From issues at outoforder.cc Thu Oct 10 13:10:43 2013
From: issues at outoforder.cc (Mantis Bug Tracker)
Date: Thu, 10 Oct 2013 13:10:43 -0400
Subject: [Issues] [mod_auth_xradius 0000174]: Current mod_auth_xradius is incompatible with Apache 2.4
Message-ID: <260445ffdc841d27d1872fbebf29d08d@issues.outoforder.cc>

The following issue has been SUBMITTED.
======================================================================
http://issues.outoforder.cc/view.php?id=174
======================================================================
Reported By: slaanesh
Assigned To:
======================================================================
Project: mod_auth_xradius
Issue ID: 174
Category: Apache Integration
Reproducibility: always
Severity: crash
Priority: high
Status: new
Apache Version:
======================================================================
Date Submitted: 2013-10-10 13:10 EDT
Last Modified: 2013-10-10 13:10 EDT
======================================================================
Summary: Current mod_auth_xradius is incompatible with Apache 2.4

Description:
Current mod_auth_xradius can be successfully compiled for Apache 2.4 with the aid of a few patches, but makes Apache crash.
Patches are here:
http://pkgs.fedoraproject.org/cgit/mod_auth_xradius.git/tree/

This was originally reported at the end of 2012 in Redhat/Fedora's bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=879274

Same package compiled for RHEL/CentOS 5 & 6 works fine.

Steps to Reproduce:
On a supported Fedora release (i.e. 18 or higher) install Apache, install mod_auth_xradius and try to start Apache. Apache will crash.

Additional Information:
I can't put "2.4" in the Apache version field of the ticket as it seems it's not valid.
======================================================================
Issue History
Date Modified    Username    Field    Change
======================================================================
2013-10-10 13:10 slaanesh    New Issue
======================================================================

From issues at outoforder.cc Thu Oct 10 13:14:19 2013
From: issues at outoforder.cc (Mantis Bug Tracker)
Date: Thu, 10 Oct 2013 13:14:19 -0400
Subject: [Issues] [mod_auth_xradius 0000175]: Module mangles configuration when 2 or more Radius servers are used
Message-ID: <7afdd716825106dd37e94df5050d29f7@issues.outoforder.cc>

The following issue has been SUBMITTED.
======================================================================
http://issues.outoforder.cc/view.php?id=175
======================================================================
Reported By: slaanesh
Assigned To:
======================================================================
Project: mod_auth_xradius
Issue ID: 175
Category: Apache Integration
Reproducibility: always
Severity: crash
Priority: normal
Status: new
Apache Version:
======================================================================
Date Submitted: 2013-10-10 13:14 EDT
Last Modified: 2013-10-10 13:14 EDT
======================================================================
Summary: Module mangles configuration when 2 or more Radius servers are used

Description:
mod_auth_xradius will not work if 2 or more Radius servers are declared in the configuration. It will die with weird errors containing parts of the strings defined in the proper Apache directive.

Current solution is to apply the following patch:
http://pkgs.fedoraproject.org/cgit/mod_auth_xradius.git/tree/mod_auth_xradius-0.4.6-ha.patch

As noted at the end of:
http://issues.outoforder.cc/view.php?id=43

It fixes the issue (i.e. works for me) but doesn't work as a redundancy feature. With this patch, all servers *must* respond in order for the user to authenticate.
If 2 are configured, and one is down... the user is denied.

Steps to Reproduce:
Configure 2 or more Radius servers in the module configuration.

Additional Information:
Can be tested using a supported Fedora release.

======================================================================
Issue History
Date Modified    Username    Field    Change
======================================================================
2013-10-10 13:14 slaanesh    New Issue
======================================================================

From issues at outoforder.cc Thu Oct 10 13:20:08 2013
From: issues at outoforder.cc (Mantis Bug Tracker)
Date: Thu, 10 Oct 2013 13:20:08 -0400
Subject: [Issues] [mod_auth_xradius 0000176]: Current library bundling prevents packaging in some distributions where bundling is disallowed
Message-ID: <52d39ee851ee3a82cf66d86f7ceed0d1@issues.outoforder.cc>

The following issue has been SUBMITTED.
======================================================================
http://issues.outoforder.cc/view.php?id=176
======================================================================
Reported By: slaanesh
Assigned To:
======================================================================
Project: mod_auth_xradius
Issue ID: 176
Category: Compile or Build
Reproducibility: always
Severity: feature
Priority: normal
Status: new
Apache Version:
======================================================================
Date Submitted: 2013-10-10 13:20 EDT
Last Modified: 2013-10-10 13:20 EDT
======================================================================
Summary: Current library bundling prevents packaging in some distributions where bundling is disallowed

Description:
mod_auth_xradius currently ships with files and libraries taken from other projects. This makes it impossible to ship it in some distributions where bundling is disallowed.
Redhat is shipping patches to make it work with system NSS implementations (instead of md5.h) and to compile the xradius code derived from FreeBSD as an external library.

Patches:
http://pkgs.fedoraproject.org/cgit/mod_auth_xradius.git/tree/mod_auth_xradius-0.4.6-libnss_libxradius.patch
http://pkgs.fedoraproject.org/cgit/mod_auth_xradius.git/tree/mod_auth_xradius-0.4.6-share_libxradius.patch

Steps to Reproduce:
Compile the module.

======================================================================
Issue History
Date Modified    Username    Field    Change
======================================================================
2013-10-10 13:20 slaanesh    New Issue
======================================================================

From issues at outoforder.cc Thu Oct 10 13:20:45 2013
From: issues at outoforder.cc (Mantis Bug Tracker)
Date: Thu, 10 Oct 2013 13:20:45 -0400
Subject: [Issues] [mod_auth_xradius 0000165]: Replay Attack possible xradius with apr_memcache
In-Reply-To:
Message-ID: <8e3ad4429aa418355c3f50238007cb03@issues.outoforder.cc>

A NOTE has been added to this issue.
======================================================================
http://issues.outoforder.cc/view.php?id=165
======================================================================
Reported By: pcfreak
Assigned To:
======================================================================
Project: mod_auth_xradius
Issue ID: 165
Category: Security Issue
Reproducibility: always
Severity: major
Priority: high
Status: new
Apache Version: apache2 Version: 2.2.16-6+squeeze3
======================================================================
Date Submitted: 2011-09-29 06:27 EDT
Last Modified: 2013-10-10 13:20 EDT
======================================================================
Summary: Replay Attack possible xradius with apr_memcache

Description:
On Debian Squeeze I successfully compiled mod_auth_xradius and apr_memcache.
I authenticate against a radius server backend that verifies SafeWord OTP Tokens. Everything looks good so far, but when I sniff the "Authorization: Basic" string in http traffic and base64-decode it, I can use the credentials on different sessions and on different IPs. A so-called replay attack is possible during the "AuthXRadiusCacheTimeout", even from a different IP. I don't know if this is related to xradius or apr_memcache.

Steps to Reproduce:
Use tcpflow to sniff the http session and grab the Authorization: Basic d0Y5NjMzMzc6MTExMjkzMjA5NzAw string.
Do a "echo d0Y5NjMzMzc6MTExMjg3NTAyOTIz | base64 -d - && echo" and then you have wF963337:111287502923
During the AuthXRadiusCacheTimeout you can use the credentials U: wF963337 P: 111287502923 on any machine to authenticate.

Additional Information:
Relevant parts of apache site config

##The Cache for mod_auth_xradius must be configured globally.
##If you do not want Authentication Caching, set:
AuthXRadiusCache memcache "127.0.0.1:11211"
## Time in Seconds that an entry will be cached.
AuthXRadiusCacheTimeout 300

## Type of authentication to use - radius needs basic
AuthType Basic
## We have to assign xradius as provider here
AuthBasicProvider xradius
## Client prompt for authentication
AuthName "Credentials needed"
## Address and the Shared Secret of the RADIUS Server(s) to contact.
AuthXRadiusAddServer "10.11.12.13:1812" "yoursecret"
#AuthXRadiusAddServer "10.11.12.14:1812" "yoursecret"
## Time in Seconds to wait for replies from the RADIUS Servers
AuthXRadiusTimeout 7
## Number of times to resend a request to a server if no reply is received.
AuthXRadiusRetries 2
## This tells apache that we want a valid user and password.
require valid-user

Version of memcached
Package: memcached
Version: 1.4.5-1
======================================================================

----------------------------------------------------------------------
(0000311) slaanesh (reporter) - 2013-10-10 13:20
http://issues.outoforder.cc/view.php?id=165#c311
----------------------------------------------------------------------
Bump!

Issue History
Date Modified    Username    Field    Change
======================================================================
2011-09-29 06:27 pcfreak     New Issue
2013-10-10 13:20 slaanesh    Note Added: 0000311
======================================================================
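The cache behaviour issue 165 describes, modelled as an added example (this is not code from mod_auth_xradius or apr_memcache): a mock RADIUS backend that accepts each one-time password exactly once, sitting behind a success cache with a TTL in the role of AuthXRadiusCacheTimeout, first keyed on the bare credentials and then with each entry scoped to the client address. The keyed-hash cache key, the cache secret and the client IPs are assumptions; the user and OTP values are the ones quoted in the report.

```python
"""Why a credential cache in front of an OTP-backed RADIUS server enables replay."""
import hashlib
import hmac


class OtpRadiusBackend:
    """Stand-in for the RADIUS/SafeWord server: every OTP is valid exactly once."""

    def __init__(self, valid_otps):
        # user -> set of not-yet-used OTPs (constructed test data)
        self._valid = {user: set(otps) for user, otps in valid_otps.items()}

    def authenticate(self, user, password):
        unused = self._valid.get(user, set())
        if password in unused:
            unused.discard(password)  # a verified OTP is consumed on first use
            return True
        return False


class CachedAuth:
    """Cache of successful authentications, as the module does with apr_memcache.

    bind_client=False keys entries on credentials alone (the reported behaviour);
    bind_client=True also folds the client address into the key (assumed hardening).
    """

    def __init__(self, backend, ttl, bind_client=False, secret=b"assumed-cache-secret"):
        self.backend, self.ttl, self.bind_client, self.secret = backend, ttl, bind_client, secret
        self._cache = {}  # cache key -> expiry time (seconds)

    def _key(self, user, password, client_ip):
        scope = client_ip if self.bind_client else ""
        # Keyed hash so the memcache key never stores the plaintext credentials.
        return hmac.new(self.secret, f"{user}:{password}:{scope}".encode(), hashlib.sha256).hexdigest()

    def check(self, user, password, client_ip, now):
        key = self._key(user, password, client_ip)
        if self._cache.get(key, 0) > now:
            return True  # served from cache: RADIUS never sees the reused OTP
        ok = self.backend.authenticate(user, password)
        if ok:
            self._cache[key] = now + self.ttl
        return ok


def replay_window(bind_client, ttl=300):
    """Authenticate once, then present the same OTP from another address 10 s later."""
    auth = CachedAuth(OtpRadiusBackend({"wF963337": {"111287502923"}}), ttl, bind_client)
    first = auth.check("wF963337", "111287502923", "192.0.2.10", now=1000)
    replay = auth.check("wF963337", "111287502923", "198.51.100.7", now=1010)
    return first, replay
```

With `bind_client=False` the second call is answered from the cache and succeeds; with `bind_client=True` or `ttl=0` it reaches the backend, which rejects the already-consumed OTP. Scoping entries to the client only narrows the window, since the same address can still replay within the TTL; the one-time property holds only when every presentation is forwarded to RADIUS.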