commit da2270739c798f5d01e9d1afe269d4fa1c5000aa from: yasuoka date: Tue Jul 02 00:00:12 2024 UTC Change the syntax for "module" and "authenticate". "module" can have a {} block now. On the other hand, "authentication" can be without a {} block. The previous syntax is still accepted. Also make specifying the path of "module" be optional. commit - 4a4dce94acbf203aec1c6f5ebc1d97ef1f1ad2d4 commit + da2270739c798f5d01e9d1afe269d4fa1c5000aa blob - f02ac14445e6ce4ae3dd664929a88478c8524aa2 blob + 56a0f7b0aaa3318a7dc630f8c8decc6ecef6f67b --- usr.sbin/radiusd/parse.y +++ usr.sbin/radiusd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.18 2024/07/01 03:13:42 yasuoka Exp $ */ +/* $OpenBSD: parse.y,v 1.19 2024/07/02 00:00:12 yasuoka Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -37,14 +37,17 @@ #include "log.h" static struct radiusd *conf; -static struct radiusd_authentication authen; -static struct radiusd_client client; +static struct radiusd_authentication authen; +static struct radiusd_module *conf_module = NULL; +static struct radiusd_client client; -static struct radiusd_module *find_module (const char *); -static void free_str_l (void *); -static struct radiusd_module_ref *create_module_ref (const char *); -static void radiusd_authentication_init (struct radiusd_authentication *); -static void radiusd_client_init (struct radiusd_client *); +static struct radiusd_module *find_module(const char *); +static void free_str_l(void *); +static struct radiusd_module_ref *create_module_ref(const char *); +static void radiusd_authentication_init(struct radiusd_authentication *); +static void radiusd_client_init(struct radiusd_client *); +static const char + *default_module_path(const char *); TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files); static struct file { @@ -89,17 +92,18 @@ typedef struct { %} %token INCLUDE LISTEN ON PORT CLIENT SECRET LOAD MODULE MSGAUTH_REQUIRED -%token AUTHENTICATE AUTHENTICATE_BY DECORATE_BY SET +%token AUTHENTICATE AUTHENTICATE_BY BY DECORATE_BY SET %token ERROR YES NO %token STRING %token NUMBER %type optport %type listen_addr -%type str_l +%type str_l optdeco %type prefix %type yesno %type strnum %type key +%type optstring %% grammar : /* empty */ @@ -265,7 +269,45 @@ prefix : STRING '/' NUMBER { freeaddrinfo(res); } ; -module : MODULE LOAD STRING STRING { +module : MODULE STRING optstring { + const char *path = $3; + if (path == NULL && (path = default_module_path($2)) + == NULL) { + yyerror("default path for `%s' is unknown.", + $2); + free($2); + free($3); + YYERROR; + } + conf_module = radiusd_module_load(conf, path, $2); + free($2); + free($3); + if (conf_module == NULL) + YYERROR; + TAILQ_INSERT_TAIL(&conf->module, conf_module, next); + conf_module = NULL; + } + | MODULE STRING optstring { + const char *path = $3; + if (path == NULL && (path = default_module_path($2)) + == NULL) { + yyerror("default path for `%s' is unknown.", + $2); + free($2); + free($3); + YYERROR; + } + conf_module = radiusd_module_load(conf, path, $2); + free($2); + free($3); + if (conf_module == NULL) + YYERROR; + } '{' moduleopts '}' { + TAILQ_INSERT_TAIL(&conf->module, conf_module, next); + conf_module = NULL; + } + /* following syntaxes are for backward compatilities */ + | MODULE LOAD STRING STRING { struct radiusd_module *module; if ((module = radiusd_module_load(conf, $4, $3)) == NULL) { @@ -303,34 +345,104 @@ setstrerr: } ; +moduleopts : moduleopts '\n' moduleopt + | moduleopt + ; +moduleopt : /* empty */ + | SET key str_l { + if ($2[0] == '_') { + yyerror("setting `%s' is not allowed", $2); + free($2); + free_str_l(&$3); + YYERROR; + } + if (radiusd_module_set(conf_module, $2, $3.c, $3.v)) { + yyerror("syntax error by module `%s'", + conf_module->name); + free($2); + free_str_l(&$3); + YYERROR; + } + free($2); + free_str_l(&$3); + } + ; + key : STRING | SECRET { $$ = strdup("secret"); } ; -authenticate : AUTHENTICATE { +authenticate : AUTHENTICATE str_l BY STRING optdeco { + int i; + struct radiusd_authentication *auth; + struct radiusd_module_ref *modref, *modreft; + + if ((auth = calloc(1, + sizeof(struct radiusd_authentication))) == NULL) { + yyerror("Out of memory: %s", strerror(errno)); + goto authenticate_error; + } + modref = create_module_ref($4); + if ((auth->auth = create_module_ref($4)) == NULL) + goto authenticate_error; + auth->username = $2.v; + TAILQ_INIT(&auth->deco); + for (i = 0; i < $5.c; i++) { + if ((modref = create_module_ref($5.v[i])) + == NULL) + goto authenticate_error; + TAILQ_INSERT_TAIL(&auth->deco, modref, next); + } + TAILQ_INSERT_TAIL(&conf->authen, auth, next); + auth = NULL; + authenticate_error: + if (auth != NULL) { + free(auth->auth); + TAILQ_FOREACH_SAFE(modref, &auth->deco, next, + modreft) { + TAILQ_REMOVE(&auth->deco, modref, next); + free(modref); + } + free_str_l(&$2); + } + free(auth); + free($4); + free_str_l(&$5); + } + /* the followings are for backward compatibilities */ + | AUTHENTICATE str_l optnl '{' { radiusd_authentication_init(&authen); - } str_l optnl '{' authopts '}' { - struct radiusd_authentication *a; + authen.username = $2.v; + } authopts '}' { + int i; + struct radiusd_authentication *a; if (authen.auth == NULL) { - free_str_l(&$3); yyerror("no authentication module specified"); + for (i = 0; authen.username[i] != NULL; i++) + free(authen.username[i]); + free(authen.username); YYERROR; } if ((a = calloc(1, sizeof(struct radiusd_authentication))) == NULL) { - free_str_l(&$3); + for (i = 0; authen.username[i] != NULL; i++) + free(authen.username[i]); + free(authen.username); goto outofmemory; } a->auth = authen.auth; authen.auth = NULL; a->deco = authen.deco; - a->username = $3.v; - + a->username = authen.username; TAILQ_INSERT_TAIL(&conf->authen, a, next); } ; +optdeco : { $$.c = 0; $$.v = NULL; } + | DECORATE_BY str_l { $$ = $2; } + ; + authopts : authopts '\n' authopt | authopt ; @@ -395,6 +507,9 @@ strnum : STRING { $$ = $1; } ; optnl : | '\n' + ; +optstring : { $$ = NULL; } + | STRING { $$ = $1; } ; yesno : YES { $$ = true; } | NO { $$ = false; } @@ -435,6 +550,7 @@ lookup(char *s) static const struct keywords keywords[] = { { "authenticate", AUTHENTICATE}, { "authenticate-by", AUTHENTICATE_BY}, + { "by", BY}, { "client", CLIENT}, { "decorate-by", DECORATE_BY}, { "include", INCLUDE}, @@ -723,7 +839,6 @@ parse_config(const char *filename, struct radiusd *rad { int errors = 0; struct radiusd_listen *l; - struct radiusd_module_ref *m, *mt; conf = radiusd; radiusd_conf_init(conf); @@ -757,10 +872,8 @@ parse_config(const char *filename, struct radiusd *rad l->sock = -1; } radiusd_authentication_init(&authen); - TAILQ_FOREACH_SAFE(m, &authen.deco, next, mt) { - TAILQ_REMOVE(&authen.deco, m, next); - free(m); - } + if (conf_module != NULL) + radiusd_module_unload(conf_module); out: conf = NULL; return (errors ? -1 : 0); @@ -825,4 +938,25 @@ radiusd_client_init(struct radiusd_client *clnt) { memset(clnt, 0, sizeof(struct radiusd_client)); clnt->msgauth_required = true; +} + +static const char * +default_module_path(const char *name) +{ + unsigned i; + struct { + const char *name; + const char *path; + } module_paths[] = { + { "bsdauth", "/usr/libexec/radiusd/radiusd_bsdauth" }, + { "radius", "/usr/libexec/radiusd/radiusd_radius" }, + { "standard", "/usr/libexec/radiusd/radiusd_standard" } + }; + + for (i = 0; i < nitems(module_paths); i++) { + if (strcmp(name, module_paths[i].name) == 0) + return (module_paths[i].path); + } + + return (NULL); } blob - 6df77ef50ffeda83ddcfb00c2fec78cc95494925 blob + 5d02722c678e52a9e47acc48528a0c19ee462de1 --- usr.sbin/radiusd/radiusd.conf.5 +++ usr.sbin/radiusd/radiusd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: radiusd.conf.5,v 1.19 2024/07/01 03:22:06 yasuoka Exp $ +.