author | Linus Nordberg <linus@nordberg.se> | 2015-09-17 13:15:30 +0200 |
---|---|---|
committer | Linus Nordberg <linus@nordberg.se> | 2015-09-17 13:15:30 +0200 |
commit | 627003ae120a09b0e72940eb3683132a4a0cf93f (patch) | |
tree | 92364dcd2d901fb4dee5e03072b945c393929102 |
Initial revision.
Moving from https://software.uninett.no/radsecproxy/ to https://software.nordu.net/radsecproxy/.
45 files changed, 1740 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..a8c1306
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,19 @@
+# Build static html docs suitable for being shipped in the software
+# package. This depends on ikiwiki being installed to build the docs.
+
+ifeq ($(shell which ikiwiki),)
+IKIWIKI=echo "** ikiwiki not found" >&2 ; echo ikiwiki
+else
+IKIWIKI=ikiwiki
+endif
+
+all:
+ $(IKIWIKI) `pwd` html -v --wikiname radsecproxy \
+ --plugin=goodstuff \
+ --plugin=sidebar \
+ --exclude=html \
+ --include=^doc/.*/.*\.html \
+ --exclude=Makefile
+
+clean:
+ rm -rf .ikiwiki html
diff --git a/contact.mdwn b/contact.mdwn
new file mode 100644
index 0000000..7c20f19
--- /dev/null
+++ b/contact.mdwn
@@ -0,0 +1,12 @@
+## Mailing list
+
+To get in contact with other users and the developers of the
+radsecproxy, please join the
+[mailing list](https://postlister.uninett.no/sympa/info/radsecproxy/). There
+you can also find a list archive.
+
+## Issue tracker
+
+There is an
+[issue tracker](https://project.nordu.net/browse/RADSECPROXY) where
+you can report bugs or request new features.
diff --git a/doc.mdwn b/doc.mdwn
new file mode 100644
index 0000000..0308c1f
--- /dev/null
+++ b/doc.mdwn
@@ -0,0 +1,9 @@
+[[!meta title="radsecproxy documentation"]]
+
+Below you can find documentation for the various versions of
+radsecproxy.
+
+* 1.6 [radsecproxy](1.6/radsecproxy.html),
+ [radsecproxy.conf](1.6/radsecproxy.conf.html),
+ [radsecproxy-hash](1.6/radsecproxy-hash.html)
+
diff --git a/doc/1.6/radsecproxy-hash.html b/doc/1.6/radsecproxy-hash.html
new file mode 100644
index 0000000..9bf298b
--- /dev/null
+++ b/doc/1.6/radsecproxy-hash.html
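Review bot: In the Makefile hunk, the fallback `IKIWIKI=echo "** ikiwiki not found" >&2 ; echo ikiwiki` makes `all` print the command line and exit 0 when ikiwiki is missing, so a packaging run can finish with no html output and no failing status. If that soft failure is not intended, end the fallback with a failing command, for example `IKIWIKI=echo "** ikiwiki not found" >&2 ; false`. Two smaller points: `all` and `clean` are not declared with `.PHONY: all clean`, and the unquoted pwd substitution in the recipe breaks on a checkout path containing spaces, which `"$(CURDIR)"` would avoid.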
@@ -0,0 +1,117 @@
+<!-- Creator : groff version 1.22.2 -->
+<!-- CreationDate: Thu Sep 17 10:29:24 2015 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
+</style>
+<title>radsecproxy-hash</title>
+
+</head>
+<body>
+
+<h1 align="center">radsecproxy-hash</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSIS">SYNOPSIS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#OPTIONS">OPTIONS</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">radsecproxy-hash
+- print digests of Ethernet MAC addresses</p>
+
+<h2>SYNOPSIS
+<a name="SYNOPSIS"></a>
+</h2>
+
+
+<table width="100%" border="0" rules="none" frame="void"
+ cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="61%">
+
+
+<p style="margin-top: 1em">radsecproxy-hash [−h]
+[−k key] [−t type]</p></td>
+<td width="28%">
+</td></tr>
+</table>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Print the hash
+or hmac of Ethernet MAC addresses read from standard
+input.</p>
+
+<h2>OPTIONS
+<a name="OPTIONS"></a>
+</h2>
+
+
+<table width="100%" border="0" rules="none" frame="void"
+ cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="9%">
+
+
+<p style="margin-top: 1em"><b>−h</b></p></td>
+<td width="2%"></td>
+<td width="43%">
+
+
+<p style="margin-top: 1em"><i>display help and exit</i></p></td>
+<td width="35%">
+</td></tr>
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="9%">
+
+
+<p><b>−k key</b></p></td>
+<td width="2%"></td>
+<td width="43%">
+
+
+<p><i>use KEY for HMAC calculation</i></p></td>
+<td width="35%">
+</td></tr>
+</table>
+
+<p style="margin-left:11%;"><b>−t type</b></p>
+
+<p style="margin-left:22%;"><i>print digest of type TYPE
+[hash|hmac]</i></p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">radsecproxy.conf(5)</p>
+<hr>
+</body>
+</html>
diff --git a/doc/1.6/radsecproxy.conf.html b/doc/1.6/radsecproxy.conf.html
new file mode 100644
index 0000000..1780a13
--- /dev/null
+++ b/doc/1.6/radsecproxy.conf.html
@@ -0,0 +1,886 @@ +<!-- Creator : groff version 1.22.2 --> +<!-- CreationDate: Thu Sep 17 10:29:24 2015 --> +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" +"http://www.w3.org/TR/html4/loose.dtd"> +<html> +<head> +<meta name="generator" content="groff -Thtml, see www.gnu.org"> +<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII"> +<meta name="Content-Style" content="text/css"> +<style type="text/css"> + p { margin-top: 0; margin-bottom: 0; vertical-align: top } + pre { margin-top: 0; margin-bottom: 0; vertical-align: top } + table { margin-top: 0; margin-bottom: 0; vertical-align: top } + h1 { text-align: center } +</style> +<title>radsecproxy.conf</title> + +</head> +<body> + +<h1 align="center">radsecproxy.conf</h1> + +<a href="#NAME">NAME</a><br> +<a href="#DESCRIPTION">DESCRIPTION</a><br> +<a href="#CONFIGURATION SYNTAX">CONFIGURATION SYNTAX</a><br> +<a href="#BASIC OPTIONS">BASIC OPTIONS</a><br> +<a href="#BLOCKS">BLOCKS</a><br> +<a href="#CLIENT BLOCK">CLIENT BLOCK</a><br> +<a href="#SERVER BLOCK">SERVER BLOCK</a><br> +<a href="#REALM BLOCK">REALM BLOCK</a><br> +<a href="#TLS BLOCK">TLS BLOCK</a><br> +<a href="#REWRITE BLOCK">REWRITE BLOCK</a><br> +<a href="#SEE ALSO">SEE ALSO</a><br> + +<hr> + + +<h2>NAME +<a name="NAME"></a> +</h2> + + + +<p style="margin-left:11%; margin-top: 1em">radsecproxy.conf +− Radsec proxy configuration file</p> + +<h2>DESCRIPTION +<a name="DESCRIPTION"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">When the proxy +server starts, it will first check the command line +arguments, and then read the configuration file. Normally +radsecproxy will read the configuration file +<i>/usr/local/etc/radsecproxy.conf</i>. The command line +<b>−c</b> option can be used to instead read an +alternate file (see <b>radsecproxy</b>(1) for details).</p> + +<p style="margin-left:11%; margin-top: 1em">If the +configuration file can not be found, the proxy will exit +with an error message. 
Note that there is also an include +facility so that any configuration file may include other +configuration files. The proxy will also exit on +configuration errors.</p> + +<h2>CONFIGURATION SYNTAX +<a name="CONFIGURATION SYNTAX"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">When the +configuration file is processed, whitespace (spaces and +tabs) are generally ignored. For each line, leading and +trailing whitespace are ignored. A line is ignored if it is +empty, only consists of whitespace, or if the first +non-whitespace character is a #. The configuration is +generally case insensitive, but in some cases the option +values (see below) are not.</p> + +<p style="margin-left:11%; margin-top: 1em">There are two +types of configuration structures than can be used. The +first and simplest are lines on the format <i>option +value</i>. That is, an option name, see below for a list of +valid options, followed by whitespace (at least one space or +tab character), followed by a value. Note that if the value +contains whitespace, then it must be quoted using +"" or ’’. Any whitespace in front of +the option or after the value will be ignored.</p> + +<p style="margin-left:11%; margin-top: 1em">The other type +of structure is a block. A block spans at least two lines, +and has the format:</p> + +<p style="margin-left:22%; margin-top: 1em">blocktype name +{ <br> +option value <br> +option value <br> +... <br> +}</p> + +<p style="margin-left:11%; margin-top: 1em">That is, some +blocktype, see below for a list of the different block +types, and then enclosed in braces you have zero or more +lines that each have the previously described <i>option +value</i> format. Different block types have different rules +for which options can be specified, they are listed below. +The rules regarding white space, comments and quotes are as +above. 
Hence you may do things like:</p> + +<p style="margin-left:22%; margin-top: 1em">blocktype name +{ <br> +# option value <br> +option "value with space" <br> +... <br> +}</p> + +<p style="margin-left:11%; margin-top: 1em">Option value +characters can also be written in hex. This is done by +writing the character % followed by two hexadecimal digits. +If a % is used without two following hexadecimal digits, the +% and the following characters are used as written. If you +want to write a % and not use this decoding, you may of +course write % in hex; i.e., %25.</p> + +<p style="margin-left:11%; margin-top: 1em">There is one +special option that can be used both as a basic option and +inside all blocks. That is the option Include where the +value specifies files to be included. The value can be a +single file, or it can use normal shell globbing to specify +multiple files, e.g.:</p> + +<p style="margin-left:22%;">include +/usr/local/etc/radsecproxy.conf.d/*.conf</p> + +<p style="margin-left:11%; margin-top: 1em">The files are +sorted alphabetically. Included files are read in the order +they are specified, when reaching the end of a file, the +next file is read. When reaching the end of the last +included file, the proxy returns to read the next line +following the Include option. Included files may again +include other files.</p> + +<h2>BASIC OPTIONS +<a name="BASIC OPTIONS"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">The following +basic options may be specified in the configuration file. +Note that blocktypes and options inside blocks are discussed +later. Note that none of these options are required, and +indeed in many cases they are not needed. Note that you +should specify each at most once. The behaviour with +multiple occurences is undefined. <br> +PidFile</p> + +<p style="margin-left:22%;">The PidFile option specifies +the name of a file to which the process id (PID) will be +written. This is overridden by the <b>−i</b> command +line option. 
There is no default value for the PidFile +option.</p> + +<p style="margin-left:11%;">LogLevel</p> + +<p style="margin-left:22%;">This option specifies the debug +level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only +serious errors, and 5 logs everything. The default is 2 +which logs errors, warnings and a few informational +messages. Note that the command line option <b>−d</b> +overrides this.</p> + +<p style="margin-left:11%;">LogDestination</p> + +<p style="margin-left:22%;">This specifies where the log +messages should go. By default the messages go to syslog +with facility LOG_DAEMON. Using this option you can specify +another syslog facility, or you may specify that logging +should be to a particular file, not using syslog. The value +must be either a file or syslog URL. The file URL is the +standard one, specifying a local file that should be used. +For syslog, you must use the syntax: +x−syslog:///FACILITY where FACILITY must be one of +LOG_DAEMON, LOG_MAIL, LOG_USER, LOG_LOCAL0, LOG_LOCAL1, +LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6 +or LOG_LOCAL7. You may omit the facility from the URL to +specify logging to the default facility, but this is not +very useful since this is the default log destination. Note +that this option is ignored if <b>−f</b> is specified +on the command line.</p> + +<p style="margin-left:11%;">FTicksReporting</p> + +<p style="margin-left:22%;">The FTicksReporting option is +used to enable F-Ticks logging and can be set to None, Basic +or Full. Its default value is None. If FTicksReporting is +set to anything other than None, note that the default value +for FTicksMAC is VendorKeyHashed which needs FTicksKey to be +set.</p> + +<p style="margin-left:22%; margin-top: 1em">See +radsecproxy.conf−example for details. 
Note that +radsecproxy has to be configured with F-Ticks support +(−−enable−fticks) for this option to have +any effect.</p> + +<p style="margin-left:11%;">FTicksMAC</p> + +<p style="margin-left:22%;">The FTicksMAC option can be +used to control if and how Calling-Station-Id (the users +Ethernet MAC address) is being logged. It can be set to one +of Static, Original, VendorHashed, VendorKeyHashed, +FullyHashed or FullyKeyHashed.</p> + +<p style="margin-left:22%; margin-top: 1em">The default +value for FTicksMAC is VendorKeyHashed. This means that +FTicksKey has to be set.</p> + +<p style="margin-left:22%; margin-top: 1em">Before chosing +any of Original, FullyHashed or VendorHashed, consider the +implications for user privacy when MAC addresses are +collected. How will the logs be stored, transferred and +accessed?</p> + +<p style="margin-left:22%; margin-top: 1em">See +radsecproxy.conf−example for details. Note that +radsecproxy has to be configured with F-Ticks support +(−−enable−fticks) for this option to have +any effect.</p> + +<p style="margin-left:11%;">FTicksKey</p> + +<p style="margin-left:22%;">The FTicksKey option is used to +specify the key to use when producing HMAC’s as an +effect of specifying VendorKeyHashed or FullyKeyHashed for +the FTicksMAC option.</p> + +<p style="margin-left:22%; margin-top: 1em">Note that +radsecproxy has to be configured with F-Ticks support +(−−enable−fticks) for this option to have +any effect.</p> + +<p style="margin-left:11%;">FTicksSyslogFacility</p> + +<p style="margin-left:22%;">The FTicksSyslogFacility option +is used to specify a dedicated syslog facility for F-Ticks +messages. This allows for easier filtering of F-Ticks +messages. If no FTicksSyslogFacility option is given, +F-Ticks messages are written to what the LogDestination +option specifies.</p> + +<p style="margin-left:22%; margin-top: 1em">F-Ticks +messages are always logged using the log level LOG_DEBUG. 
+Note that specifying a file in FTicksSyslogFacility (using +the file:/// prefix) is not supported.</p> + +<p style="margin-left:11%;">ListenUDP</p> + +<p style="margin-left:22%;">Normally the proxy will listen +to the standard RADIUS UDP port 1812 if configured to handle +UDP clients. On most systems it will do this for all of the +system’s IP addresses (both IPv4 and IPv6). On some +systems however, it may respond to only IPv4 or only IPv6. +To specify an alternate port you may use a value on the form +*:port where port is any valid port number. If you also want +to specify a specific address you can do e.g. +192.168.1.1:1812 or [2001:db8::1]:1812. The port may be +omitted if you want the default one (like in these +examples). These examples are equivalent to 192.168.1.1 and +2001:db8::1. Note that you must use brackets around the IPv6 +address. This option may be specified multiple times to +listen to multiple addresses and/or ports.</p> + +<p style="margin-left:11%;">ListenTCP</p> + +<p style="margin-left:22%;">This option is similar to the +ListenUDP option, except that it is used for receiving +connections from TCP clients. The default port number is +1812.</p> + +<p style="margin-left:11%;">ListenTLS</p> + +<p style="margin-left:22%;">This is similar to the +ListenUDP option, except that it is used for receiving +connections from TLS clients. The default port number is +2083. Note that this option was previously called +ListenTCP.</p> + +<p style="margin-left:11%;">ListenDTLS</p> + +<p style="margin-left:22%;">This is similar to the +ListenUDP option, except that it is used for receiving +connections from DTLS clients. The default port number is +2083.</p> + +<p style="margin-left:11%;">SourceUDP</p> + +<p style="margin-left:22%;">This can be used to specify +source address and/or source port that the proxy will use +for sending UDP client messages (e.g. 
Access Request).</p> + +<p style="margin-left:11%;">SourceTCP</p> + +<p style="margin-left:22%;">This can be used to specify +source address and/or source port that the proxy will use +for TCP connections.</p> + +<p style="margin-left:11%;">SourceTLS</p> + +<p style="margin-left:22%;">This can be used to specify +source address and/or source port that the proxy will use +for TLS connections.</p> + +<p style="margin-left:11%;">SourceDTLS</p> + +<p style="margin-left:22%;">This can be used to specify +source address and/or source port that the proxy will use +for DTLS connections.</p> + +<p style="margin-left:11%;">TTLAttribute</p> + +<p style="margin-left:22%;">This can be used to change the +default TTL attribute. Only change this if you know what you +are doing. The syntax is either a numerical value denoting +the TTL attribute, or two numerical values separated by +column specifying a vendor attribute, i.e. +vendorid:attribute.</p> + +<table width="100%" border="0" rules="none" frame="void" + cellspacing="0" cellpadding="0"> +<tr valign="top" align="left"> +<td width="11%"></td> +<td width="9%"> + + +<p>AddTTL</p></td> +<td width="2%"></td> +<td width="78%"> + + +<p>If a TTL attribute is present, the proxy will decrement +the value and discard the message if zero. Normally the +proxy does nothing if no TTL attribute is present. If you +use the AddTTL option with a value 1-255, the proxy will +when forwarding a message with no TTL attribute, add one +with the specified value. Note that this option can also be +specified for a client/server. It will then override this +setting when forwarding a message to that client/server.</p></td></tr> +</table> + +<p style="margin-left:11%;">LoopPrevention</p> + +<p style="margin-left:22%;">This can be set to on or off +with off being the default. When this is enabled, a request +will never be sent to a server named the same as the client +it was received from. 
I.e., the names of the client block +and the server block are compared. Note that this only gives +limited protection against loops. It can be used as a basic +option and inside server blocks where it overrides the basic +setting.</p> + +<p style="margin-left:11%;">IPv4Only and IPv6Only</p> + +<p style="margin-left:22%;">These can be set to on or off +with off being the default. At most one of IPv4Only and +IPv6Only can be enabled. Enabling IPv4Only or IPv6Only makes +radsecproxy resolve DNS names to the corresponding address +family only, and not the other. This is done for both +clients and servers. Note that this can be overridden in +client and server blocks, see below.</p> + +<p style="margin-left:11%;">Include</p> + +<p style="margin-left:22%;">This is not a normal +configuration option; it can be specified multiple times. It +can both be used as a basic option and inside blocks. For +the full description, see the configuration syntax section +above.</p> + +<h2>BLOCKS +<a name="BLOCKS"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">There are five +types of blocks, they are client, server, realm, tls and +rewrite. At least one instance of each of client and realm +is required. This is necessary for the proxy to do anything +useful, and it will exit if not. The tls block is required +if at least one TLS/DTLS client or server is configured. +Note that there can be multiple blocks for each type. For +each type, the block names should be unique. The behaviour +with multiple occurences of the same name for the same block +type is undefined. Also note that some block option values +may reference a block by name, in which case the block name +must be previously defined. Hence the order of the blocks +may be significant.</p> + +<h2>CLIENT BLOCK +<a name="CLIENT BLOCK"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">The client +block is used to configure a client. 
That is, tell the proxy +about a client, and what parameters should be used for that +client. The name of the client block must (with one +exception, see below) be either the IP address (IPv4 or +IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form +IpAddress/PrefixLength, or a domain name (FQDN). The way an +FQDN is resolved into an IP address may be influenced by the +use of the IPv4Only and IPv6Only options. Note that literal +IPv6 addresses must be enclosed in brackets.</p> + +<p style="margin-left:11%; margin-top: 1em">If a domain +name is specified, then this will be resolved immediately to +all the addresses associated with the name, and the proxy +will not care about any possible DNS changes that might +occur later. Hence there is no dependency on DNS after +startup.</p> + +<p style="margin-left:11%; margin-top: 1em">When some +client later sends a request to the proxy, the proxy will +look at the IP address the request comes from, and then go +through all the addresses of each of the configured clients +(in the order they are defined), to determine which (if any) +of the clients this is.</p> + +<p style="margin-left:11%; margin-top: 1em">In the case of +TLS/DTLS, the name of the client must match the FQDN or IP +address in the client certificate. Note that this is not +required when the client name is an IP prefix.</p> + +<p style="margin-left:11%; margin-top: 1em">Alternatively +one may use the host option inside a client block. In that +case, the value of the host option is used as above, while +the name of the block is only used as a descriptive name for +the administrator. 
The host option may be used multiple +times, and can be a mix of addresses, FQDNs and +prefixes.</p> + +<p style="margin-left:11%; margin-top: 1em">The allowed +options in a client block are host, IPv4Only, IPv6Only, +type, secret, tls, certificateNameCheck, +matchCertificateAttribute, duplicateInterval, AddTTL, +fticksVISCOUNTRY, fticksVISINST, rewrite, rewriteIn, +rewriteOut, and rewriteAttribute. We already discussed the +host option. To specify how radsecproxy should resolve a +host given as a DNS name, the IPv4Only or the IPv6Only can +be set to on. At most one of these options can be enabled. +Enabling IPv4Only or IPv6Only here overrides any basic +settings set at the top level. The value of type must be one +of udp, tcp, tls or dtls. The value of secret is the shared +RADIUS key used with this client. If the secret contains +whitespace, the value must be quoted. This option is +optional for TLS/DTLS and if omitted will default to +"radsec". (Note that using a secret other than +"radsec" for TLS is a violation of the standard +(RFC 6614) and that the proposed standard for DTLS +stipulates that the secret must be +"radius/dtls".)</p> + +<p style="margin-left:11%; margin-top: 1em">For a TLS/DTLS +client you may also specify the tls option. The option value +must be the name of a previously defined TLS block. If this +option is not specified, the TLS block with the name +defaultClient will be used if defined. If not defined, it +will try to use the TLS block named default. If the +specified TLS block name does not exist, or the option is +not specified and none of the defaults exist, the proxy will +exit with an error. NOTE: All versions of radsecproxy up to +and including 1.6 erroneously verify client certificate +chains using the CA in the very first matching client block +regardless of which block is used for the final decision. 
+This was changed in version 1.6.1 so that a client block +with a different tls option than the first matching client +block is no longer considered for verification of +clients.</p> + +<p style="margin-left:11%; margin-top: 1em">For a TLS/DTLS +client, the option certificateNameCheck can be set to off, +to disable the default behaviour of matching CN or +SubjectAltName against the specified hostname or IP +address.</p> + +<p style="margin-left:11%; margin-top: 1em">Additional +validation of certificate attributes can be done by use of +the matchCertificateAttribute option. Currently one can only +do some matching of CN and SubjectAltName. For regexp +matching on CN, one can use the value CN:/regexp/. For +SubjectAltName one can only do regexp matching of the URI, +this is specified as SubjectAltName:URI:/regexp/. Note that +currently this option can only be specified once in a client +block.</p> + +<p style="margin-left:11%; margin-top: 1em">The +duplicateInterval option can be used to specify for how many +seconds duplicate checking should be done. If a proxy +receives a new request within a few seconds of a previous +one, it may be treated the same if from the same client, +with the same authenticator etc. The proxy will then ignore +the new request (if it is still processing the previous +one), or returned a copy of the previous reply.</p> + +<p style="margin-left:11%; margin-top: 1em">The AddTTL +option is similar to the AddTTL option used in the basic +config. See that for details. 
Any value configured here +overrides the basic one when sending messages to this +client.</p> + +<p style="margin-left:11%; margin-top: 1em">The +fticksVISCOUNTRY option configures clients eligible to +F-Ticks logging as defined by the FTicksReporting basic +option.</p> + +<p style="margin-left:11%; margin-top: 1em">The +fticksVISINST option overwrites the default VISINST value +taken from the client block name.</p> + +<p style="margin-left:11%; margin-top: 1em">The rewrite +option is deprecated. Use rewriteIn instead.</p> + +<p style="margin-left:11%; margin-top: 1em">The rewriteIn +option can be used to refer to a rewrite block that +specifies certain rewrite operations that should be +performed on incoming messages from the client. The +rewriting is done before other processing. For details, see +the rewrite block text below. Similarly to tls discussed +above, if this option is not used, there is a fallback to +using the rewrite block named defaultClient if it exists; +and if not, a fallback to a block named default.</p> + +<p style="margin-left:11%; margin-top: 1em">The rewriteOut +option is used in the same way as rewriteIn, except that it +specifies rewrite operations that should be performed on +outgoing messages to the client. The rewriting is done after +other processing. Also, there is no rewrite fallback if this +option is not used.</p> + +<p style="margin-left:11%; margin-top: 1em">The +rewriteAttribute option currently makes it possible to +specify that the User-Name attribute in a client request +shall be rewritten in the request sent by the proxy. The +User-Name attribute is written back to the original value if +a matching response is later sent back to the client. The +value must be on the form +User-Name:/regexpmatch/replacement/. 
Example usage:</p> + +<p style="margin-left:22%;">rewriteAttribute +User-Name:/^(.*)@local$/\1@example.com/</p> + +<h2>SERVER BLOCK +<a name="SERVER BLOCK"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">The server +block is used to configure a server. That is, tell the proxy +about a server, and what parameters should be used when +communicating with that server. The name of the server block +must (with one exception, see below) be either the IP +address (IPv4 or IPv6) of the server, or a domain name +(FQDN). If a domain name is specified, then this will be +resolved immediately to all the addresses associated with +the name, and the proxy will not care about any possible DNS +changes that might occur later. Hence there is no dependency +on DNS after startup. If the domain name resolves to +multiple addresses, then for UDP/DTLS the first address is +used. For TCP/TLS, the proxy will loop through the addresses +until it can connect to one of them. The way an FQDN is +resolved into an IP address may be influenced by the use of +the IPv4Only and IPv6Only options. In the case of TLS/DTLS, +the name of the server must match the FQDN or IP address in +the server certificate.</p> + +<p style="margin-left:11%; margin-top: 1em">Alternatively +one may use the host option inside a server block. In that +case, the value of the host option is used as above, while +the name of the block is only used as a descriptive name for +the administrator. Note that multiple host options may be +used. This will then be treated as multiple names/addresses +for the same server. When initiating a TCP/TLS connection, +all addresses of all names may be attempted, but there is no +failover between the different host values. For failover one +must use separate server blocks.</p> + +<p style="margin-left:11%; margin-top: 1em">Note that the +name of the block, or values of host options may include a +port number (separated with a column). 
This port number will +then override the default port or a port option in the +server block. Also note that literal IPv6 addresses must be +enclosed in brackets.</p> + +<p style="margin-left:11%; margin-top: 1em">The allowed +options in a server block are host, port, IPv4Only, +IPv6Only, type, secret, tls, certificateNameCheck, +matchCertificateAttribute, AddTTL, rewrite, rewriteIn, +rewriteOut, statusServer, retryCount, dynamicLookupCommand +and retryInterval and LoopPrevention.</p> + +<p style="margin-left:11%; margin-top: 1em">We already +discussed the host option. To specify how radsecproxy should +resolve a host given as a DNS name, the IPv4Only or the +IPv6Only can be set to on. At most one of these options can +be enabled. Enabling IPv4Only or IPv6Only here overrides any +basic settings set at the top level. The port option allows +you to specify which port number the server uses. The usage +of type, secret, tls, certificateNameCheck, +matchCertificateAttribute, AddTTL, rewrite, rewriteIn and +rewriteOut are just as specified for the client block above, +except that defaultServer (and not defaultClient) is the +fallback for the tls, rewrite and rewriteIn options.</p> + +<p style="margin-left:11%; margin-top: 1em">statusServer +can be specified to enable the use of status-server messages +for this server. The value must be either on or off. The +default when not specified, is off. If statusserver is +enabled, the proxy will during idle periods send regular +status-server messages to the server to verify that it is +alive. This should only be enabled if the server supports +it.</p> + +<p style="margin-left:11%; margin-top: 1em">The options +retryCount and retryInterval can be used to specify how many +times the proxy should retry sending a request and how long +it should wait between each retry. 
The defaults are 2 +retries and an interval of 5s.</p> + +<p style="margin-left:11%; margin-top: 1em">The option +dynamicLookupCommand can be used to specify a command that +should be executed to dynamically configure a server. The +executable file should be given with full path and will be +invoked with the name of the realm as its first and only +argument. It should either print a valid server option on +stdout and exit with a code of 0 or print nothing and exit +with a non-zero exit code. An example of a shell script +resolving the DNS NAPTR records for the realm and then the +SRV records for each NAPTR matching +’x-eduroam:radius.tls’ is provided in +tools/naptr−eduroam.sh. This option was added in +radsecproxy-1.3 but tends to crash radsecproxy versions +earlier than 1.6.</p> + +<p style="margin-left:11%; margin-top: 1em">Using the +LoopPrevention option here overrides any basic setting of +this option. See section BASIC OPTIONS for details on this +option.</p> + +<h2>REALM BLOCK +<a name="REALM BLOCK"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">When the proxy +receives an Access-Request it needs to figure out to which +server it should be forwarded. This is done by looking at +the Username attribute in the request, and matching that +against the names of the defined realm blocks. The proxy +will match against the blocks in the order they are +specified, using the first match if any. If no realm +matches, the proxy will simply ignore the request. Each +realm block specifies what the server should do when a match +is found. A realm block may contain none, one or multiple +server options, and similarly accountingServer options. +There are also replyMessage and accountingResponse options. 
+We will discuss these later.</p> + +<p style="margin-left:11%; margin-top: 1em"><b>REALM BLOCK +NAMES AND MATCHING</b> <br> +In the general case the proxy will look for a @ in the +username attribute, and try to do an exact case insensitive +match between what comes after the @ and the name of the +realm block. So if you get a request with the attribute +value anonymous@example.com, the proxy will go through the +realm names in the order they are specified, looking for a +realm block named example.com.</p> + +<p style="margin-left:11%; margin-top: 1em">There are two +exceptions to this, one is the realm name * which means +match everything. Hence if you have a realm block named *, +then it will always match. This should then be the last +realm block defined, since any blocks after this would never +be checked. This is useful for having a default.</p> + +<p style="margin-left:11%; margin-top: 1em">The other +exception is regular expression matching. If the realm name +starts with a /, the name is treated as an regular +expression. A case insensitive regexp match will then be +done using this regexp on the value of the entire Username +attribute. Optionally you may also have a trailing / after +the regexp. So as an example, if you want to use regexp +matching the domain example.com you could have a realm block +named /@example\\.com$. Optinally this can also be written +/@example\\.com$/. If you want to match all domains under +the .com top domain, you could do /@.*\\.com$. Note that +since the matching is done on the entire attribute value, +you can also use rules like /^[a−k].*@example\\.com$/ +to get some of the users in this domain to use one server, +while other users could be matched by another realm block +and use another server.</p> + +<p style="margin-left:11%; margin-top: 1em"><b>REALM BLOCK +OPTIONS</b> <br> +A realm block may contain none, one or multiple server +options. 
If defined, the values of the server options must +be the names of previously defined server blocks. Normally +requests will be forwarded to the first server option +defined. If there are multiple server options, the proxy +will do fail-over and use the second server if the first is +down. If the two first are down, it will try the third etc. +If say the first server comes back up, it will go back to +using that one. Currently detection of servers being up or +down is based on the use of StatusServer (if enabled), and +that TCP/TLS/DTLS connections are up.</p> + +<p style="margin-left:11%; margin-top: 1em">A realm block +may also contain none, one or multiple accountingServer +options. This is used exactly like the server option, except +that it is used for specifying where to send matching +accounting requests. The values must be the names of +previously defined server blocks. When multiple accounting +servers are defined, there is a failover mechanism similar +to the one for the server option.</p> + +<p style="margin-left:11%; margin-top: 1em">If there is no +server option, the proxy will if replyMessage is specified, +reply back to the client with an Access Reject message. The +message contains a replyMessage attribute with the value as +specified by the replyMessage option. Note that this is +different from having no match since then the request is +simply ignored. You may wonder why this is useful. One +example is if you handle say all domains under say .bv. Then +you may have several realm blocks matching the domains that +exists, while for other domains under .bv you want to send a +reject. At the same time you might want to send all other +requests to some default server. After the realms for the +subdomains, you would then have two realm definitions. One +with the name /@.*\\.bv$ with no servers, followed by one +with the name * with the default server defined. 
This may +also be useful for blocking particular usernames.</p> + +<p style="margin-left:11%; margin-top: 1em">If there is no +accountingServer option, the proxy will normally do nothing, +ignoring accounting requests. There is however an option +called accountingResponse. If this is set to on, the proxy +will log some of the accounting information and send an +Accounting-Response back. This is useful if you do not care +much about accounting, but want to stop clients from +retransmitting accounting requests. By default this option +is set to off.</p> + +<h2>TLS BLOCK +<a name="TLS BLOCK"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">The TLS block +specifies TLS configuration options and you need at least +one of these if you have clients or servers using TLS/DTLS. +As discussed in the client and server block descriptions, a +client or server block may reference a particular TLS block +by name. There are also however the special TLS block names +default, defaultClient and defaultServer which are used as +defaults if the client or server block does not reference a +TLS block. Also note that a TLS block must be defined before +the client or server block that would use it. If you want +the same TLS configuration for all TLS/DTLS clients and +servers, you need just a single tls block named default, and +the client and servers need not refer to it. If you want all +TLS/DTLS clients to use one config, and all TLS/DTLS servers +to use another, then you would be fine only defining two TLS +blocks named defaultClient and defaultServer. If you want +different clients (or different servers) to have different +TLS parameters, then you may need to create other TLS blocks +with other names, and reference those from the client or +server definitions. 
Note that you could also have say a +client block refer to a default, even defaultServer if you +really want to.</p> + +<p style="margin-left:11%; margin-top: 1em">The available +TLS block options are CACertificateFile, CACertificatePath, +certificateFile, certificateKeyFile, certificateKeyPassword, +cacheExpiry, CRLCheck and policyOID. When doing RADIUS over +TLS/DTLS, both the client and the server present +certificates, and they are both verified by the peer. Hence +you must always specify certificateFile and +certificateKeyFile options, as well as +certificateKeyPassword if a password is needed to decrypt +the private key. Note that CACertificateFile may be a +certificate chain. In order to verify certificates, or send +a chain of certificates to a peer, you also always need to +specify CACertificateFile or CACertificatePath. Note that +you may specify both, in which case the certificates in +CACertificateFile are checked first. By default CRLs are not +checked. This can be changed by setting CRLCheck to on. One +can require peer certificates to adhere to certain policies +by specifying one or multiple policyOIDs using one or +multiple policyOID options.</p> + +<p style="margin-left:11%; margin-top: 1em">CA certificates +and CRLs are normally cached permanently. That is, once a CA +or CRL has been read, the proxy will never attempt to +re-read it. CRLs may change relatively often and the proxy +should ideally always use the latest CRLs. Rather than +restarting the proxy, there is an option cacheExpiry that +specifies how many seconds the CA and CRL information should +be cached. Reasonable values might be say 3600 (1 hour) or +86400 (24 hours), depending on how frequently CRLs are +updated and how critical it is to be up to date. This option +may be set to zero to disable caching.</p> + +<h2>REWRITE BLOCK +<a name="REWRITE BLOCK"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">The rewrite +block specifies rules that may rewrite RADIUS messages. 
It +can be used to add, remove and modify specific attributes +from messages received from and sent to clients and servers. +As discussed in the client and server block descriptions, a +client or server block may reference a particular rewrite +block by name. There are however also the special rewrite +block names default, defaultClient and defaultServer which +are used as defaults if the client or server block does not +reference a block. Also note that a rewrite block must be +defined before the client or server block that would use it. +If you want the same rewrite rules for input from all +clients and servers, you need just a single rewrite block +named default, and the client and servers need not refer to +it. If you want all clients to use one config, and all +servers to use another, then you would be fine only defining +two rewrite blocks named defaultClient and defaultServer. +Note that these defaults are only used for rewrite on input. +No rewriting is done on output unless explicitly specified +using the rewriteOut option.</p> + +<p style="margin-left:11%; margin-top: 1em">The available +rewrite block options are addAttribute, addVendorAttribute, +removeAttribute, removeVendorAttribute and modifyAttribute. +They can all be specified none, one or multiple times.</p> + +<p style="margin-left:11%; margin-top: 1em">addAttribute is +used to add attributes to a message. The option value must +be on the form attribute:value where attribute is a +numerical value specifying the attribute. Simliarly, the +addVendorAttribute is used to specify a vendor attribute to +be added. The option value must be on the form +vendor:subattribute:value, where vendor and subattribute are +numerical values.</p> + +<p style="margin-left:11%; margin-top: 1em">The +removeAttribute option is used to specify an attribute that +should be removed from received messages. The option value +must be a numerical value specifying which attribute is to +be removed. 
Similarly, removeVendorAttribute is used to +specify a vendor attribute that is to be removed. The value +can be a numerical value for removing all attributes from a +given vendor, or on the form vendor:subattribute, where +vendor and subattribute are numerical values, for removing a +specific subattribute for a specific vendor.</p> + + +<p style="margin-left:11%; margin-top: 1em">modifyAttribute +is used to specify modification of attributes. The value +must be on the form attribute:/regexpmatch/replacement/ +where attribute is a numerical attribute type, regexpmatch +is regexp matching rule and replacement specifies how to +replace the matching regexp. Example usage:</p> + +<p style="margin-left:22%;">modifyAttribute +1:/^(.*)@local$/\1@example.com/</p> + +<h2>SEE ALSO +<a name="SEE ALSO"></a> +</h2> + + + +<p style="margin-left:11%; margin-top: 1em"><b>radsecproxy</b>(1), +<br> +Transport Layer Security (TLS) Encryption for RADIUS ⟨ +https://tools.ietf.org/html/rfc6614⟩</p> +<hr> +</body> +</html> diff --git a/doc/1.6/radsecproxy.html b/doc/1.6/radsecproxy.html new file mode 100644 index 0000000..ee3140f --- /dev/null +++ b/doc/1.6/radsecproxy.html 
@@ -0,0 +1,251 @@ +<!-- Creator : groff version 1.22.2 --> +<!-- CreationDate: Thu Sep 17 10:29:23 2015 --> +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" +"http://www.w3.org/TR/html4/loose.dtd"> +<html> +<head> +<meta name="generator" content="groff -Thtml, see www.gnu.org"> +<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII"> +<meta name="Content-Style" content="text/css"> +<style type="text/css"> + p { margin-top: 0; margin-bottom: 0; vertical-align: top } + pre { margin-top: 0; margin-bottom: 0; vertical-align: top } + table { margin-top: 0; margin-bottom: 0; vertical-align: top } + h1 { text-align: center } +</style> +<title>radsecproxy</title> + +</head> +<body> + +<h1 align="center">radsecproxy</h1> + +<a href="#NAME">NAME</a><br> +<a href="#SYNOPSIS">SYNOPSIS</a><br> +<a href="#DESCRIPTION">DESCRIPTION</a><br> +<a href="#OPTIONS">OPTIONS</a><br> +<a href="#SIGNALS">SIGNALS</a><br> +<a href="#FILES">FILES</a><br> +<a href="#SEE ALSO">SEE ALSO</a><br> + +<hr> + + +<h2>NAME +<a name="NAME"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">radsecproxy - a +generic RADIUS proxy that provides both RADIUS UDP and +TCP/TLS (RadSec) transport.</p> + +<h2>SYNOPSIS +<a name="SYNOPSIS"></a> +</h2> + + +<table width="100%" border="0" rules="none" frame="void" + cellspacing="0" cellpadding="0"> +<tr valign="top" align="left"> +<td width="11%"></td> +<td width="89%"> + + +<p style="margin-top: 1em">radsecproxy [−c +configfile] [−d debuglevel] [−f] [−i +pidfile] [−p] [−v]</p></td></tr> +</table> + +<h2>DESCRIPTION +<a name="DESCRIPTION"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">radsecproxy is +a <b>generic RADIUS proxy</b> that in addition to to usual +<b>RADIUS UDP</b> transport, also supports <b>TLS +(RadSec)</b>. The aim is for the proxy to have sufficient +features to be flexible, while at the same time to be small, +efficient and easy to configure. 
Currently the executable on +Linux is only about <i>48 KB</i>, and it uses about <i>64 +KB</i> (depending on the number of peers) while running.</p> + +<p style="margin-left:11%; margin-top: 1em">The proxy was +initially made to be able to deploy <b>RadSec</b> (RADIUS +over TLS) so that all RADIUS communication across network +links could be done using TLS, without modifying existing +RADIUS software. This can be done by running this proxy on +the same host as an existing RADIUS server or client, and +configure the existing client/server to talk to localhost +(the proxy) rather than other clients and servers +directly.</p> + +<p style="margin-left:11%; margin-top: 1em">There are +however other situations where a RADIUS proxy might be +useful. Some people deploy RADIUS topologies where they want +to route RADIUS messages to the right server. The nodes that +do purely routing could be using a proxy. Some people may +also wish to deploy a proxy on a site boundary. Since the +proxy <b>supports both IPv4 and IPv6</b>, it could also be +used to allow communication in cases where some RADIUS nodes +use only IPv4 and some only IPv6.</p> + +<h2>OPTIONS +<a name="OPTIONS"></a> +</h2> + + +<table width="100%" border="0" rules="none" frame="void" + cellspacing="0" cellpadding="0"> +<tr valign="top" align="left"> +<td width="11%"></td> +<td width="3%"> + + +<p style="margin-top: 1em"><b>−f</b></p></td> +<td width="8%"></td> +<td width="26%"> + + +<p style="margin-top: 1em"><i>Run in foreground</i></p></td> +<td width="52%"> +</td></tr> +</table> + +<p style="margin-left:22%; margin-top: 1em">By specifying +this option, the proxy will run in foreground mode. That is, +it won’t detach. Also all logging will be done to +stderr.</p> + +<p style="margin-left:11%;"><b>−d <debug +level></b></p> + +<p style="margin-left:22%; margin-top: 1em"><i>Debug +level</i></p> + +<p style="margin-left:22%; margin-top: 1em">This specifies +the debug level. 
It must be set to 1, 2, 3, 4 or 5, where 1 +logs only serious errors, and 5 logs everything. The default +is 2 which logs errors, warnings and a few informational +messages.</p> + +<table width="100%" border="0" rules="none" frame="void" + cellspacing="0" cellpadding="0"> +<tr valign="top" align="left"> +<td width="11%"></td> +<td width="3%"> + + +<p><b>−p</b></p></td> +<td width="8%"></td> +<td width="10%"> + + +<p><i>Pretend</i></p></td> +<td width="68%"> +</td></tr> +</table> + +<p style="margin-left:22%; margin-top: 1em">The proxy reads +configuration files and performs initialisation as usual, +but exits prior to creating any sockets. It will return +different exit codes depending on whether the configuration +files are okay. This may be used to verify configuration +files, and can be done while another instance is +running.</p> + +<table width="100%" border="0" rules="none" frame="void" + cellspacing="0" cellpadding="0"> +<tr valign="top" align="left"> +<td width="11%"></td> +<td width="3%"> + + +<p style="margin-top: 1em"><b>−v</b></p></td> +<td width="8%"></td> +<td width="20%"> + + +<p style="margin-top: 1em"><i>Print version</i></p></td> +<td width="58%"> +</td></tr> +</table> + +<p style="margin-left:22%; margin-top: 1em">When this +option is specified, the proxy will simply print version +information and exit.</p> + +<p style="margin-left:11%;"><b>−c <config file +path></b></p> + +<p style="margin-left:22%; margin-top: 1em"><i>Config file +path</i></p> + +<p style="margin-left:22%; margin-top: 1em">This option +allows you to specify which config file to use. 
This is +useful if you want to use a config file that is not in any +of the default locations.</p> + +<p style="margin-left:11%;"><b>−i <pid file +path></b></p> + +<p style="margin-left:22%; margin-top: 1em"><i>PID file +path</i></p> + +<p style="margin-left:22%; margin-top: 1em">This option +tells the proxy to create a PID file with the specified +path.</p> + +<h2>SIGNALS +<a name="SIGNALS"></a> +</h2> + + +<p style="margin-left:11%; margin-top: 1em">The proxy +generally exits on all signals. The exceptions are listed +below.</p> + +<table width="100%" border="0" rules="none" frame="void" + cellspacing="0" cellpadding="0"> +<tr valign="top" align="left"> +<td width="11%"></td> +<td width="9%"> + + +<p><b>SIGHUP</b></p></td> +<td width="2%"></td> +<td width="78%"> + + +<p>When logging to a file, this signal forces a reopen of +the log file.</p></td></tr> +</table> + +<p style="margin-left:11%;"><b>SIGPIPE</b></p> + +<p style="margin-left:22%; margin-top: 1em">This signal is +ignored.</p> + +<h2>FILES +<a name="FILES"></a> +</h2> + + + +<p style="margin-left:11%; margin-top: 1em"><b>/etc/radsecproxy.conf</b></p> + +<p style="margin-left:22%; margin-top: 1em">The default +configuration file.</p> + +<h2>SEE ALSO +<a name="SEE ALSO"></a> +</h2> + + + +<p style="margin-left:11%; margin-top: 1em">radsecproxy.conf(5), +radsecproxy-hash(1)</p> +<hr> +</body> +</html> diff --git a/download.mdwn b/download.mdwn new file mode 100644 index 0000000..c1192d2 --- /dev/null +++ b/download.mdwn 
@@ -0,0 +1,215 @@
+## Verifying
+
+SHA256 checksums can be found in [[sha256.txt]].
+
+PGP signatures can be found below.
+
+## Releases
+
+* [1.6.6](radsecproxy-1.6.6.tar.xz)
+ ([PGP sig](radsecproxy-1.6.6.tar.xz.asc)) from January 19th, 2015
+
+ This is the latest release. It fixes
+ [RADSECPROXY-59](https://project.nordu.net/browse/RADSECPROXY-59)
+ (use rewriteIn correctly), and
+ [RADSECPROXY-58](https://project.nordu.net/browse/RADSECPROXY-58)
+ (handle CHAP when there is no CHAP-Challenge), as well as a number
+ of security fixes (two use-after-free, one null-pointer dereference,
+ and three heap overflows). </dd>
+
+
+* [1.6.5](radsecproxy-1.6.5.tar.gz)
+ ([PGP sig](radsecproxy-1.6.5.tar.gz.asc)) from September 6th, 2013
+
+ Fixes a crash bug introduced in 1.6.4. Fixes
+ [RADSECPROXY-53](https://project.nordu.net/browse/RADSECPROXY-53),
+ bugfix on 1.6.4.
+
+* 1.6.4 ([PGP sig](radsecproxy-1.6.4.tar.gz.asc)) from September 5th,
+ 2013
+
+ Fixes a bug with not keeping Proxy-State attributes in all replies
+ [RADSECPROXY-52](https://project.nordu.net/browse/RADSECPROXY-52).
+
+* [1.6.3](radsecproxy-1.6.3.tar.gz)
+ ([PGP sig](radsecproxy-1.6.3.tar.gz.asc)) from September 5th, 2013
+
+ Fixes bugs vital for dynamic discovery, see ChangeLog for details.
+
+* [1.6.2](radsecproxy-1.6.2.tar.gz)
+ ([PGP sig](radsecproxy-1.6.2.tar.gz.asc)) from October 25th, 2012
+
+ Fixes bug regarding certificate authentication for DTLS
+ [RADSECPROXY-43](https://project.nordu.net/browse/RADSECPROXY-43),
+ CVE-2012-4566).
+
+* [1.6.1](radsecproxy-1.6.1.tar.gz)
+ ([PGP sig](radsecproxy-1.6.1.tar.gz.asc)) from September 14th, 2012
+
+ Fixes a bug regarding certificate authentication
+ [RADSECPROXY-43](https://project.nordu.net/browse/RADSECPROXY-43),
+ CVE-2012-4523)
+
+* [1.6](radsecproxy-1.6.tar.gz)
+ ([PGP sig](radsecproxy-1.6.tar.gz.asc)) from April 28th, 2012
+
+ Improved support for F-Ticks logging and new option for pidfile.
+
+ **Incompatible change**: The default shared secret for TLS and DTLS
+ connections change from "mysecret" to "radsec" as per
+ draft-ietf-radext-radsec-12 section 2.3 (4). Please make sure to
+ specify a secret in both client and server blocks to avoid
+ unwanted surprises.
+
+ The default place to look for a configuration file has changed from
+ /etc to /usr/local/etc, let radsecproxy know where your
+ configuration file can be found by using the `-c' command line
+ option, or configure radsecproxy on with --sysconfdir=/etc when
+ building to restore old behaviour.
+
+ For other changes, see Changelog inside the archive.
+
+* [1.5](radsecproxy-1.5.tar.gz)
+ ([PGP sig](radsecproxy-1.5.tar.gz.asc)) from October 8th, 2011
+
+ Introduces support for F-Ticks logging. For other changes, see
+ Changelog inside the archive.
+
+## Older releases
+
+* [1.4.3](radsecproxy-1.4.3.tar.gz)
+ ([PGP sig](radsecproxy-1.4.3.tar.gz.asc)) from July 22nd, 2011
+
+ Fixed a debug printout issue.
+
+* [1.4.2](radsecproxy-1.4.2.tar.gz)
+ ([PGP sig](radsecproxy-1.4.2.tar.gz.asc)) from November 23rd, 2010
+
+ Mostly a security update due to a certain vulnerability in how
+ caching was handled in OpenSSL prior to 0.9.8p and 1.0.0b. If your
+ OpenSSL is older than those, you should use this one or newer.
+
+* 1.4.1 from November 18th, 2010
+
+ This release contained some debug code that caused crashes, and is
+ hence removed.
+
+* [1.4](radsecproxy-1.4.tar.gz) from June 12th, 2010
+
+ The major changes are support for LoopPrevention per server, added
+ AddVendorAttribute rewrite configuration, new log level DBG_NOTICE,
+ fixed UDP fragmentation issue, fixed build issues on Solaris and
+ fixed bug regarding long passwords.
+
+* [1.3.1](radsecproxy-1.3.1.tar.gz) from July 22nd, 2009
+
+ Last release of 1.3. The main change is an important fix for
+ multiple UDP servers with the same IP address, which solves
+ accounting problems experienced by many. Thanks alot to Simon
+ Leinen for submitting the patch for this. Default log level is 2,
+ while it was 3 previously. also, some log messages have changed log
+ levels. you should be fine using this in production, although 1.2
+ may be safer (as it has been through more testing) if you don't need
+ the new features.
+
+* [1.2](radsecproxy-1.2.tar.gz) from October 7th, 2008
+
+ Perhaps the most stable "old" release so far. If you do not need
+ the new features in 1.3+, then this may be the best option. Some
+ issues with earlier releases are fixed and there are also a number
+ of new useful features like more message rewrite options and
+ regularly refreshing CRLs.
+
+
+* [1.3-beta](radsecproxy-1.3-beta.tar.gz) from February 18th, 2009
+
+ This is only a beta release and needs more testing to be as mature as
+ 1.2, so be careful about using this in production. But if you can,
+ please help test this release to speed its way towards the 1.3
+ release. The only new feature since the alpha release is that client
+ and server blocks can contain multiple host options. There have also
+ been some minor bug fixes, and it is now possible when compiling to
+ select which transports to support.
+
+* [1.3-alpha](radsecproxy-1.3-alpha.tar.gz) from December 4th, 2008
+
+ Many new features were introduced in 1.3. The major ones are TCP and
+ DTLS transport, and dynamic server discovery. Other minor features
+ are TTL (hopcount) support for RADIUS messages and PolicyOID for
+ checking certificate policies.
+
+* [1.1](radsecproxy-1.1.tar.gz) from July 24th, 2008
+
+ This release has proven to be fairly stable, but an upgrade to 1.2
+ is recommended. Some issues with earlier releases are fixed and
+ there are also a number of new useful features like failover when
+ not using Status-Server, limited loop prevention and CRL
+ checking. This is also the first version where accounting works
+ properly.
+
+* [1.1-beta](radsecproxy-1.1-beta.tar.gz) from May 14th, 2008
+
+ The main new features since 1.1-alpha were attribute filtering,
+ accounting support and improved certificate matching.
+
+* [1.1-alpha](radsecproxy-1.1-alpha.tar.gz) from December 24th, 2007
+
+ There are some known problems with this release, so you should be
+ using the most recent 1.1 release instead. The new features were in
+ short: pretend option for validating configuration; include option
+ for including additional config files; clients can be configured by
+ IP prefix, allowing dynamic clients; server failover support; source
+ address and port can be specified for requests; and finally optional
+ rewriting of the username attribute.
+
+* [1.0p1](radsecproxy-1.0p1.tar.gz) from October 16th, 2007
+
+ Since 1.0 a bug was fixed where the proxy was likely to crash if any
+ servers were configured after the first realm block. Since the
+ alpha release the certificate validation was improved and some minor
+ bugs have been fixed.
+
+* [1.0](radsecproxy-1.0.tar.gz) from September 21st, 2007
+
+* [1.0-alpha-p1](radsecproxy-1.0-alpha-p1.tar.gz) from June 13th, 2007
+
+* [1.0-alpha](radsecproxy-1.0-alpha.tar.gz) from June 5th, 2007
+
+## Access via git
+
+The developer tree of radsecproxy is available as a
+[tar archive](https://git.nordu.net/?p=radsecproxy.git;a=snapshot;h=HEAD;sf=tgz)
+or you use git. To checkout the current version of the tree, enter
+the following command:
+
+ git clone https://git.nordu.net/radsecproxy.git
+
+If you want to contribute code, you need to get in
+[contact with the developers](?page=contact).
+
+Note that there is also a
+[web interface](http://git.nordu.net/?p=radsecproxy.git;a=summary) to
+the repository.
+
+## Linux packages
+
+Various people have kindly contributed packages for various Linux
+distributions.
+
+### Debian
+
+* Since Debian release 5 (Lenny), radsecproxy is included in the
+distribution.
+
+* 1.2 for CentOS 5 / Red Hat Enterprise Linux 5
+[radsecproxy-1.2-1.i386.rpm](packages/radsecproxy-1.2-1.i386.rpm)
+[radsecproxy-1.2-1.src.rpm](packages/radsecproxy-1.2-1.src.rpm)
+
+* 1.0 for openSUSE, Fedora and Mandriva openSUSE should be available
+from various mirrors, but all of these can also be downloaded from
+[download.opensuse.org](http://download.opensuse.org/repositories/network:/aaa/).
+The Fedora and Mandriva packages have not yet been tested (AFAIK),
+please let me know whether they work for you or not.
+
+* 1.0p1 for [OpenSDE](http://opensde.org/)
+Part of the distribution, see the site
diff --git a/index.mdwn b/index.mdwn
new file mode 100644
index 0000000..98a7de0
--- /dev/null
+++ b/index.mdwn
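Review bot: The Verifying section names sha256.txt and the .asc files but not the key that made the signatures, so a reader has nothing to check a signature against, and a checksum file served next to the tarballs only detects corruption, not a replaced file. I would add a line under `## Verifying` such as `Releases are signed with PGP key <FINGERPRINT - placeholder, to be filled in>; the SHA256 list is an integrity check only.` and publish that fingerprint in a second place besides this site. Releases 1.4 and older carry no signature link and 1.6.4 links a signature but no tarball, which deserves a sentence on the page. The `[web interface]` and `download.opensuse.org` links are plain `http://` while the clone URL is `https://`; the stray `</dd>` after the 1.6.6 entry and the missing `(` before both `[RADSECPROXY-43]` links should also be fixed.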
@@ -0,0 +1,33 @@
+radsecproxy is a generic RADIUS proxy that in addition to to usual
+RADIUS UDP transport, also supports TLS (RadSec), as well as RADIUS
+over TCP and DTLS. The aim is for the proxy to have sufficient
+features to be flexible, while at the same time to be small, efficient
+and easy to configure.
+
+The proxy was initially made to be able to deploy RadSec (RADIUS over
+TLS) so that all RADIUS communication across network links could be
+done using TLS, without modifying existing RADIUS software. This can
+be done by running this proxy on the same host as an existing RADIUS
+server or client, and configure the existing client/server to talk to
+localhost (the proxy) rather than other clients and servers directly.
+
+There are however other situations where a RADIUS proxy might be
+useful. Some people deploy RADIUS topologies where they want to route
+RADIUS messages to the right server. The nodes that do purely routing
+could be using a proxy. Some people may also wish to deploy a proxy on
+a site boundary. Since the proxy supports both IPv4 and IPv6, it could
+also be used to allow communication in cases where some RADIUS nodes
+use only IPv4 and some only IPv6.
+
+## Latest release
+
+On January 19th 2015
+[radsecproxy-1.6.6](dist/radsecproxy-1.6.6.tar.xz)
+([PGP-sig)](dist/radsecproxy-1.6.6.tar.xz.asc) was released, and this
+is the recommended release for most people. Please report issues,
+request features etc. to the
+[bug tracker](https://project.nordu.net/browse/RADSECPROXY). If you
+use radsecproxy, you should consider joining the
+[mailing list](https://postlister.uninett.no/sympa/info/radsecproxy/)
+to stay up to date on changes, issues etc. as well. All releases can
+be found on the [[download page|download]].
diff --git a/radsecproxy-1.0-alpha-p1.tar.gz b/radsecproxy-1.0-alpha-p1.tar.gz Binary files differnew file mode 100644
index 0000000..9c5ba77
--- /dev/null
+++ b/radsecproxy-1.0-alpha-p1.tar.gz
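Review bot: The Latest release links point at `dist/radsecproxy-1.6.6.tar.xz` and `dist/radsecproxy-1.6.6.tar.xz.asc`, while download.mdwn links the same release without `dist/` and the tarballs this commit adds sit at the repository root, so the front-page download and signature links probably do not resolve. The signature link is also malformed: `([PGP-sig)](dist/radsecproxy-1.6.6.tar.xz.asc)` should read `([PGP sig](radsecproxy-1.6.6.tar.xz.asc))`, assuming the root-level layout is the intended one. "in addition to to usual" in the first line looks like a typo for "in addition to the usual".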
diff --git a/radsecproxy-1.0-alpha.tar.gz b/radsecproxy-1.0-alpha.tar.gz Binary files differnew file mode 100644 index 0000000..988eb72 --- /dev/null +++ b/radsecproxy-1.0-alpha.tar.gz diff --git a/radsecproxy-1.0.tar.gz b/radsecproxy-1.0.tar.gz Binary files differnew file mode 100644 index 0000000..0ae37c6 --- /dev/null +++ b/radsecproxy-1.0.tar.gz diff --git a/radsecproxy-1.0p1.tar.gz b/radsecproxy-1.0p1.tar.gz Binary files differnew file mode 100644 index 0000000..ea90054 --- /dev/null +++ b/radsecproxy-1.0p1.tar.gz diff --git a/radsecproxy-1.1-alpha.tar.gz b/radsecproxy-1.1-alpha.tar.gz Binary files differnew file mode 100644 index 0000000..a843be3 --- /dev/null +++ b/radsecproxy-1.1-alpha.tar.gz diff --git a/radsecproxy-1.1-beta.tar.gz b/radsecproxy-1.1-beta.tar.gz Binary files differnew file mode 100644 index 0000000..2aab2c1 --- /dev/null +++ b/radsecproxy-1.1-beta.tar.gz diff --git a/radsecproxy-1.1.tar.gz b/radsecproxy-1.1.tar.gz Binary files differnew file mode 100644 index 0000000..7bb59b4 --- /dev/null +++ b/radsecproxy-1.1.tar.gz diff --git a/radsecproxy-1.2.tar.gz b/radsecproxy-1.2.tar.gz Binary files differnew file mode 100644 index 0000000..1971748 --- /dev/null +++ b/radsecproxy-1.2.tar.gz diff --git a/radsecproxy-1.3-alpha.tar.gz b/radsecproxy-1.3-alpha.tar.gz Binary files differnew file mode 100644 index 0000000..86be6bf --- /dev/null +++ b/radsecproxy-1.3-alpha.tar.gz diff --git a/radsecproxy-1.3-beta.tar.gz b/radsecproxy-1.3-beta.tar.gz Binary files differnew file mode 100644 index 0000000..92e4494 --- /dev/null +++ b/radsecproxy-1.3-beta.tar.gz diff --git a/radsecproxy-1.3.1.tar.gz b/radsecproxy-1.3.1.tar.gz Binary files differnew file mode 100644 index 0000000..aa72941 --- /dev/null +++ b/radsecproxy-1.3.1.tar.gz diff --git a/radsecproxy-1.3.tar.gz b/radsecproxy-1.3.tar.gz Binary files differnew file mode 100644 index 0000000..1dad580 --- /dev/null +++ b/radsecproxy-1.3.tar.gz 
diff --git a/radsecproxy-1.4.2.tar.gz b/radsecproxy-1.4.2.tar.gz Binary files differnew file mode 100644 index 0000000..23ebf72 --- /dev/null +++ b/radsecproxy-1.4.2.tar.gz diff --git a/radsecproxy-1.4.2.tar.gz.asc b/radsecproxy-1.4.2.tar.gz.asc new file mode 100644 index 0000000..9bcdae7 --- /dev/null +++ b/radsecproxy-1.4.2.tar.gz.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.10 (GNU/Linux) + +iQIcBAABCAAGBQJM69K7AAoJEB6L80kjKRJlpPcQANJccUgxQkVL8NArZK0pKhpe +0pyuwGlAOvfZTOe1vDbX2zHpbj9s/RXxV28xcE9o4gJhHjKqS4Ikk8b92W8KCi/Y +VfX0in1JJO0F2xy4LVxfTtmPZTgumAEm6lQAyv212MBxLC1joUNltGYyr/Pk+b5i +lwZNidK7/ZWr6qclpc4bGpZbfiJiuJ4RKS0nzO9M5Y8Ue/gPjX35Q0nZXmUYRXma +/lA8+ERjpxvU0YTrgTVGUYMQ78pql+nyvYqAd+iccSSlWIntQCWu3uAbBUbBVx4f +d2ekrUaXEBV8AWHa/J86V0LteRX4BV+BdlJrkdFAXJLKtl5c3UmfCV6wewPyqxPR +4JA7C3O02oE/c9ICYkpqHNkcBBSW0yyhSMHFuZXOjqyczdOPmvSCMzFRtuIkgSjU +NJUgV6nDffbQVedAF+GkVO1ll4xFvqGdAh9CjiIU/rhyN2eOWe6NL0t84eaUdDGV +5jzAVLFnmBNS99msmKO/RcSgJHE4NnoV1XTliAfU1lO+qY0nqyi+9FXJ3vVm9bHw +AzX+cK9Qbf5crZlQOxpDdsjVH1CTdXeg80csEzw9cLYPwQmqUN7DBL/7YFmFI78Z +mmQ2CxWyE1sTyAA/qnt4yWQ8x0EAo/lVlQBPdArxWlDRbhmdMbaJKp7REcwgedo3 +QNXzZuoO2x5Ls/aAw4dP +=DPGU +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.4.3.tar.gz b/radsecproxy-1.4.3.tar.gz Binary files differnew file mode 100644 index 0000000..bc64fa0 --- /dev/null +++ b/radsecproxy-1.4.3.tar.gz diff --git a/radsecproxy-1.4.3.tar.gz.asc b/radsecproxy-1.4.3.tar.gz.asc new file mode 100644 index 0000000..f3edc57 --- /dev/null +++ b/radsecproxy-1.4.3.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iQIcBAABCAAGBQJOKY3lAAoJEB6L80kjKRJleyEQAOdRiAOZ9dV95Kota+RYuC1K +ljrL2SPHrq/xAvvHWM9fGFEkGCUNaSt/VgDDE6zO1Ege+zYv8KsDf50ObqSJNvT6 +7E/3ZBdOfkPfaSdVIxa9OD4HxPJh/qiSEKa0Uqo/bgSO3eu6+FYJY5ttkROO8uN/ +bOmvvx0gDxcUfq/eFDuA3dC1uR1P/aqtE2ueJcXw2BV3qjZRapgSpNc7HzaW4avQ +ke9HAfDaOZtSEG7S6kQ+k16wagKcxw4MQjtEq7P5g/C3l00vKYD5eOjt9ClSQS3H +TdP9ubk3tTDgutvYaD7RSypObVf/ZUMk2X5QmWK+TjLkBq10CE51BIPIUme4l3RS +LOlqGRzxCALbtd2/olPRwvkChSKbcC5fXwBqr0ZUcj8hx2QL9v3H1yb8nihFCRBN +mkG2bCGsuEf5sBRRlwApNqNJwxGpXPIoDH2axzS+VEvKQseNaOypFwaWiSbTaOpn +OdCrE0V/RORjOWYetS6RYjSZidKjzmdE14LlnOuNo6Lv2Iqz+kTg8sjQiafOgMxZ +RrpXJf6YsN5U8LeQ7Iaf6RrQLzHjV16JwP9VKXsgkTYrEdXJuOMvrOlpAcsXHFO9 +ChHUPF800ORijEn+RUp1lNvcxbgCC+8TFg/OVHjr/NhaS/we2mZosy5Mtcj1ZQQo +7w3BSdaAjq++kIxuT+5B +=+V5O +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.4.tar.gz b/radsecproxy-1.4.tar.gz Binary files differnew file mode 100644 index 0000000..4ea1cba --- /dev/null +++ b/radsecproxy-1.4.tar.gz diff --git a/radsecproxy-1.5.tar.gz b/radsecproxy-1.5.tar.gz Binary files differnew file mode 100644 index 0000000..367f79f --- /dev/null +++ b/radsecproxy-1.5.tar.gz diff --git a/radsecproxy-1.5.tar.gz.asc b/radsecproxy-1.5.tar.gz.asc new file mode 100644 index 0000000..2062966 --- /dev/null +++ b/radsecproxy-1.5.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iQIcBAABCAAGBQJOkFu0AAoJEB6L80kjKRJl/SIQAKsbop76MS0X1KNbwKdhYcG3 +CyWDA9dP44FB7PLpBDywqD0Pn++baGNu7+WSYlakwCXcwvEjpR1GhtZ8b604KEVN +uYRKD+9ikTrRV4RVyAzmqqjNwX1wehqzywmsGpCpQG0SQSrwCi5v7CSJv3XoCjdV +u1oYzZiwSegGUTAmcCfLi+PHQ5jQJi8PuOCFa7NOAzDdJU2B8MMm4kVxUhGXdPvb +9abaGbnddEwgHgu7hu4Nk5+g7m9BHHEFAPGRmWgJRgMlNL5UzYHJe6VeI17QZOl/ +xfeMUvT1f5d0BbSFQvgM6fOPXYbE4MAcstpvNQjRZUo4zmW6A3Dxl080nF/wXn4t +XWQThs9JYKH5ZZ7aEhsUlF0BVddddH0HW90TIJWPfiHk63B/abcNBntY+agOmi3M +g7K5g5rgC0tOWEQe0o+q0qtF3C3fQpjm60zN+OdPl2aoJmC8HupmBMUlAeKD4jEB +Sw1/60tNVQjO3FDbwHjMeDMZyX4OSoDQJhXO59lscPrd4EHgSplU0WbkuSdZ50Lk +LrRQ0Jfst5fYw+SNkzOEdIzYF7WfZ8lPlNGA2/TRW450Qeyek1+AYC/eS99h5Vcs +Vh3Zi2VplHwg4ezf/PAUWh1Ee3YPl8qzyN16mvZVFqmO4qxIjn97grjZm1HhlS9B +b8i0EZTcGHBdjWWHR83e +=Htom +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.6.1.tar.gz b/radsecproxy-1.6.1.tar.gz Binary files differnew file mode 100644 index 0000000..7c3a53d --- /dev/null +++ b/radsecproxy-1.6.1.tar.gz diff --git a/radsecproxy-1.6.1.tar.gz.asc b/radsecproxy-1.6.1.tar.gz.asc new file mode 100644 index 0000000..5fb1040 --- /dev/null +++ b/radsecproxy-1.6.1.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.19 (FreeBSD) + +iQIcBAABCAAGBQJQUxU0AAoJEB6L80kjKRJlLJIQAOYHUNZgOdAndqhy/3zLVk3B +fArFCV6h6XMsoveSogxUwSaOdQPN26x8T5pDbTxOaXBkmvayqfEDeiRtXZA6p6U5 +LXu3w9Umws5XCCTq5nnJfyD8UfHTH4ecVLK3LH6bAeVCyyM9TiAMIhI65G2tuFT+ +qfe8+w7ZOnrah/crxD0PUYaQcZnB/3QShiry1hTCl6AzYvj5nonPFhz6cTp1ljRL +b02CAsqnoDATpmPe1vrtTDjvTBMZeaTVwmif8nOsg0wpcBupkRQjocpUPTHaVySD +mC9heuMVGL409NPiIyCLeLBUwE4/4b5hM8pPy3WBBSXksvxgljwDLzNNk4by0d39 +cXmXWzn3jZDLMAHV2CoVgTR9QQKVaUMmmAVDtNTXZRCEARYg+eDOX3wKMiwqtw6e +59gav/QyuiDBgi3hbvZ1LcBPMPjNBmNI+K1Mjlm0UydMoA/HNgkwnzm4W81FFUWH +Meyv/FWZdHnoPPdJdDExzRpHH0cnvU9I7PMrh/UVSYhZd0d82dLKgIsjnRoDKfiV +Wa4Htpgl/1wPUOcZZBt5z52s0Ow9E6tLmA8kwN+CX43Eqkgd8dCYJ0l9KQgeMpMY +uIVmfGtPxGuiw5qUo9oOCcvHuyrdNucOsBMQWJqh499gn0NQNYxz88FEzXZIEn2M +JslcuksaDBnzLxFJQvSy +=Nrvi +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.6.2.tar.gz b/radsecproxy-1.6.2.tar.gz Binary files differnew file mode 100644 index 0000000..c1f1fa5 --- /dev/null +++ b/radsecproxy-1.6.2.tar.gz diff --git a/radsecproxy-1.6.2.tar.gz.asc b/radsecproxy-1.6.2.tar.gz.asc new file mode 100644 index 0000000..5107981 --- /dev/null +++ b/radsecproxy-1.6.2.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.19 (FreeBSD) + +iQIcBAABCAAGBQJQiSfWAAoJEB6L80kjKRJlTK0P/0oOlaY7qP5lF2kZ8aWkDvCe +SZC2zvAOemSmgn/lEPckVDjdgaV1YXrIstLgZY9dRQoctbRPZB9GMpoPynYTb6j5 +8lJt7lA9Bd0rEyIXO0n7VuGVAXQBMO5Hjb2TWoyTMgvg9I2GeJ82/oMWrwRHd4w0 +scfCBP6gOKMNzurGzzrBnkqsB3Tv5AhzZF7/2NBVX0KOyU1XXZktANaqavpXDjZ8 +Hz8sI9E3dvwOLR73DH6qbOnEDA3dUqBvEghB90pO2kpoSIrzPNBN8/qUg2P3P3SG +1ybYlWNLZzAPhR9PUMWQ7uq/bJ+aI1VnfgZAEf5gnQGhNuqFTIdIz5NkPuGt9G7/ +NT4T+D1ixo28lIBkIC440y9xL3ACN8jooXB/UrDU6voMPoLOCet6bCmFOYyDsfXi +h6mBmox0exYz11xNI+kT/7HmMfs7nxCO6i4pN2uRVgzTWU9Rwsh6gJ2uhscmUIn3 +Khq3nDNhzLeL8QKAobcOYAoWN9AoE84niBt90siuwqC0GS5zcRem4f477iDJvRK6 +QTQOfw8/HQSdPQjgbpi1Px21LLTO/Gna5R5iuZvFGubAjQM0jVLSf8u2GghSHQu2 +a3rvqKArezlI9v4CHNp4VSLCKtnbncUOFV2bJKaUE9ryedkf7KST9gj7jYbHpHdz +VYKuG5TuEt2wZvuYDVsY +=WjuE +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.6.3.tar.gz b/radsecproxy-1.6.3.tar.gz Binary files differnew file mode 100644 index 0000000..a5b9adc --- /dev/null +++ b/radsecproxy-1.6.3.tar.gz diff --git a/radsecproxy-1.6.3.tar.gz.asc b/radsecproxy-1.6.3.tar.gz.asc new file mode 100644 index 0000000..0c91e5d --- /dev/null +++ b/radsecproxy-1.6.3.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (GNU/Linux) + +iQIcBAABCAAGBQJSJz0xAAoJEB6L80kjKRJlZnYP/jY6i0XGBFUrExXU5ZfkdfKQ +C77GSZZDeVflXfVFWjzgjAlDDKJZ5dUrSMkKXhkWe0mTs7eayY2HPIj5s5xu9H+j +o7sGyyc/2rBUjLtPpCRu93ukHbkP97KE1R1QRYWqIiKfdc1jxFMIAUXS6FFcxbTQ +uZQYkG+5t9tnXdoTXLYEB1Y7uDZ2dJIu7pcK8s98HSjaKkjN1Ph4eytpENEoyBOX +tcsS1Jgf1ilm9OURXXto6ct2WLIfzD3yu+sPvRvHuAcHSScA31u8wVBYQfNxQXQL +5uj+0n9BN8IXg/IoxdeATKn6sascHd3vikKAFeL8Xo7m0iP8975GghEWBNgYx+Tg +Ju0YOHivVsULtyh61TDz5Vng9Br+pjX1aRMy6rS70mvh4D1ctFVg+4ZxMx8UpK06 +F3X8jAaDa4oSXNQJkoUaTMWCgQprnAs1jEpICdVzntlylws6Ei84tIatfZGj0Exf +3WDQAR7S4yI6CUsz68FTDzsmjRWAYMENgseYnnWN6q7YrP1hizuaUDOxpXG8ZfM7 +KbCqDKBdqzfkMMMhZEksbSryMXT/UM2lLrlfLvSZGZo9cHkCnYDZthbCdWXXhBug +FRO6SmX+8cwcRuh3Fmi//JYv6C1EvFk4lOrwBKXtwVjdwTrZYutzutNML4yGUvoR +DpaART428P/6uMp96vCO +=stR5 +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.6.4.tar.gz b/radsecproxy-1.6.4.tar.gz Binary files differnew file mode 100644 index 0000000..aa8b3bf --- /dev/null +++ b/radsecproxy-1.6.4.tar.gz diff --git a/radsecproxy-1.6.4.tar.gz.asc b/radsecproxy-1.6.4.tar.gz.asc new file mode 100644 index 0000000..54af8aa --- /dev/null +++ b/radsecproxy-1.6.4.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (GNU/Linux) + +iQIcBAABCAAGBQJSKIeIAAoJEB6L80kjKRJlEv4P/iUWIdQRIWxrPCg10s5TIHBR +Bss9EV/rq4aMsVxRWyLgzLs0TvxbwJTQyQcI6w98k8Lu5leSshDw55Z7ZHye5smu +xMTrmHOTl7nE4gcxWrG+R1aac61G7BdOUuG/0Q1asXyj17A09/BpAoWMuJqSqtAq +MHsB3uX1+vfOptuDvknNPPP8BFI01si5VeTCNunJwdNlmr7/QxfFqKMeq8PQHx2c +3iqUc8yShAqJOeR3EeGgTgTxRn7vy0yBm7V6EbQZhNX+2t39SLqleVXCrrG+/WLc +zEFzWCs8ouyzRzqnve3zRuRE30bkjG3SmiAwlwB0+LCfcs7PRAyWDuv9DzJ32D9f +qL6FuVjegHLdnT1QcW3JdKK3y3AC73+pDYnRSTy1aMVO+5jfbAf1Xq4/c+0kxzOs +jDt8ALcOzRL1fVR9drqGxfPQrqFw3odDNfyMK8v5d1jz+B4B4AfGL1wcqaRJMN3u +Nh+xQ0430QczDdc2adprUjTT39r955K7QTRfxmez9NVu6mZxBINJQBmdV58+6TQD +amI5ADbidhOZEnRbM102UT9IBWUcUtdsRCp+tbcbbuEgDarp2Y4fcEKgWW4bG6Os +Labuhf+WzpmlirMi2yt1tY5VQdz0OdBGyB7LOLOvdo0dVRp0kI4e2Z5UXEtjaKZi +LAHIxS+a2VdhlU5X2Fkn +=a8LW +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.6.5.tar.gz b/radsecproxy-1.6.5.tar.gz Binary files differnew file mode 100644 index 0000000..631e78c --- /dev/null +++ b/radsecproxy-1.6.5.tar.gz diff --git a/radsecproxy-1.6.5.tar.gz.asc b/radsecproxy-1.6.5.tar.gz.asc new file mode 100644 index 0000000..1ac95b3 --- /dev/null +++ b/radsecproxy-1.6.5.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (GNU/Linux) + +iQIcBAABCAAGBQJSKdkrAAoJEB6L80kjKRJlfqgQAML6n2CoLPe6DRa8LF8W5Do/ +cDZccicyd0B1QjnNoHTOEFu9jIb7RTBnv68w0rcYF6hLlj03pAWKczAmretOnoqu +vURrJrmACi3fJ8urgt6muhlrcb0ZkCfKhFCIjlMJma1z3KBCdO9OmuWU22Z5lYMj +uFEU00u7bTXkoZLwPgljLypBteWckPTzt1QePU/ZjemRvDNfd7nByw1ga83WVzH2 +fKqtOPOhkEtftiql6piDty29qJgJO9MN7NOrpiGYEWiutJXzZFdp57h47pIaGo8p +7X/vGq4FjkNcWO1wLL/UvMo/MOdt+hU783u11QLh37tkRCurc1IAUDCrKEnRNfV7 +QGbr3//CKxt/UyJhJgUSeQ8SJy5F6Pj6/mckwvqFaYJDxBNAfrorsdULrS98Vd6l +EvCMmx/B413rr0dnG8A56Rj9wcFc3nSKNSaf+to3EgHTkC246qtsYjQ+8y0Y/lda +6zAsnPvdzidCacQThgEefHkdwM1uFirpzFnd38g0zbusmT1/A21UionsVIQaiSBM +W/+a+Cp7y+6QQO7BRFyLnNmaccTVirf1RNQK9cd81p3UL65VZPQN/j9vmqtylVMi +JHEiwmVBQcEFITUq4QRuyiRAZ9IcgKOlfKpJpwXPshhNjXynhM1pqpJL7jq8fnll +p1dQ1zh0tR4wBEW5AURo +=z3I3 +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.6.6.tar.xz b/radsecproxy-1.6.6.tar.xz Binary files differnew file mode 100644 index 0000000..26bf087 --- /dev/null +++ b/radsecproxy-1.6.6.tar.xz diff --git a/radsecproxy-1.6.6.tar.xz.asc b/radsecproxy-1.6.6.tar.xz.asc new file mode 100644 index 0000000..421670c --- /dev/null +++ b/radsecproxy-1.6.6.tar.xz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABCAAGBQJUvQmKAAoJEB6L80kjKRJl9CUP/i3zyi7OOx4IAvOacTydAvcd +t8sz/YTpi0/kud2Tt3rOK0Bc1/LSLL0U+QEg2KcYvC7mu5NAADgeMOM1vi98Ce4u +5TcPCiFxDigZBT92jiq77DRBGrtl37W12GtU71CyUDPBp1th++1mJP0lm7sY8OZ8 +kXCCyZfWrgXkyntWv5hBwEn9SuzfmbYI8SyvL7ofJETZ0qfhqcfJff7v5N7L/f+w +WhH0uDLqKgjjP+Y+6JUdZYYYRuQ75r8JPdJ/uo3xJs7G4OTk8/ucvqFmOQF7TJq9 +A+Nch83MG9cDY6+N3od40zvz9qTLpybvQ2mKNUEj6AASPt6O+DHtqVo6E1eQ6ZIj +fTOZbeJaam/5jK5z2+4MPmtW2+GPFsMQjzyZueAbW0pYU0WAsf3fZi3GkCL3OE2l +ec4VvdzVAI9aVQTwn9ebQdwyPxQf9+0fU6BpGL4R9FobIY5Re2Hm6Fib1Ym4TkSy +oxIf3j1tiFBB5KZwLIhkP8mTTi6UoqDb/ThU+5KllwQQZrEv8K0C77rt9kXZkaPg +gXCGVJEfny5hoHcLT1uNemmYVRAKgDZYNLRA7YV+lpa/GfcD4lz8AZSg6bnqlQIB +4gBjLQLIZr6xiToSSNGeLjaTfd36VgtKnzmtsb8NIbN4YhLsFRptfsnTdp13I6Cr +DJ8vjIrenGVSxe9tX+0x +=AJTs +-----END PGP SIGNATURE----- diff --git a/radsecproxy-1.6.tar.gz b/radsecproxy-1.6.tar.gz Binary files differnew file mode 100644 index 0000000..54d78f3 --- /dev/null +++ b/radsecproxy-1.6.tar.gz diff --git a/radsecproxy-1.6.tar.gz.asc b/radsecproxy-1.6.tar.gz.asc new file mode 100644 index 0000000..1ea8eb8 --- /dev/null +++ b/radsecproxy-1.6.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.19 (FreeBSD) + +iQIcBAABCAAGBQJPmpfSAAoJEB6L80kjKRJlJbUP/2zFzGRGfs+Fkkq8tA/IQjPZ +5BaSR02HITKOwr8D6eoYGdSSLl2fetQkml1i+xqlbCWbvNXkul6+wwQBJ1ZYGOrD +o7KXd06B75i8mAfIU45HhzfRl3TSq3Er9lZIXbWwkMMUrzEweNMLqziTQ6645EyB +O4/gYBoTga8JxsXHicPPKLYXJC4neIb5NgQ7mhU8xNmsu5CC1K8tVDRoxocsi41o +LTsLSPdSxESiPNJVlm0Xu1BXTEKINbGBAQV32s/idIxrOVUlEYIfSAV48o0Iz1tH +aQ8lC0eZL9Unv1po81xwic8uRmfQeix0RM0bf5AwyURw+62KFEwG9PjYMRNEdFbK +xRE1k5YzrujEbmaQ9z1H62H+M+zDtvqy4ASd5BLPmaJBiQ9fS90vYUefLQLcPux8 +padZbTPmA4Shgnn9TqAe7CEzQr7g4CnNrfcxTgsxDfhBxr2eiB1JrecChEZ6IdGT +idfiOpuKtUUFIYzCkGIb2ZJYqrQ5IDEyOWpD9s5u+KVwTnLtWBXdeJksREqYdmSV +dvQvx37nVu3F8CxdeAYDNjW5D4TI/NWE+7JTS9LdD8+cj1ixvOwBED3dKbOPwAYv +HU9bISjZIc4ocTZk0bHDVhdlOCa88zacoJ4+JarUnNAb2e1s0hHbTdFZoId3byjm +D90Z0IloqK2JUllwINcG +=4F1m +-----END PGP SIGNATURE----- diff --git a/radsecproxy-devel-20081006.tar.gz b/radsecproxy-devel-20081006.tar.gz Binary files differnew file mode 100644 index 0000000..5a038ac --- /dev/null +++ b/radsecproxy-devel-20081006.tar.gz diff --git a/radsecproxy-devel-20081106.tar.gz b/radsecproxy-devel-20081106.tar.gz Binary files differnew file mode 100644 index 0000000..55cfbba --- /dev/null +++ b/radsecproxy-devel-20081106.tar.gz diff --git a/sha256.txt b/sha256.txt new file mode 100644 index 0000000..cfe2726 --- /dev/null +++ b/sha256.txt 
@@ -0,0 +1,25 @@
+4fca01d04416abce86100a024c2afdcd7dba573c3b418d3850acdc0e26ce3ed5 radsecproxy-devel-20081106.tar.gz
+2b84753521cf3db992d333c5f3fc3c316d3c101cc488993f4bc41ec6531c8244 radsecproxy-devel-20081006.tar.gz
+b20058d88f9994d6affc47d2a81dfb0c9878d8498d42662e2033adea115ea67a radsecproxy-1.3.tar.gz
+a0de10c88b1137aa45b043539c24e962a4aaf6733338bacb27f5f8443bb26e5c radsecproxy-1.3-beta.tar.gz
+f52c25ac96fbb3c7370385f54964f4fcb4c0b0ef7fe165f97611fdddefe8015b radsecproxy-1.3-alpha.tar.gz
+ebed436dd1cf2a3b3a5313a4e179e300e1b02e22df6bba0a426ee32fc18e690e radsecproxy-1.3.1.tar.gz
+edcdb0acd044b4fb8d913801b5362b72df9c39b9526eecec44853093ab74831a radsecproxy-1.2.tar.gz
+5ef48727c30cdf412c6e9f8a13817d9a7ad20787673cd93476d09d5da90a6478 radsecproxy-1.1.tar.gz
+1e57886b1251b7ac81917173b753dd3a8150c921056f46f36c907db55b5bbaa9 radsecproxy-1.1-beta.tar.gz
+11625b0b56972f0cad29a63fae0baa20a7f78307506faf881ff0f37e0f4a1a85 radsecproxy-1.1-alpha.tar.gz
+fa892f20f46436ab6dc7a3fbd7e84a6cc0132e31c54a3eb56702b36e4d18eaf8 radsecproxy-1.0.tar.gz
+95fb8f2e39e82f089d8038a78473329322ac2d28dbfe8239092f6f1827cf852f radsecproxy-1.0p1.tar.gz
+1bb5c086c04042bcd78b031ce6bab3db01f48c3c38c500a339ca6cf5cbdbd74e radsecproxy-1.0-alpha.tar.gz
+032a79942bc9dec6c836d41497b0a5377c7b855b3383e2df6eebafd8a596347e radsecproxy-1.0-alpha-p1.tar.gz
+12cbdb8c0ac6eaba81fc805033549845a5937f42e32416f091cc79796f207385 radsecproxy-1.4.tar.gz
+76f2db133c22883bd87bd0c6f2c258c14d7c01751845d425abb4a1599401757e radsecproxy-1.4.2.tar.gz
+7271339d15c4850f7bd9c7ea26d583c450347cbdeaca13c35921409502245eeb radsecproxy-1.4.3.tar.gz
+abddfae337c31c2496b38ac504eee780acc655c7ea2457361cee6d2f6f5c6bdd radsecproxy-1.5.tar.gz
+7348425b76703cf614cd8e3952c79f8aa471a27f3d3192729f8afbd6332d099f radsecproxy-1.6.tar.gz
+44d7943d2de5db029782ed4931736a210ee77d1157576729d3c20214e4200a45 radsecproxy-1.6.1.tar.gz
+d562e69025b8833f0e44b141ae04aa0ae6b014290883a4f88967d8220c1d927c radsecproxy-1.6.2.tar.gz
+49cb599fb446307dba3adf9032e1c5c45113b4b871fb759cbf41a27f1b6e29ac radsecproxy-1.6.3.tar.gz
+65837d14daad56ca8eb8cb629db0d01dfd6b341df8e4df1c12ba362242a47be7 radsecproxy-1.6.4.tar.gz
+b0b7718c84a73ee2af48684cb5c9f3d76369c7e3a4ad3258b919769b4dc65e5f radsecproxy-1.6.5.tar.gz
+278251399e326f9afacd1df8c7de492ec5ae6420085f71630da8f6ce585297ef radsecproxy-1.6.6.tar.xz
diff --git a/sidebar.mdwn b/sidebar.mdwn
new file mode 100644
index 0000000..6b1e402
--- /dev/null
+++ b/sidebar.mdwn
@@ -0,0 +1,3 @@
+* **[[download]]**
+* [[documentation|doc]]
+* [[contact]] |
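Review bot: sha256.txt is added without a detached signature, so its checksums are only as trustworthy as the host that serves them next to the tarballs. That matters most for `radsecproxy-1.4.tar.gz` and the two `radsecproxy-devel-*.tar.gz` files, which this commit adds with no `.asc`; for them the list is the only integrity reference, and whoever can replace a tarball on the server can replace its line here as well. Adding a `sha256.txt.asc` made with the key that signed the other release files would close that gap. Whether the tarballs behind the 1.0–1.3.1 entries carry signatures cannot be seen from this part of the diff.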