

commit - 4a4dce94acbf203aec1c6f5ebc1d97ef1f1ad2d4
commit + da2270739c798f5d01e9d1afe269d4fa1c5000aa
blob - f02ac14445e6ce4ae3dd664929a88478c8524aa2
blob + 56a0f7b0aaa3318a7dc630f8c8decc6ecef6f67b
--- usr.sbin/radiusd/parse.y
+++ usr.sbin/radiusd/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.18 2024/07/01 03:13:42 yasuoka Exp $	*/
+/*	$OpenBSD: parse.y,v 1.19 2024/07/02 00:00:12 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -37,14 +37,17 @@
 #include "log.h"
 
 static struct	 radiusd *conf;
-static struct	 radiusd_authentication authen;
-static struct	 radiusd_client client;
+static struct	 radiusd_authentication  authen;
+static struct	 radiusd_module		*conf_module = NULL;
+static struct	 radiusd_client		 client;
 
-static struct	 radiusd_module *find_module (const char *);
-static void	 free_str_l (void *);
-static struct	 radiusd_module_ref *create_module_ref (const char *);
-static void	 radiusd_authentication_init (struct radiusd_authentication *);
-static void	 radiusd_client_init (struct radiusd_client *);
+static struct	 radiusd_module *find_module(const char *);
+static void	 free_str_l(void *);
+static struct	 radiusd_module_ref *create_module_ref(const char *);
+static void	 radiusd_authentication_init(struct radiusd_authentication *);
+static void	 radiusd_client_init(struct radiusd_client *);
+static const char
+		*default_module_path(const char *);
 
 TAILQ_HEAD(files, file)		 files = TAILQ_HEAD_INITIALIZER(files);
 static struct file {
@@ -89,17 +92,18 @@ typedef struct {
 %}
 
 %token	INCLUDE LISTEN ON PORT CLIENT SECRET LOAD MODULE MSGAUTH_REQUIRED
-%token	AUTHENTICATE AUTHENTICATE_BY DECORATE_BY SET
+%token	AUTHENTICATE AUTHENTICATE_BY BY DECORATE_BY SET
 %token	ERROR YES NO
 %token	<v.string>		STRING
 %token	<v.number>		NUMBER
 %type	<v.number>		optport
 %type	<v.listen>		listen_addr
-%type	<v.str_l>		str_l
+%type	<v.str_l>		str_l optdeco
 %type	<v.prefix>		prefix
 %type	<v.yesno>		yesno
 %type	<v.string>		strnum
 %type	<v.string>		key
+%type	<v.string>		optstring
 %%
 
 grammar		: /* empty */
@@ -265,7 +269,45 @@ prefix		: STRING '/' NUMBER {
 			freeaddrinfo(res);
 		}
 		;
-module		: MODULE LOAD STRING STRING {
+module		: MODULE STRING optstring {
+			const char *path = $3;
+			if (path == NULL && (path = default_module_path($2))
+			    == NULL) {
+				yyerror("default path for `%s' is unknown.",
+				    $2);
+				free($2);
+				free($3);
+				YYERROR;
+			}
+			conf_module = radiusd_module_load(conf, path, $2);
+			free($2);
+			free($3);
+			if (conf_module == NULL)
+				YYERROR;
+			TAILQ_INSERT_TAIL(&conf->module, conf_module, next);
+			conf_module = NULL;
+		}
+		| MODULE STRING optstring {
+			const char *path = $3;
+			if (path == NULL && (path = default_module_path($2))
+			    == NULL) {
+				yyerror("default path for `%s' is unknown.",
+				    $2);
+				free($2);
+				free($3);
+				YYERROR;
+			}
+			conf_module = radiusd_module_load(conf, path, $2);
+			free($2);
+			free($3);
+			if (conf_module == NULL)
+				YYERROR;
+		} '{' moduleopts '}' {
+			TAILQ_INSERT_TAIL(&conf->module, conf_module, next);
+			conf_module = NULL;
+		}
+		/* following syntaxes are for backward compatilities */
+		| MODULE LOAD STRING STRING {
 			struct radiusd_module *module;
 			if ((module = radiusd_module_load(conf, $4, $3))
 			    == NULL) {
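Review bot: The two new `MODULE STRING optstring` alternatives carry byte-identical actions (the `default_module_path` fallback, the `radiusd_module_load` call, the two `free` calls and the `YYERROR`), so a later fix to one is easy to miss in the other. Factoring the load into its own nonterminal, say `module_load`, lets the bare form and the braced form share it; under LALR(1) the `'{'` lookahead still separates them, which is worth confirming with `yacc -v` showing no change in the conflict count. The rule's remaining alternatives (the backward-compatible `MODULE LOAD` and `MODULE SET` forms) continue past the end of the hunk, and the comment introducing them misspells `compatibilities`.
```yacc
module		: module_load {
			TAILQ_INSERT_TAIL(&conf->module, conf_module, next);
			conf_module = NULL;
		}
		| module_load '{' moduleopts '}' {
			TAILQ_INSERT_TAIL(&conf->module, conf_module, next);
			conf_module = NULL;
		}
		/* … unchanged: backward-compatible MODULE LOAD and MODULE SET alternatives … */
		;
module_load	: MODULE STRING optstring {
			const char *path = $3;
			/* … unchanged: default_module_path() fallback, radiusd_module_load(), free($2)/free($3), YYERROR on failure … */
		}
		;
```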
@@ -303,34 +345,104 @@ setstrerr:
 		}
 		;
 
+moduleopts	: moduleopts '\n' moduleopt
+		| moduleopt
+		;
+moduleopt	: /* empty */
+		| SET key str_l {
+			if ($2[0] == '_') {
+				yyerror("setting `%s' is not allowed", $2);
+				free($2);
+				free_str_l(&$3);
+				YYERROR;
+			}
+			if (radiusd_module_set(conf_module, $2, $3.c, $3.v)) {
+				yyerror("syntax error by module `%s'",
+				    conf_module->name);
+				free($2);
+				free_str_l(&$3);
+				YYERROR;
+			}
+			free($2);
+			free_str_l(&$3);
+		}
+		;
+
 key		: STRING
 		| SECRET { $$ = strdup("secret"); }
 		;
 
-authenticate	: AUTHENTICATE {
+authenticate	: AUTHENTICATE str_l BY STRING optdeco {
+			int				 i;
+			struct radiusd_authentication	*auth;
+			struct radiusd_module_ref	*modref, *modreft;
+
+			if ((auth = calloc(1,
+			    sizeof(struct radiusd_authentication))) == NULL) {
+				yyerror("Out of memory: %s", strerror(errno));
+				goto authenticate_error;
+			}
+			modref = create_module_ref($4);
+			if ((auth->auth = create_module_ref($4)) == NULL)
+				goto authenticate_error;
+			auth->username = $2.v;
+			TAILQ_INIT(&auth->deco);
+			for (i = 0; i < $5.c; i++) {
+				if ((modref = create_module_ref($5.v[i]))
+				    == NULL)
+					goto authenticate_error;
+				TAILQ_INSERT_TAIL(&auth->deco, modref, next);
+			}
+			TAILQ_INSERT_TAIL(&conf->authen, auth, next);
+			auth = NULL;
+ authenticate_error:
+			if (auth != NULL) {
+				free(auth->auth);
+				TAILQ_FOREACH_SAFE(modref, &auth->deco, next,
+				    modreft) {
+					TAILQ_REMOVE(&auth->deco, modref, next);
+					free(modref);
+				}
+				free_str_l(&$2);
+			}
+			free(auth);
+			free($4);
+			free_str_l(&$5);
+		}
+		/* the followings are for backward compatibilities */
+		| AUTHENTICATE str_l optnl '{' {
 			radiusd_authentication_init(&authen);
-		} str_l optnl '{' authopts '}' {
-			struct radiusd_authentication *a;
+			authen.username = $2.v;
+		} authopts '}' {
+			int				 i;
+			struct radiusd_authentication	*a;
 
 			if (authen.auth == NULL) {
-				free_str_l(&$3);
 				yyerror("no authentication module specified");
+				for (i = 0; authen.username[i] != NULL; i++)
+					free(authen.username[i]);
+				free(authen.username);
 				YYERROR;
 			}
 			if ((a = calloc(1,
 			    sizeof(struct radiusd_authentication))) == NULL) {
-				free_str_l(&$3);
+				for (i = 0; authen.username[i] != NULL; i++)
+					free(authen.username[i]);
+				free(authen.username);
 				goto outofmemory;
 			}
 			a->auth = authen.auth;
 			authen.auth = NULL;
 			a->deco = authen.deco;
-			a->username = $3.v;
-
+			a->username = authen.username;
 			TAILQ_INSERT_TAIL(&conf->authen, a, next);
 		}
 		;
 
+optdeco		: { $$.c = 0; $$.v = NULL; }
+		| DECORATE_BY str_l { $$ = $2; }
+		;
+
 authopts	: authopts '\n' authopt
 		| authopt
 		;
@@ -395,6 +507,9 @@ strnum		: STRING	{ $$ = $1; }
 		;
 optnl		:
 		| '\n'
+		;
+optstring	: { $$ = NULL; }
+		| STRING { $$ = $1; }
 		;
 yesno		: YES { $$ = true; }
 		| NO  { $$ = false; }
@@ -435,6 +550,7 @@ lookup(char *s)
 	static const struct keywords keywords[] = {
 		{ "authenticate",		AUTHENTICATE},
 		{ "authenticate-by",		AUTHENTICATE_BY},
+		{ "by",				BY},
 		{ "client",			CLIENT},
 		{ "decorate-by",		DECORATE_BY},
 		{ "include",			INCLUDE},
@@ -723,7 +839,6 @@ parse_config(const char *filename, struct radiusd *rad
 {
 	int				 errors = 0;
 	struct radiusd_listen		*l;
-	struct radiusd_module_ref	*m, *mt;
 
 	conf = radiusd;
 	radiusd_conf_init(conf);
@@ -757,10 +872,8 @@ parse_config(const char *filename, struct radiusd *rad
 		l->sock = -1;
 	}
 	radiusd_authentication_init(&authen);
-	TAILQ_FOREACH_SAFE(m, &authen.deco, next, mt) {
-		TAILQ_REMOVE(&authen.deco, m, next);
-		free(m);
-	}
+	if (conf_module != NULL)
+		radiusd_module_unload(conf_module);
 out:
 	conf = NULL;
 	return (errors ? -1 : 0);
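Review bot: Dropping the `TAILQ_FOREACH_SAFE` loop over `authen.deco` removes the only release of decoration references left in `authen` when an old-style `authenticate ... { }` block fails partway through `authopts`; `radiusd_authentication_init` looks like a plain reinitialisation (compare the `memset` in `radiusd_client_init` in the last hunk), so unless it frees `authen.deco`, `authen.auth` and the `authen.username` vector itself, those now leak on that error path. Keeping the loop here is the minimal fix; freeing `authen.username` here as well would additionally require the successful path to set `authen.username = NULL` after handing it to `a`, mirroring what is already done for `authen.auth`. The added `radiusd_module_unload(conf_module)` correctly covers a module loaded by the mid-rule action whose option block then failed to parse. parse_config begins before this hunk.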
@@ -825,4 +938,25 @@ radiusd_client_init(struct radiusd_client *clnt)
 {
 	memset(clnt, 0, sizeof(struct radiusd_client));
 	clnt->msgauth_required = true;
+}
+
+static const char *
+default_module_path(const char *name)
+{
+	unsigned i;
+	struct {
+		const char *name;
+		const char *path;
+	} module_paths[] = {
+		{ "bsdauth",	"/usr/libexec/radiusd/radiusd_bsdauth" },
+		{ "radius",	"/usr/libexec/radiusd/radiusd_radius" },
+		{ "standard",	"/usr/libexec/radiusd/radiusd_standard" }
+	};
+
+	for (i = 0; i < nitems(module_paths); i++) {
+		if (strcmp(name, module_paths[i].name) == 0)
+			return (module_paths[i].path);
+	}
+
+	return (NULL);
 }
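Review bot: `module_paths` in `default_module_path` is an automatic array, so its initializer is rebuilt on every call; declaring it `static const struct { ... } module_paths[] = {` makes it a read-only table built once, and `nitems` works unchanged on it. The lookup is an exact `strcmp` match, so a name that differs only in case falls through to the caller's "default path ... is unknown" error, which is appropriate for a configuration keyword but worth stating. A one-line comment above the table, such as `/* predefined module names and the executables they load by default */`, would explain why these paths are hard-coded in the parser.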
blob - 6df77ef50ffeda83ddcfb00c2fec78cc95494925
blob + 5d02722c678e52a9e47acc48528a0c19ee462de1
--- usr.sbin/radiusd/radiusd.conf.5
+++ usr.sbin/radiusd/radiusd.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: radiusd.conf.5,v 1.19 2024/07/01 03:22:06 yasuoka Exp $
+.\"	$OpenBSD: radiusd.conf.5,v 1.20 2024/07/02 00:00:12 yasuoka Exp $
 .\"
 .\" Copyright (c) 2014 Esdenera Networks GmbH
 .\" Copyright (c) 2014, 2023 Internet Initiative Japan Inc.
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 1 2024 $
+.Dd $Mdocdate: July 2 2024 $
 .Dt RADIUSD.CONF 5
 .Os
 .Sh NAME
@@ -57,40 +57,46 @@ This option cannot be omitted.
 Specify if message authentication is required.
 The default is to require message authentication.
 .El
-.It Ic module load Ar name path
-Load a module
-from
-.Ar path
-and name it with the given
-.Ar name .
-The following modules are available:
-.Bl -column "/usr/libexec/radiusd/radiusd_bsdauthXXX"
-.It Sy "Path" Ta Sy "Description"
-.It Pa /usr/libexec/radiusd/radiusd_bsdauth Ta Do bsdauth Dc module
-.It Pa /usr/libexec/radiusd/radiusd_radius Ta Do radius Dc module
-.It Pa /usr/libexec/radiusd/radiusd_standard Ta Do standard Dc module
-.El
+.It Ic module Ar name Oo Ar path Oc Op Brq ...
+Load a module.
+Specify one of the predefined names for
+.Ar name ,
+or specify
+.Ar name
+and
+.Ar path .
+When multiple modules of the same path are loaded with different names,
+each module can have configurations respectively and work independently.
+.Pp
+The following module are predefined:
 .Bl -tag -width Ds
 .It Do bsdauth Dc module
 The
 .Dq bsdauth
-module provides authentication from the local system's
+module
+provides authentication from the local system's
 .Xr authenticate 3
-interface,
-known as
-.Dq bsd auth .
-It only supports PAP, password based authentication.
+interface.
+See
+.Xr radiusd_bsdauth 8 .
 .It Do radius Dc module
 The
 .Dq radius
 module provides authentication from upstream RADIUS servers.
+See
+.Xr radiusd_radius 8 .
 .It Do standard Dc module
 The
 .Dq standard
-module provides standard decorations for Access-Request messages or its
-response messages.
+module provides standard decorations for RADIUS messages.
+See
+.Xr radiusd_standard 8 .
 .El
-.It Ic module set Ar module key value ...
+.Pp
+It is optionally followed by a block of options enclosed in curly brackets.
+The following option can be used in the block:
+.Bl -tag -width Ds
+.It Ic set Ar key value ...
 Configure the module specific configurations by
 .Ar key
 and
@@ -98,90 +104,18 @@ and
 for the module specified by
 .Ar module .
 Notice that
-.Ar module ,
 .Ar key ,
 and
 .Ar value
-must be quoted to be distinguished from the reserved word.
-.Pp
-The
-.Dq bsdauth
-module supports the following configuration key and value:
-.Bl -tag -width Ds -offset indent
-.It Ic restrict-group Ar group ...
-Restrict login only if the user is a member of the specified groups.
+must be quoted to be distinguished from the reserved word if needed.
 .El
-.Pp
-The
-.Dq radius
-module supports the following configuration key and value:
-.Bl -tag -width Ds -offset indent
-.It Ic server Ar address Ns Op : Ns Ar port
-Specify the upstream server's address and port.
-If
-.Ar port
-is omitted, 1812 is used.
-This configuration can be specified multiple times.
-.It Ic secret Ar secret
-Specify the shared secret with the servers.
-This configuration cannot be omitted.
-.It Ic max-tries Ar number
-Specify the maximum number of retransmissions for a server.
-.Xr radiusd 8
-will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission
-and subsequent retransmissions will occur every 8 seconds.
-If the number of retransmissions per server reaches this value,
-the current server is marked as
-.Dq fail ,
-and the next server is used for subsequent requests.
-The default value is 3.
-.It Ic max-failovers Ar number
-If a positive number is specified,
-.Xr radiusd 8
-will failover to the next server
-when the current server is marked
-.Dq fail .
-This key and value specifies the maximum number of failovers.
-The default value is 0.
-.It Ic request-timeout Ar sec
-Specify the request timeout in seconds.
-If this value is specified,
-.Ar max-tries
-and
-.Ar max-failover
-will not be used.
-.El
-.Pp
-The
-.Dq standard
-module supports the following configuration key and value:
-.Pp
-.Bl -tag -width Ds -offset indent -compact
-.It Ic strip-atmark-realm Ar true | false
-Remove the realm part which starts with @
-.Pq atmark
-from the User-Name attribute of the Access-Request.
-.Pp
-.It Ic strip-nt-domain Ar true | false
-Remove NT domain which ends with \\
-.Pq backslash
-from the User-Name attribute of the Access-Request.
-.Pp
-.It Cm remove-request-attribute Oo Ar vendor Oc Ar type
-.It Cm remove-response-attribute Oo Ar vendor Oc Ar type
-Remove all the specified attributes from request or response
-messages of Access-Request.
-Specify
-.Ar type
-of the attribute in a decimal number.
-To specify a vendor attribute,
-specify the Vendor-Id
-in a decimal number for
-.Ar vendor .
-.El
-.It Ic authenticate Ar username-pattern ... Brq ...
+.It Ic authenticate Ar username-pattern ... Ic by Ar auth Oo Ic decorated-by \
+Ar deco ...  Oc
 Specify an authentication configuration for the users specified by
-.Ar username-pattern .
+.Ar username-pattern.
+The users matched by the pattern is authenticated by the module
+specified by
+.Ar auth .
 Use shell globbing rules for the pattern;
 multiple patterns can be specified by separating with space characters.
 When multiple
@@ -191,28 +125,19 @@ lines are specified, the first
 setting whose
 .Ar username-pattern
 matches an authenticating user is used.
-It is followed by a block of options enclosed in curly brackets:
-.Bl -tag -width Ds
-.It Ic authenticate-by Ar module
-Specify the module name.
-.It Ic decorate-by Ar module
-Specify the module name.
+.Pp
+Optionally decoration modules can be specified by
+.Ar deco .
+The specified modules decorate the RADIUS messages in the configured order.
 .El
-.El
 .Sh FILES
-.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact
+.Bl -tag -width "/etc/examples/radiusd.conf" -compact
 .It Pa /etc/radiusd.conf
 Default
 .Xr radiusd 8
 configuration file.
 .It Pa /etc/examples/radiusd.conf
 Example configuration file.
-.It Pa /usr/libexec/radiusd/radiusd_bsdauth
-.Dq bsdauth
-module executable.
-.It Pa /usr/libexec/radiusd/radiusd_radius
-.Dq radius
-module executable.
 .El
 .Sh EXAMPLES
 .Bd -literal -offset indent
@@ -220,31 +145,32 @@ listen on 0.0.0.0
 listen on ::
 
 client 127.0.0.1/32 {
-	secret "secret"
-	msgauth-required no
+    secret "secret"
+    msgauth-required no
 }
 client 192.168.0.0/24 {
-	secret "secret"
+    secret "secret"
 }
 
-module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth"
-module set bsdauth restrict-group operator
+module bsdauth {
+    set restrict-group operator
+}
 
-module load radius "/usr/libexec/radiusd/radiusd_radius"
-module set radius secret "testing123"
-module set radius server "127.0.0.1"
+module radius {
+    set secret "testing123"
+    set server "127.0.0.1"
+}
 
-module load strip-realm "/usr/libexec/radiusd/radiusd_standard"
-module set strip-realm strip-atmark-realm true
-
-authenticate *@local {
-	authenticate-by bsdauth
-	decorate-by strip-realm
+module strip-realm "/usr/libexec/radiusd/radiusd_standard" {
+    set strip-atmark-realm true
 }
-authenticate * {
-	authenticate-by radius
-}
+
+authenticate *@local by bsdauth decorate-by strip-realm
+
+authenticate * by radius
 .Ed
 .Sh SEE ALSO
-.Xr authenticate 3 ,
-.Xr radiusd 8
+.Xr radiusd 8 ,
+.Xr radiusd_bsdauth 8 ,
+.Xr radiusd_radius 8 ,
+.Xr radiusd_standard 8
blob - f5e904d18c7b7250f6b312ff48ed2e0328abf7fc
blob + 008f6f4a127200abedcb3494555b042656ca3db3
--- usr.sbin/radiusd/radiusd_bsdauth/Makefile
+++ usr.sbin/radiusd/radiusd_bsdauth/Makefile
@@ -1,9 +1,9 @@
-#	$OpenBSD: Makefile,v 1.2 2024/01/28 18:38:16 deraadt Exp $
+#	$OpenBSD: Makefile,v 1.3 2024/07/02 00:00:12 yasuoka Exp $
 PROG=		radiusd_bsdauth
 BINDIR=		/usr/libexec/radiusd
 SRCS=		radiusd_bsdauth.c radiusd_module.c imsg_subr.c
 LDADD+=		-lradius -lcrypto -lutil
 DPADD+=		${LIBRADIUS} ${LIBCRYPTO} ${LIBUTIL}
-NOMAN=		#
+MAN=		radiusd_bsdauth.8
 
 .include <bsd.prog.mk>
blob - /dev/null
blob + 219eee0ea41cf3987a88dbc776414a9b9d75f5a3 (mode 644)
--- /dev/null
+++ usr.sbin/radiusd/radiusd_bsdauth.8
@@ -0,0 +1,61 @@
+.\"	$OpenBSD: radiusd_bsdauth.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $
+.\"
+.\" Copyright (c) 2014 Esdenera Networks GmbH
+.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following requests are required for all man pages.
+.\"
+.Dd $Mdocdate: July 2 2024 $
+.Dt RADIUSD_BSDAUTH 8
+.Os
+.Sh NAME
+.Nm radiusd_bsdauth
+.Nd provide authentication by BSD authentication system
+.Sh SYNOPSIS
+.Nm radiusd_bsdauth
+.Sh DESCRIPTION
+The
+.Nm
+utility is executed by
+.Xr radiusd 8
+as a module to provide authentication from the local system's
+.Xr authenticate 3
+interface,
+known as
+.Dq bsd auth .
+It only supports PAP, password based authentication.
+.Sh CONFIGURATIONS
+The
+.Nm
+supports the following configuration key and value:
+.Bl -tag -width Ds
+.It Ic restrict-group Ar group ...
+Restrict login only if the user is a member of the specified groups.
+.El
+.Sh FILES
+.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact
+.It Pa /usr/libexec/radiusd/radiusd_bsdauth
+.Dq bsdauth
+module executable.
+.El
+.Sh SEE ALSO
+.Xr authenticate 3 ,
+.Xr radiusd 8 ,
+.Xr radiusd.conf 5
+.Sh HISTORY
+The
+.Nm
+daemon first appeared in
+.Ox 5.8 .
blob - 41aaac34f767f40a1eb774da34285a4a5ddfb915
blob + cd6d9731e9598a77a327d0a3120d45563b7f04b7
--- usr.sbin/radiusd/radiusd_radius/Makefile
+++ usr.sbin/radiusd/radiusd_radius/Makefile
@@ -1,10 +1,10 @@
-#	$OpenBSD: Makefile,v 1.2 2024/01/28 18:38:16 deraadt Exp $
+#	$OpenBSD: Makefile,v 1.3 2024/07/02 00:00:12 yasuoka Exp $
 PROG=		radiusd_radius
 BINDIR=		/usr/libexec/radiusd
 SRCS=		radiusd_radius.c radiusd_module.c util.c imsg_subr.c log.c
 CFLAGS+=	-DUSE_LIBEVENT
 LDADD+=		-lradius -lcrypto -lutil -levent
 DPADD+=		${LIBRADIUS} ${LIBCRYPTO} ${LIBUTIL} ${LIBEVENT}
-NOMAN=		#
+MAN=		radiusd_radius.8
 
 .include <bsd.prog.mk>
blob - 5dbea5e193b2edefcd3dd6df8db29fb91f4bb235
blob + d873dc2a86e823c4421f022fa3f60cbbd336b5c7
--- usr.sbin/radiusd/radiusd_standard/Makefile
+++ usr.sbin/radiusd/radiusd_standard/Makefile
@@ -1,8 +1,8 @@
-#	$OpenBSD: Makefile,v 1.1 2023/09/08 05:56:22 yasuoka Exp $
+#	$OpenBSD: Makefile,v 1.2 2024/07/02 00:00:12 yasuoka Exp $
 PROG=		radiusd_standard
 BINDIR=		/usr/libexec/radiusd
 SRCS=		radiusd_standard.c radiusd_module.c
 LDADD=		-lutil -lradius -lcrypto
-NOMAN=		#
+MAN=		radiusd_standard.8
 
 .include <bsd.prog.mk>
blob - /dev/null
blob + 2ab83faf17498cdcd34b707de4576014ae9531e9 (mode 644)
--- /dev/null
+++ usr.sbin/radiusd/radiusd_radius.8
@@ -0,0 +1,84 @@
+.\"	$OpenBSD: radiusd_radius.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $
+.\"
+.\" Copyright (c) 2014 Esdenera Networks GmbH
+.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following requests are required for all man pages.
+.\"
+.Dd $Mdocdate: July 2 2024 $
+.Dt RADIUSD_RADIUS 8
+.Os
+.Sh NAME
+.Nm radiusd_radius
+.Nd provide authentication from upstream RADIUS servers
+.Sh SYNOPSIS
+.Nm radiusd_radius
+.Sh DESCRIPTION
+The
+.Nm
+utility is executed by
+.Xr radiusd 8
+as a module to provide authentication from upstream RADIUS servers.
+.Sh CONFIGURATIONS
+The
+.Nm
+supports the following configuration key and value:
+.Bl -tag -width Ds
+.It Ic server Ar address Ns Op : Ns Ar port
+Specify the upstream server's address and port.
+If
+.Ar port
+is omitted, 1812 is used.
+This configuration can be specified multiple times.
+.It Ic secret Ar secret
+Specify the shared secret with the servers.
+This configuration cannot be omitted.
+.It Ic max-tries Ar number
+Specify the maximum number of retransmissions for a server.
+.Xr radiusd 8
+will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission
+and subsequent retransmissions will occur every 8 seconds.
+If the number of retransmissions per server reaches this value,
+the current server is marked as
+.Dq fail ,
+and the next server is used for subsequent requests.
+The default value is 3.
+.It Ic max-failovers Ar number
+If a positive number is specified,
+.Xr radiusd 8
+will failover to the next server
+when the current server is marked
+.Dq fail .
+This key and value specifies the maximum number of failovers.
+The default value is 0.
+.It Ic request-timeout Ar sec
+Specify the request timeout in seconds.
+If this value is specified,
+.Ar max-tries
+and
+.Ar max-failover
+will not be used.
+.El
+.Sh FILES
+.Bl -tag -width "/usr/libexec/radiusd/radiusd_radius" -compact
+.It Pa /usr/libexec/radiusd/radiusd_radius
+.Dq radius
+module executable.
+.El
+.Sh HISTORY
+The
+.Nm
+daemon first appeared in
+.Ox 5.8 .
blob - /dev/null
blob + a75c9da3e970a8eec6665f41a9f1a88d62cb4df7 (mode 644)
--- /dev/null
+++ usr.sbin/radiusd/radiusd_standard.8
@@ -0,0 +1,70 @@
+.\"	$OpenBSD: radiusd_standard.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $
+.\"
+.\" Copyright (c) 2014 Esdenera Networks GmbH
+.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following requests are required for all man pages.
+.\"
+.Dd $Mdocdate: July 2 2024 $
+.Dt RADIUSD_STANDARD 8
+.Os
+.Sh NAME
+.Nm radiusd_standard
+.Nd provide standard decorations for RADIUS messages
+.Sh SYNOPSIS
+.Nm radiusd_standard
+.Sh DESCRIPTION
+The
+.Nm
+utility processes files ...
+.Sh CONFIGURATIONS
+The
+.Nm
+module supports the following configuration key and value:
+.Pp
+.Bl -tag -width Ds
+.It Ic strip-atmark-realm Ar true | false
+Remove the realm part which starts with @
+.Pq atmark
+from the User-Name attribute of the Access-Request.
+.Pp
+.It Ic strip-nt-domain Ar true | false
+Remove NT domain which ends with \\
+.Pq backslash
+from the User-Name attribute of the Access-Request.
+.Pp
+.It Cm remove-request-attribute Oo Ar vendor Oc Ar type
+.It Cm remove-response-attribute Oo Ar vendor Oc Ar type
+Remove all the specified attributes from request or response
+messages of Access-Request.
+Specify
+.Ar type
+of the attribute in a decimal number.
+To specify a vendor attribute,
+specify the Vendor-Id
+in a decimal number for
+.Ar vendor .
+.El
+.Sh FILES
+.Bl -tag -width "/usr/libexec/radiusd/radiusd_standard" -compact
+.It Pa /usr/libexec/radiusd/radiusd_standard
+.Dq standard
+module executable.
+.El
+.Sh HISTORY
+The
+.Nm
+daemon first appeared in
+.Ox 5.8 .