\" $OpenBSD: radiusd.conf.5,v 1.20 2024/07/02 00:00:12 yasuoka Exp $ .\" .\" Copyright (c) 2014 Esdenera Networks GmbH .\" Copyright (c) 2014, 2023 Internet Initiative Japan Inc. @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: July 1 2024 $ +.Dd $Mdocdate: July 2 2024 $ .Dt RADIUSD.CONF 5 .Os .Sh NAME @@ -57,40 +57,46 @@ This option cannot be omitted. Specify if message authentication is required. The default is to require message authentication. .El -.It Ic module load Ar name path -Load a module -from -.Ar path -and name it with the given -.Ar name . -The following modules are available: -.Bl -column "/usr/libexec/radiusd/radiusd_bsdauthXXX" -.It Sy "Path" Ta Sy "Description" -.It Pa /usr/libexec/radiusd/radiusd_bsdauth Ta Do bsdauth Dc module -.It Pa /usr/libexec/radiusd/radiusd_radius Ta Do radius Dc module -.It Pa /usr/libexec/radiusd/radiusd_standard Ta Do standard Dc module -.El +.It Ic module Ar name Oo Ar path Oc Op Brq ... +Load a module. +Specify one of the predefined names for +.Ar name , +or specify +.Ar name +and +.Ar path . +When multiple modules of the same path are loaded with different names, +each module can have configurations respectively and work independently. +.Pp +The following module are predefined: .Bl -tag -width Ds .It Do bsdauth Dc module The .Dq bsdauth -module provides authentication from the local system's +module +provides authentication from the local system's .Xr authenticate 3 -interface, -known as -.Dq bsd auth . -It only supports PAP, password based authentication. +interface. +See +.Xr radiusd_bsdauth 8 . .It Do radius Dc module The .Dq radius module provides authentication from upstream RADIUS servers. +See +.Xr radiusd_radius 8 . .It Do standard Dc module The .Dq standard -module provides standard decorations for Access-Request messages or its -response messages. +module provides standard decorations for RADIUS messages. +See +.Xr radiusd_standard 8 . .El -.It Ic module set Ar module key value ... +.Pp +It is optionally followed by a block of options enclosed in curly brackets. +The following option can be used in the block: +.Bl -tag -width Ds +.It Ic set Ar key value ... Configure the module specific configurations by .Ar key and @@ -98,90 +104,18 @@ and for the module specified by .Ar module . Notice that -.Ar module , .Ar key , and .Ar value -must be quoted to be distinguished from the reserved word. -.Pp -The -.Dq bsdauth -module supports the following configuration key and value: -.Bl -tag -width Ds -offset indent -.It Ic restrict-group Ar group ... -Restrict login only if the user is a member of the specified groups. +must be quoted to be distinguished from the reserved word if needed. .El -.Pp -The -.Dq radius -module supports the following configuration key and value: -.Bl -tag -width Ds -offset indent -.It Ic server Ar address Ns Op : Ns Ar port -Specify the upstream server's address and port. -If -.Ar port -is omitted, 1812 is used. -This configuration can be specified multiple times. -.It Ic secret Ar secret -Specify the shared secret with the servers. -This configuration cannot be omitted. -.It Ic max-tries Ar number -Specify the maximum number of retransmissions