author | Jim P <jim@pingle.org> | 2011-12-16 07:52:45 -0800 |
---|---|---|
committer | Jim P <jim@pingle.org> | 2011-12-16 07:52:45 -0800 |
commit | 6fa15510ae4285911f0e643c48f0940d94f22ff5 (patch) | |
tree | 688ed0ad942da4a5e0410eebceee45dccbdd7baa | |
parent | 7e5cb1e9951f7afab0404506e61e0acf63e62709 (diff) | |
parent | 976e803ecd4d6e1e5112b427a2c05f59efeb8637 (diff) | |
Merge pull request #134 from Nachtfalkeaw/master
Disabled the proxy module (not often used) and the virtual server "control-socket", which is experimental and a security issue if misconfigured.
-rwxr-xr-x | config/freeradius2/freeradius.inc | 17 | ||||
-rw-r--r-- | pkg_config.8.xml | 2 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 2 |
3 files changed, 12 insertions, 9 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 29ca98f8..76fb23d5 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -29,6 +29,8 @@ function freeradius_install_command() { exec("chown -R root:wheel /usr/local/etc/raddb"); exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); + // disable an experimental module of freeRADIUS which could be a security issue if not configured correctly! + exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket"); closedir($handle); @@ -146,14 +148,15 @@ log { } checkrad = \${sbindir}/checkrad -security { +security { max_attributes = $varsettingsmaxattributes reject_delay = $varsettingsrejectdelay status_server = no ### Needs additional config in raddb/sites-available/status } -proxy_requests = yes -\$INCLUDE proxy.conf +### disbale proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server +#proxy_requests = yes +#\$INCLUDE proxy.conf \$INCLUDE clients.conf thread pool { start_servers = $varsettingsstartservers @@ -259,7 +262,7 @@ EOD; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0600); - conf_mount_ro(); + conf_mount_ro(); restart_service('freeradius'); } @@ -296,11 +299,11 @@ client $varclientshortname { shortname = $varclientshortname ### Optional: Used by checkrad.pl for simultaneous use checks. Default: other - nastype = $varclientnastype + nastype = $varclientnastype ### Optional: will be used in future releases - #login = !root - #password = someadminpas + #login = !root + #password = someadminpas ### Additional configuration needed. See: raddb/sites-available/originate-coa #virtual_server = home1 diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 495a4ef0..fefb92dd 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml 
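Review bot: The added `exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket");` in freeradius_install_command() discards the result, so if the removal fails the control-socket virtual server stays enabled and nothing is logged. Since this line is the security fix, I would do it in PHP and report failure: `$cs = "/usr/local/etc/raddb/sites-enabled/control-socket";` followed by `if ((is_link($cs) || file_exists($cs)) && !unlink($cs)) log_error("freeradius: could not remove $cs");`. It also runs only at install time, so presumably a later port upgrade or a manual re-link would bring the file back; repeating the check where the configuration is regenerated would cover that. The function's body starts and ends outside the hunk.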
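Review bot: Commenting out `proxy_requests = yes` in the generated radiusd.conf does not turn proxying off. FreeRADIUS documents this setting as enabled by default, so with the line absent the server most likely still treats proxying as on and merely lacks the realms from proxy.conf. To state the intent and avoid depending on the default, emit `proxy_requests = no` in place of `#proxy_requests = yes`. The new comment line also carries a typo (`disbale`), which ends up in the config file written to disk. The heredoc this text belongs to starts and ends outside the hunk.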
@@ -760,7 +760,7 @@ Do not use together with freeradius package. Both are using the same XML files.]]></descr> <pkginfolink>http://forum.pfsense.org/index.php/topic,43675.0.html</pkginfolink> <category>System</category> - <version>2.1.12 pkg v1.1.0</version> + <version>2.1.12 pkg v1.1.1</version> <status>BETA</status> <required_version>2.0</required_version> <maintainer>Nachtfalke</maintainer> diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 2730cf82..a7ff638b 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -803,7 +803,7 @@ Do not use together with freeradius package. Both are using the same XML files.]]></descr> <pkginfolink>http://forum.pfsense.org/index.php/topic,43675.0.html</pkginfolink> <category>System</category> - <version>2.1.12 pkg v1.1.0</version> + <version>2.1.12 pkg v1.1.1</version> <status>BETA</status> <required_version>2.0</required_version> <maintainer>Nachtfalke</maintainer> |