Patched radius 2.01 available ...

Cristian Gafton (gafton@sorosis.ro)
Wed, 23 Jul 1997 16:01:35 +0300 (EET DST)

Hello all,

I have upgraded my set of patches to the Livingston RADIUS 2.01, and added
some new features too. In short, my patches include support for:
- multiple sessions limits (LOGINS check item)
- max monthly time limits (MAXTIME check item)
- time periods logins limits (Time check item)
- support for shadow passwords aging (EXPIRE="SHADOW" check item)
- support for MD5 encrypted passwords (both in system's passwd
files and in users file)
- support for Pluggable Authentication Modules on Linux

As some of you know, these features were present in older releases I did
for radius 2.0. Now they are patching fine against 2.01 source code, which
you will have to get separately from Livingston site.

I have added two simple perl scripts to have some examples how to work
with the internal data structures used by my patches, so you can build
your own CGI scripts for online tracking, etc.

Please send me updates, comments, ideas, etc. If you build some CGI
scripts and you would like to have them distributed with this release,
please send them along.

You can get the patches from http://sysadm.sorosis.ro/devl/radius

I have attached a copy of the UPDATES file to this message for those
interested to read more before proceeding. About the same information is
available on the www page mentioned above.

Best wishes and good luck,

Cristian Gafton

--
--------------------------------------------------------------------
Cristian Gafton                                    gafton@sorosis.ro
Computers & Communications Center              Network Administrator
http://sysadm.sorosis.ro/devel                         Iasi, Romania
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly. It's just selective about who its friends are.

UPDATES readme for the Livingston RADIUSD 2.01
==============================================
Cristian Gafton <gafton@sorosis.ro>

NOTE: If you want to have the following features working reliably on your system, run the radiusd server in single-thread mode (radiusd -s).

REQUIREMENTS:
- GNU make (sorry, folks...)
- GNU dbm (aka gdbm)
- an ANSI C compiler (gcc is your friend)

CHANGES TO THE NORMAL MODE OF OPERATION:
- the default accounting directory is now /var/log/radius instead of
  /usr/adm/radacct. Please make note of this and don't bug me on this
  subject. You can change this in several ways:
    - using radiusd -a </your/acct/dir>
    - modify src/radius.h and recompile
    - make the necessary links on your system.
- radiusd now is writing one radlast log file per month (automatically
  created). Detail files are named now detail-NN, where NN is the month
  number.
- PARANOIA: all sources cleaned up. Now they compile cleanly with gcc
  and the following flags:
      -D_POSIX_SOURCE -Wall -Wwrite-strings \
      -Wpointer-arith -Wcast-qual -Wcast-align \
      -Wtraditional -Wstrict-prototypes -Wmissing-prototypes \
      -Wnested-externs -Winline -Wshadow -pedantic
- The code is now full of prototypes for all functions contained in the
  source files. This means "Sorry if you don't have an ANSI compiler."

ADDITIONS:
- added support for limiting the online time of some users during the
  peak hours. Added a new program called radwatch. This program is
  intended to be run often from crontab, and used in conjunction with a
  pm_kill program. See RADWATCH file for details.
- added support for /etc/raddb/denyuser file. This file contains one
  username per line. For users listed here the authentication will be
  denied regardless of any other settings. You can use @group instead of
  a username to get this restriction automatically applied to all
  members of some group (talking about UNIX user group here...)
- a new program, 'radlist' is provided for querying the user-stats
  database maintained by the radius server. See 'radlist -h' for more.
- radiusd is logging with LOG_NOTICE failed authentications and their
  reasons. (thanks to Tim Moloney <moloney@netsrq.com>)
- radlast command provided for keeping track of the PMs usage. The
  database used to store the information is located by default in
  /var/log/radius/radlast (defined in radius.h). Note that this database
  is _not_ compatible with the standard UNIX last program. See
  'radlast -h' for more.
- MD5 encrypted passwords support (both in passwd file and/or users
  file)
- you can specify now Expire="SHADOW" as a check item to use the expiry
  information from the shadow file on shadowed systems (useable also on
  DEFAULT entries)
- added MAXTIME=integer check item to specify the max number of monthly
  hours a user may use the system.
- added the LOGINS=integer check item for users file. You can limit the
  max number of concurrent logins with this parameter. This should work
  reliably now (if you use gdbm and single threaded mode...)
- added support for PAM on systems which can use it. It is enabled by
  default on Linux_2.0 and commented out for Linux_1.2. See the PAM-INFO
  file for more details.
- added a Time=string check-item to limit the time frame a user is
  allowed to log in. The format consists of day specifiers followed by
  hour intervals, multiple values separated by commas. Day specifiers
  are Mo, Tu, We, Th, Fr, Sa, Su and Wk meaning Mo-Fr and Al meaning all
  of them. Hour intervals are specified as HHMM-HHMM (hours_minutes).
  Thus, valid entries are:
      Time = "MoTuWe0800-1400,Wk2200-0400"
      Time = "Al1800-0600,Wk1000-1330"
  ... you get the idea. PLEASE DON'T USE SPACES in the string. The
  parser is brain dead already. :-)

BUGS FIXED:
- fixed a bug which on some systems resulted in radiusd not seeing the
  changes in /etc/shadow and/or /etc/passwd files. (thanks: Ray Rocker)
  (Solution: play hard with set(pw/sp)ent() and end(pw/sp)ent()
  functions).

THINGS YOU NEED TO KNOW:
- radiusd is not clearing the user_stats database when restarted, thus
  there is a possibility of hung logins and inconsistency with the real
  situation. There is a command line switch to enable clearing the
  user-stats database upon startup. See 'radiusd -h' for more. (For
  those with limited imagination, it is the '-c' flag :-)

Report bugs to Cristian Gafton <gafton@sorosis.ro>
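
An added example, not part of the original message or of the patch set: a strict C checker for the Time check-item format described in the UPDATES file above. It assumes weekday 0 = Monday, that an interval whose end is earlier than its start wraps past midnight and is matched against the day of the login attempt, and that a malformed string (spaces included) yields -1 so the caller can deny the login; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Day bitmask: bit 0 = Mo ... bit 6 = Su; Wk = Mo-Fr, Al = every day. */
static const char *const DAY_TOK[] = {"Mo","Tu","We","Th","Fr","Sa","Su","Wk","Al"};
static const unsigned DAY_BITS[] = {1, 2, 4, 8, 16, 32, 64, 0x1f, 0x7f};
/* "HHMM" -> minutes since midnight, or -1 if malformed or out of range. */
static int parse_hhmm(const char *s) {
    int i, h, m;
    for (i = 0; i < 4; i++)
        if (s[i] < '0' || s[i] > '9') return -1;
    h = (s[0] - '0') * 10 + (s[1] - '0');
    m = (s[2] - '0') * 10 + (s[3] - '0');
    return (h > 23 || m > 59) ? -1 : h * 60 + m;
}

/* 1 = login time allowed, 0 = not allowed, -1 = malformed Time string.
 * wday: 0 = Monday ... 6 = Sunday (assumption); minute: 0..1439. */
int time_allowed(const char *spec, int wday, int minute) {
    int allowed = 0;
    if (!*spec || wday < 0 || wday > 6 || minute < 0 || minute > 1439) return -1;
    while (*spec) {
        unsigned days = 0;
        int from, to, k;
        for (;;) {                      /* one or more two-letter day specifiers */
            for (k = 0; k < 9 && strncmp(spec, DAY_TOK[k], 2) != 0; k++) ;
            if (k == 9) break;
            days |= DAY_BITS[k]; spec += 2;
        }
        if (!days || strlen(spec) < 9 || spec[4] != '-') return -1;
        from = parse_hhmm(spec); to = parse_hhmm(spec + 5);
        if (from < 0 || to < 0) return -1;
        spec += 9;
        if (*spec == ',') { if (!*++spec) return -1; }  /* reject trailing comma */
        else if (*spec) return -1;                      /* spaces, junk: reject */
        if (((days >> wday) & 1) &&
            (from <= to ? (minute >= from && minute < to)
                        : (minute >= from || minute < to)))  /* wraps midnight */
            allowed = 1;
    }
    return allowed;   /* whole string is validated before any answer is given */
}

int main(void) {
    const char *spec = "MoTuWe0800-1400,Wk2200-0400";   /* sample from the README */
    printf("Thu 23:00 -> %d, Sat 23:00 -> %d\n",
           time_allowed(spec, 3, 23 * 60), time_allowed(spec, 5, 23 * 60));
    return 0;
}
```

Treating -1 as a denial keeps a typo in the users file from silently widening the allowed login window.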