for a server. -.Xr radiusd 8 -will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission -and subsequent retransmissions will occur every 8 seconds. -If the number of retransmissions per server reaches this value, -the current server is marked as -.Dq fail , -and the next server is used for subsequent requests. -The default value is 3. -.It Ic max-failovers Ar number -If a positive number is specified, -.Xr radiusd 8 -will failover to the next server -when the current server is marked -.Dq fail . -This key and value specifies the maximum number of failovers. -The default value is 0. -.It Ic request-timeout Ar sec -Specify the request timeout in seconds. -If this value is specified, -.Ar max-tries -and -.Ar max-failover -will not be used. -.El -.Pp -The -.Dq standard -module supports the following configuration key and value: -.Pp -.Bl -tag -width Ds -offset indent -compact -.It Ic strip-atmark-realm Ar true | false -Remove the realm part which starts with @ -.Pq atmark -from the User-Name attribute of the Access-Request. -.Pp -.It Ic strip-nt-domain Ar true | false -Remove NT domain which ends with \\ -.Pq backslash -from the User-Name attribute of the Access-Request. -.Pp -.It Cm remove-request-attribute Oo Ar vendor Oc Ar type -.It Cm remove-response-attribute Oo Ar vendor Oc Ar type -Remove all the specified attributes from request or response -messages of Access-Request. -Specify -.Ar type -of the attribute in a decimal number. -To specify a vendor attribute, -specify the Vendor-Id -in a decimal number for -.Ar vendor . -.El -.It Ic authenticate Ar username-pattern ... Brq ... +.It Ic authenticate Ar username-pattern ... Ic by Ar auth Oo Ic decorated-by \ +Ar deco ... Oc Specify an authentication configuration for the users specified by -.Ar username-pattern . +.Ar username-pattern. +The users matched by the pattern is authenticated by the module +specified by +.Ar auth . Use shell globbing rules for the pattern; multiple patterns can be specified by separating with space characters. When multiple @@ -191,28 +125,19 @@ lines are specified, the first setting whose .Ar username-pattern matches an authenticating user is used. -It is followed by a block of options enclosed in curly brackets: -.Bl -tag -width Ds -.It Ic authenticate-by Ar module -Specify the module name. -.It Ic decorate-by Ar module -Specify the module name. +.Pp +Optionally decoration modules can be specified by +.Ar deco . +The specified modules decorate the RADIUS messages in the configured order. .El -.El .Sh FILES -.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact +.Bl -tag -width "/etc/examples/radiusd.conf" -compact .It Pa /etc/radiusd.conf Default .Xr radiusd 8 configuration file. .It Pa /etc/examples/radiusd.conf Example configuration file. -.It Pa /usr/libexec/radiusd/radiusd_bsdauth -.Dq bsdauth -module executable. -.It Pa /usr/libexec/radiusd/radiusd_radius -.Dq radius -module executable. .El .Sh EXAMPLES .Bd -literal -offset indent @@ -220,31 +145,32 @@ listen on 0.0.0.0 listen on :: client 127.0.0.1/32 { - secret "secret" - msgauth-required no + secret "secret" + msgauth-required no } client 192.168.0.0/24 { - secret "secret" + secret "secret" } -module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth" -module set bsdauth restrict-group operator +module bsdauth { + set restrict-group operator +} -module load radius "/usr/libexec/radiusd/radiusd_radius" -module set radius secret "testing123" -module set radius server "127.0.0.1" +module radius { + set secret "testing123" + set server "127.0.0.1" +} -module load strip-realm "/usr/libexec/radiusd/radiusd_standard" -module