[defect]: pam_radius_auth module doesn't work if ipv6 is disabled #4397
Comments
Hi @NorthFuture, could you perform the tests using the latest code from https://github.com/FreeRADIUS/pam_radius ? e.g.:
For Debian...
Or Redhat/Centos.
Because the latest HEAD code is working as well as can be seen here https://github.com/FreeRADIUS/pam_radius/runs/4609191777?check_suite_focus=true#step:19:58 e.g:
i.e: Please, everything related to |
@NorthFuture Have you had a chance to validate? Either way, it isn't an issue. Just use the latest 2.0.1 from the HEAD.
Hi, still having the issue with version 2. Mar 10 08:16:34 xxx sshd[411850]: pam_radius_auth: 2.0.1 (git #4215c490), built on Nov 2 2021 at 14:37:12 However, we managed to surpass this problem holding back on version 1.4 with bullseye. Luckily this package had no other dependencies. Let me know if you would like to investigate.
@NorthFuture please, copy and paste the content of your
Do you mean pam_radius_auth.conf?
@NorthFuture exactly
The content is just one line (changed names for privacy reasons): my_radius_server:31812 mysecret 20, where my_radius_server resolves to a private ip4 address 10.xx.yy.zz
That is the problem. If you take a look at https://github.com/FreeRADIUS/pam_radius/blob/master/pam_radius_auth.conf#L47 you will see that for IPv6 we have some special config set. In your case, please try:
Please try that and let me know what you see, even the logs.
I did that, and I tried to use my IPv4 IP address as well (between brackets) without luck. The error is still Probably it's due to some weird setup of our servers. I don't want to bother you with this issue that apparently we only encountered. We are fine to stay on 1.4 for now.
@NorthFuture No worries, we are trying to figure out if it is a real issue or not. So, the next try is to configure like: IPv4
IPv6
If possible, first do the test using only the IPv4 then remove/comment and try using IPv6 (not the DNS host entry)
This is telling This means that the module is using IPv6 addresses, but the system has IPv6 networking disabled. This most often happens when you use a DNS name for the RADIUS server address, but DNS returns IPv6. There's no way for the module to know that the OS has IPv6 disabled. It looks like the module always opens an IPv6 socket, so I'll poke it to catch
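The failure mode diagnosed in the comment above, as an added example that is not part of the thread and not pam_radius code: with IPv6 disabled, opening an AF_INET6 socket fails with EAFNOSUPPORT (the errno behind "Address family not supported by protocol"), and a client that treats only that errno as "family unavailable" can still authenticate over IPv4. All names (radius_socks, open_radius_sockets, socket_ipv6_fails) are hypothetical, and the IPv6-disabled host is simulated by a constructed stand-in for socket().

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
/* All names here are hypothetical; this is not pam_radius source code. */
typedef int (*socket_fn)(int domain, int type, int protocol);
struct radius_socks { int fd4, fd6; };      /* -1 means "family not in use" */

/* Constructed stand-in for socket(2) on a host where AF_INET6 fails. */
static int ipv6_errno = EAFNOSUPPORT;
static int socket_ipv6_fails(int domain, int type, int protocol)
{
    if (domain == AF_INET6) { errno = ipv6_errno; return -1; }
    return socket(domain, type, protocol);
}

static void close_radius_sockets(struct radius_socks *s)
{
    if (s->fd4 >= 0) close(s->fd4);
    if (s->fd6 >= 0) close(s->fd6);
    s->fd4 = s->fd6 = -1;
}

/* Open one UDP socket per address family. EAFNOSUPPORT means the OS has that
 * family disabled, so it is skipped; any other error is fatal, and so is
 * ending up with no socket at all. Returns 0 on success, -1 on failure. */
static int open_radius_sockets(struct radius_socks *s, socket_fn open_sock)
{
    const int family[2] = { AF_INET, AF_INET6 };
    int *slot[2] = { &s->fd4, &s->fd6 };
    s->fd4 = s->fd6 = -1;
    for (int i = 0; i < 2; i++) {
        *slot[i] = open_sock(family[i], SOCK_DGRAM, 0);
        if (*slot[i] < 0 && errno != EAFNOSUPPORT) {
            int saved = errno;              /* keep the real cause for the caller */
            close_radius_sockets(s);
            errno = saved;
            return -1;
        }
    }
    return (s->fd4 >= 0 || s->fd6 >= 0) ? 0 : -1;
}

int main(void)
{
    struct radius_socks s;
    int rc = open_radius_sockets(&s, socket_ipv6_fails);
    printf("rc=%d ipv4=%s ipv6=%s\n", rc, s.fd4 >= 0 ? "open" : "off", s.fd6 >= 0 ? "open" : "off");
    close_radius_sockets(&s);
    return rc ? 1 : 0;
}
```

Passing the real `socket` as the second argument runs the same logic against the host's actual address-family support.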
Does this bug still exist, it doesn't look like it's been addressed? The CISA secure config states that IPv6 is to be disabled unless it's in use. Using this module, it's impossible to disable IPv6. CIS-CAT keeps throwing an audit fail since it can't be disabled. This issue isn't filed under libpam_radius. I would be happy to create one.
I've pushed a change in FreeRADIUS/pam_radius@8d37353. You should now be able to do
What type of defect/bug is this?
Unexpected behaviour (obvious or verified by project member)
How can the issue be reproduced?
version: libpam-radius-auth 2.0.0-1
os version: debian 11.2
in /etc/pam_radius_auth.conf
configure an ipv4 host
have ipv6 disabled on your system
Log output from the FreeRADIUS daemon
if ipv6 is disabled we get this error pam_radius_auth: Failed to open RADIUS IPv6 socket: Address family not supported by protocol
Relevant log output from client utilities
No response
Backtrace from LLDB or GDB
No response