aboutsummaryrefslogtreecommitdiff
path: root/UPDATING
diff options
context:
space:
mode:
authorAlejandro Pulver <alepulver@FreeBSD.org>2006-11-07 02:51:44 +0000
committerAlejandro Pulver <alepulver@FreeBSD.org>2006-11-07 02:51:44 +0000
commite302ecc0362cec05456d0a42fa4d8338f30db684 (patch)
treecb612a89e0f1eb29ea9fd06ae1841e2ebb240df4 /UPDATING
parentb57347d8979a7e4a0caf32656769919c69ab2404 (diff)
downloadports-e302ecc0362cec05456d0a42fa4d8338f30db684.tar.gz
ports-e302ecc0362cec05456d0a42fa4d8338f30db684.zip
Notes
Diffstat (limited to 'UPDATING')
-rw-r--r--UPDATING40
1 files changed, 40 insertions, 0 deletions
diff --git a/UPDATING b/UPDATING
index 67cd26c0dd1b..ffa1f00d71ac 100644
--- a/UPDATING
+++ b/UPDATING
@@ -7,6 +7,46 @@ time you update your ports collection, before attempting any port
upgrades.
20061106
+ AFFECTS: Users of net/freeradius
+ AUTHOR: David Wood <david@wood2.org.uk>
+
+ FreeBSD used to patch FreeRADIUS's rlm_mschap.c to strip all domain names
+ when calculating the hash of an MS-CHAP challenge (a requirement specified
+ in RFC 2759 paragraph 4 and amplified in paragraph 8.2). FreeRADIUS now
+ offers its own solution to discard a domain name before hashing in the
+ MS-CHAP code, which can be enabled via a configuration option. As there is
+ no longer any need for the FreeBSD patch, it has been removed, leaving the
+ MS-CHAP code behaving as supplied by the FreeRADIUS team.
+
+ If the previous behaviour of the MS-CHAP code is required, add:
+
+ with_ntdomain_hack = yes
+
+ to the mschap { } section of your FreeRADIUS configuration. There should be
+ a commented out line that can be modified around line 696 of
+ ${PREFIX}/etc/raddb/radiusd.conf if your configuration is based on the
+ sample FreeRADIUS configuration.
+
+ This option is not set by default in the sample FreeRADIUS configuration.
+ Only those who have clients sending a domain name as part of the user name
+ when using MS-CHAP will be affected by this change; they will need to set
+ this option to allow FreeRADIUS to authenticate their clients successfully.
+ This may only affect those with older Windows clients, but I cannot be sure.
+
+ Some sources suggest setting this configuration option anyway to prevent
+ FreeRADIUS from breaching RFC 2759 inadvertently, leading to authentication
+ failure. It is left to the user whether to set this configuration option
+ anyway, or only to set it in the event of authentication failures stemming
+ from MS-CHAP.
+
+ Debug output from radiusd that reads "rlm_mschap: NT Domain delimeter found,
+ should we have enabled with_ntdomain_hack?" suggests that this configuration
+ option should be enabled.
+
+ New maintainer alerted to this issue by private mail from Thomas Vogt
+ <thomas@bsdunix.ch>.
+
+20061106
AFFECTS: users of syutils/munin-*
AUTHOR: miwi@FreeBSD.org