set strip-realm strip-atmark-realm true - -authenticate *@local { - authenticate-by bsdauth - decorate-by strip-realm +module strip-realm "/usr/libexec/radiusd/radiusd_standard" { + set strip-atmark-realm true } -authenticate * { - authenticate-by radius -} + +authenticate *@local by bsdauth decorate-by strip-realm + +authenticate * by radius .Ed .Sh SEE ALSO -.Xr authenticate 3 , -.Xr radiusd 8 +.Xr radiusd 8 , +.Xr radiusd_bsdauth 8 , +.Xr radiusd_radius 8 , +.Xr radiusd_standard 8 blob - f5e904d18c7b7250f6b312ff48ed2e0328abf7fc blob + 008f6f4a127200abedcb3494555b042656ca3db3 --- usr.sbin/radiusd/radiusd_bsdauth/Makefile +++ usr.sbin/radiusd/radiusd_bsdauth/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.2 2024/01/28 18:38:16 deraadt Exp $ +# $OpenBSD: Makefile,v 1.3 2024/07/02 00:00:12 yasuoka Exp $ PROG= radiusd_bsdauth BINDIR= /usr/libexec/radiusd SRCS= radiusd_bsdauth.c radiusd_module.c imsg_subr.c LDADD+= -lradius -lcrypto -lutil DPADD+= ${LIBRADIUS} ${LIBCRYPTO} ${LIBUTIL} -NOMAN= # +MAN= radiusd_bsdauth.8 .include blob - /dev/null blob + 219eee0ea41cf3987a88dbc776414a9b9d75f5a3 (mode 644) --- /dev/null +++ usr.sbin/radiusd/radiusd_bsdauth.8 @@ -0,0 +1,61 @@ +.\" $OpenBSD: radiusd_bsdauth.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $ +.\" +.\" Copyright (c) 2014 Esdenera Networks GmbH +.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The following requests are required for all man pages. +.\" +.Dd $Mdocdate: July 2 2024 $ +.Dt RADIUSD_BSDAUTH 8 +.Os +.Sh NAME +.Nm radiusd_bsdauth +.Nd provide authentication by BSD authentication system +.Sh SYNOPSIS +.Nm radiusd_bsdauth +.Sh DESCRIPTION +The +.Nm +utility is executed by +.Xr radiusd 8 +as a module to provide authentication from the local system's +.Xr authenticate 3 +interface, +known as +.Dq bsd auth . +It only supports PAP, password based authentication. +.Sh CONFIGURATIONS +The +.Nm +supports the following configuration key and value: +.Bl -tag -width Ds +.It Ic restrict-group Ar group ... +Restrict login only if the user is a member of the specified groups. +.El +.Sh FILES +.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact +.It Pa /usr/libexec/radiusd/radiusd_bsdauth +.Dq bsdauth +module executable. +.El +.Sh SEE ALSO +.Xr authenticate 3 , +.Xr radiusd 8 , +.Xr radiusd.conf 5 +.Sh HISTORY +The +.Nm +daemon first appeared in +.Ox 5.8 . blob - 41aaac34f767f40a1eb774da34285a4a5ddfb915 blob + cd6d9731e9598a77a327d0a3120d45563b7f04b7 --- usr.sbin/radiusd/radiusd_radius/Makefile +++ usr.sbin/radiusd/radiusd_radius/Makefile @@ -1,10 +1,10 @@ -# $OpenBSD: Makefile,v 1.2 2024/01/28 18:38:16 deraadt Exp $ +# $OpenBSD: Makefile,v 1.3 2024/07/02 00:00:12 yasuoka Exp $ PROG= radiusd_radius BINDIR= /usr/libexec/radiusd SRCS= radiusd_radius.c radiusd_module.c util.c imsg_subr.c log.c CFLAGS+= -DUSE_LIBEVENT LDADD+= -lradius -lcrypto -lutil -levent DPADD+= ${LIBRADIUS} ${LIBCRYPTO} ${LIBUTIL} ${LIBEVENT} -NOMAN= # +MAN= radiusd_radius.8 .include blob - 5dbea5e193b2edefcd3dd6df8db29fb91f4bb235 blob + d873dc2a86e823c4421f022fa3f60cbbd336b5c7 --- usr.sbin/radiusd/radiusd_standard/Makefile +++ usr.sbin/radiusd/radiusd_standard/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.1 2023/09/08 05:56:22 yasuoka Exp $ +# $OpenBSD: Makefile,v 1.2 2024/07/02 00:00:12 yasuoka Exp $ PROG= radiusd_standard BINDIR= /usr/libexec/radiusd SRCS= radiusd_standard.c radiusd_module.c LDADD= -lutil -lradius -lcrypto -NOMAN= # +MAN= radiusd_standard.8 .include blob - /dev/null blob + 2ab83faf17498cdcd34b707de4576014ae9531e9 (mode 644) --- /dev/null +++ usr.sbin/radiusd/radiusd_radius.8 @@ -0,0 +1,84 @@ +.\" $OpenBSD: radiusd_radius.