Opus One


RADIUS for OpenVMS

Description
Opus One has prepared a set of updates to the RADIUS 1.16 source code distributed by Livingston Enterprises to make RADIUS compatible with OpenVMS.

The OpenVMS RADIUS server uses the VMS SYSUAF (system authorization file) in addition to (or instead of) the standard ASCII RADIUS users file. This RADIUS server is generally compliant with RFC 2138 (RADIUS) and RFC 2139 (RADIUS accounting).

Author
RADIUS 1.16 is copyright Livingston Enterprises, and is freely available from them. The Opus One patches to RADIUS 1.16 were created by Opus One.

Availability and Status
Two versions of the RADIUS server for OpenVMS are available. The freeware version is a simple port of the Livingston code and is available via anonymous FTP. The porting notes for this version appear later in this file. If you get this version, you should go to the Livingston FTP site and get any documentation which is available on how to install and manage the code.

The licensed version is an extension of the freeware version with the following additional features:

  • Break-in detection and evasion; auditing
  • Support for both SYSUAF and RADIUS_USERS files
  • Support for predefined profiles (such as PPP user)
  • Support for VMS accounting records (not using "USER" type records!)
  • Support by Opus One

Contact Opus One for more information on licensing RADIUS for OpenVMS.

Notes
The following porting notes will be helpful to anyone trying to install the RADIUS server on OpenVMS:
  • Must use C v5 or higher; this will not compile with prior versions without hacking around all of the include files.
  • I've used logical names for all of the files. Look in radius.h as well as logicals.com.
  • Remember to add the RADIUS ports to your TCP/IP configuration; radiusd looks them up by name rather than number. If you're running Multinet, for example, look in hosts.local.
  • If VMS & SYSUAF are defined (which is the way any sane install should go), it will accept usernames of the form Xyyyyyyy, where X is a special character, either S, P, T, or C, indicating SLIP, PPP, Telnet, or CSLIP, and yyyyyyyy is the username from the SYSUAF. We don't care about case; tell your users whatever you please. Everything gets upcased on the way in (including the password).
  • If SYSUAF is not defined, then it will read from the users. file in the standard way (no changes to syntax). The one exception is that "UNIX" passwords are checked against the SYSUAF and not against some mystical crypt()ed file of passwords. I didn't put in special code for 'if-the-first-character-is-this' versus not installations. If you don't want to have the first character be ignored, then go into vms.c and find some code which looks like this:

       /* Initialize SYS$GETUAI itemlist */
       usrnam.dsc$a_pointer = &username[1];		/* Given this username*/
       usrnam.dsc$w_length  = strlen(username) - 1;
    

    and change the 1s to 0s. I suppose one could ifdef it or put it into conf.h or radius.h, but I just wanted to get this port up.

  • The makefile. works with VMS MMS; I have not tested it against GNU or other freeware make. Given the simplicity of the program, I don't see why it shouldn't work. Here it is:

    ! VMS-flavored Makefile for RADIUS
    !		Remote Authentication Dial In User Service
    !
    !
    ! Add -DNOSHADOW to CFLAGS if you don't have Shadow Passwords
    !
    ! aix:	add -Daix to CFLAGS
    ! SCO:	add LIBS= -lsocket
    ! Solaris:
    !	CFLAGS= -O -Dsys5
    !	CC=	gcc -traditional
    !	LIBS= -lnsl -lsocket
    ! unixware: add -Dunixware to CFLAGS, use LIBS= -lucb -lnsl -lsocket
    !
    CFLAGS=/prefix=all/define=(NOSHADOW=1,VMS_SYSUAF=1)
    !CFLAGS=/define=(NOSHADOW=1,VMS_SYSUAF=1)
    CC=cc
    INCLUDES=radius.h conf.h prototype.h
    !
    ! Since radpass is deprecated, it has been deleted from here.
    ! Similarly, dbm isn't supported, so that's not here either.
    !
    
    radiusd.exe : radiusd.obj dict.obj users.obj util.obj md5.obj -
    	attrprint.obj acct.obj version.obj vms.obj
    	link/notrace radiusd,dict,users,util,md5,attrprint,acct,-
    		vms,version $(ldflag)
    
    radiusd.obj : radiusd.c $(INCLUDES)
    	$(CC) $(CFLAGS) $(CDFLAG) radiusd.c
    
    acct.obj : acct.c $(INCLUDES)
    	$(CC) $(CFLAGS) $(CDFLAG) acct.c
    
    attrprint.obj : attrprint.c $(INCLUDES)
    	$(CC) $(CFLAGS) $(CDFLAG) attrprint.c
    
    dict.obj : dict.c $(INCLUDES)
    	$(CC) $(CFLAGS) $(CDFLAG) dict.c
    
    users.obj : users.c $(INCLUDES)
    	$(CC) $(CFLAGS) $(CDFLAG) users.c
    
    util.obj : util.c $(INCLUDES)
    	$(CC) $(CFLAGS) $(CDFLAG) util.c
    
    version.obj : version.c $(INCLUDES)
    	$(CC) $(CFLAGS) $(CDFLAG) version.c
    
    md5.obj : md5.c md5.h
    	$(CC) $(CFLAGS) $(CDFLAG) md5.c
    
    vms.obj : vms.c $(INCLUDES) lgidef.h
    	$(CC) $(CFLAGS) $(CDFLAG) vms.c
    

  • The dbm() routines weren't ported; use the SYSUAF, OK?
  • I didn't port radpass; however, I do have a POP password changer; you can give people Eudora and let them use that to change their password instead of having them use the deprecated radpass.
  • All of the forking routines were not worth implementing on VMS. Since any sane implementation will use an ISAM file like the SYSUAF, there's plenty of speed and no need to bother. Hey, run this on something designed after 1980, eh? (yes, that's a barb at Intel and Linux)
  • I tested this over Multinet, but since the include files are all VMS UCX ones rather than Multinet-specific, it should work on any TCP/IP which does UCX emulation. Since all we're doing is capturing UDP, this cannot be too stressful.
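
The username convention from the porting notes (a service letter S, P, T or C followed by the SYSUAF username, everything upcased), written out as an added C example that is not part of the Opus One or Livingston source. The names split_login_name, login_service and UAF_USERNAME_MAX (an assumed 12-character username limit) are hypothetical; the function rejects the empty and prefix-only inputs for which `strlen(username) - 1` in the vms.c fragment would wrap or come out as zero.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumption: OpenVMS usernames are at most 12 characters. */
#define UAF_USERNAME_MAX 12

enum login_service { SVC_INVALID = 0, SVC_SLIP, SVC_PPP, SVC_TELNET, SVC_CSLIP };

/* Map the leading character (case-insensitive) to a service type. */
static enum login_service service_from_prefix(char c)
{
    switch (toupper((unsigned char)c)) {
    case 'S': return SVC_SLIP;
    case 'P': return SVC_PPP;
    case 'T': return SVC_TELNET;
    case 'C': return SVC_CSLIP;
    default:  return SVC_INVALID;
    }
}

/*
 * Split "Xyyyyyyy" into a service type and an upcased SYSUAF username.
 * Returns SVC_INVALID (and leaves out empty) when the input is empty,
 * the prefix is unknown, nothing follows the prefix, or the username
 * is longer than UAF_USERNAME_MAX or the output buffer.
 */
enum login_service split_login_name(const char *in, char *out, size_t outsz)
{
    enum login_service svc;
    size_t len, i;

    if (out == NULL || outsz == 0)
        return SVC_INVALID;
    out[0] = '\0';
    if (in == NULL || in[0] == '\0')   /* strlen(in) - 1 would wrap here */
        return SVC_INVALID;

    svc = service_from_prefix(in[0]);
    len = strlen(in + 1);              /* length without the prefix */
    if (svc == SVC_INVALID || len == 0 || len > UAF_USERNAME_MAX || len >= outsz)
        return SVC_INVALID;

    for (i = 0; i < len; i++)
        out[i] = (char)toupper((unsigned char)in[i + 1]);
    out[len] = '\0';
    return svc;
}
```

Only after this check passes would the upcased name and its length be placed in the usrnam descriptor handed to SYS$GETUAI.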



© 1997 Opus One . Site by DesertNet Designs


1404 East Lind Road, Tucson, AZ 85719 . Phone: 520-324-0494 . Fax: 520-324-0495