradius         Makefile
Removed files:
  net/freeradius/files   patch-ab

Log:
- Remove patch file: freeradius/files/patch-ab (see UPDATING note).
- Add note to UPDATING.

PR:           ports/105025
Submitted by: David Wood <david@wood2.org.uk> (maintainer)

Revision  Changes  Path
1.422     +41 -1   ports/UPDATING
1.51      +1 -0    ports/net/freeradius/Makefile
1.4       +0 -19   ports/net/freeradius/files/patch-ab (dead)
State Changed From-To: open->closed Committed. Thanks!