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $ +.\" +.\" Copyright (c) 2014 Esdenera Networks GmbH +.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The following requests are required for all man pages. +.\" +.Dd $Mdocdate: July 2 2024 $ +.Dt RADIUSD_RADIUS 8 +.Os +.Sh NAME +.Nm radiusd_radius +.Nd provide authentication from upstream RADIUS servers +.Sh SYNOPSIS +.Nm radiusd_radius +.Sh DESCRIPTION +The +.Nm +utility is executed by +.Xr radiusd 8 +as a module to provide authentication from upstream RADIUS servers. +.Sh CONFIGURATIONS +The +.Nm +supports the following configuration key and value: +.Bl -tag -width Ds +.It Ic server Ar address Ns Op : Ns Ar port +Specify the upstream server's address and port. +If +.Ar port +is omitted, 1812 is used. +This configuration can be specified multiple times. +.It Ic secret Ar secret +Specify the shared secret with the servers. +This configuration cannot be omitted. +.It Ic max-tries Ar number +Specify the maximum number of retransmissions for a server. +.Xr radiusd 8 +will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission +and subsequent retransmissions will occur every 8 seconds. +If the number of retransmissions per server reaches this value, +the current server is marked as +.Dq fail , +and the next server is used for subsequent requests. +The default value is 3. +.It Ic max-failovers Ar number +If a positive number is specified, +.Xr radiusd 8 +will failover to the next server +when the current server is marked +.Dq fail . +This key and value specifies the maximum number of failovers. +The default value is 0. +.It Ic request-timeout Ar sec +Specify the request timeout in seconds. +If this value is specified, +.Ar max-tries +and +.Ar max-failover +will not be used. +.El +.Sh FILES +.Bl -tag -width "/usr/libexec/radiusd/radiusd_radius" -compact +.It Pa /usr/libexec/radiusd/radiusd_radius +.Dq radius +module executable. +.El +.Sh HISTORY +The +.Nm +daemon first appeared in +.Ox 5.8 . blob - /dev/null blob + a75c9da3e970a8eec6665f41a9f1a88d62cb4df7 (mode 644) --- /dev/null +++ usr.sbin/radiusd/radiusd_standard.8 @@ -0,0 +1,70 @@ +.\" $OpenBSD: radiusd_standard.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $ +.\" +.\" Copyright (c) 2014 Esdenera Networks GmbH +.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The following requests are required for all man pages. +.\" +.Dd $Mdocdate: July 2 2024 $ +.Dt RADIUSD_STANDARD 8 +.Os +.Sh NAME +.Nm radiusd_standard +.Nd provide standard decorations for RADIUS messages +.Sh SYNOPSIS +.Nm radiusd_standard +.Sh DESCRIPTION +The +.Nm +utility processes files ... +.Sh CONFIGURATIONS +The +.Nm +module supports the following configuration key and value: +.Pp +.Bl -tag -width Ds +.It Ic strip-atmark-realm Ar true | false +Remove the realm part which starts with @ +.Pq atmark +from the User-Name attribute of the Access-Request. +.Pp +.It Ic strip-nt-domain Ar true | false +Remove NT domain which ends with \\ +.Pq backslash +from the User-Name attribute of the Access-Request. +.Pp +.It Cm remove-request-attribute Oo Ar vendor Oc Ar type +.It Cm remove-response-attribute Oo Ar vendor Oc Ar type +Remove all the specified attributes from request or response +messages of Access-Request. +Specify +.Ar type +of the attribute in a decimal number. +To specify a vendor attribute, +specify the Vendor-Id +in a decimal number for +.Ar vendor . +.El +.Sh FILES +.Bl -tag -width "/usr/libexec/radiusd/radiusd_standard" -compact +.It Pa /usr/libexec/radiusd/radiusd_standard +.Dq standard +module executable. +.El +.Sh HISTORY +The +.Nm +daemon first appeared in +.Ox 5.8 .