I have recently been testing FreeRADIUS 3.0.27 (the version that includes the fix for the BlastRADIUS vulnerability).
From the documentation (GitHub):
# Global configuration for requiring Message-Authenticator in
# all Access-* packets sent over UDP or TCP. This flag is
# ignored for TLS.
#
# The number one way to protect yourself from the BlastRADIUS
# attack is to update all RADIUS servers, and then set this
# flag to "yes". If all RADIUS servers are updated, and if
# all of them have this flag set to "yes" for all clients,
# then your network is safe. You can then upgrade the
# clients when it is convenient, instead of rushing the
# upgrades.
Following that recommendation, I tried setting
require_message_authenticator = yes
and sent an authentication request with radclient; it worked as expected.
[root@hostname ~]# cat auth.txt
User-Name = "testuser"
User-Password = 'XXXXXXX'
NAS-IP-Address = "xxx.xxx.xxx.xxx"
Message-Authenticator = 0x00
[root@hostname ~]# radclient -4 -xx xxx.xxx.xxx.xxx auth 'radiussecret' < auth.txt
Sent Access-Request Id 234 from 0.0.0.0:64365 to xxx.xxx.xxx.xxx:1812 length 78
User-Name = "testuser"
User-Password = "XXXXXXX"
NAS-IP-Address = xxx.xxx.xxx.xxx
Message-Authenticator = 0x00
Cleartext-Password = "XXXXXXX"
Received Access-Accept Id 234 from xxx.xxx.xxx.xxx:1812 to xxx.xxx.xxx.xxx:64365 length 119
Message-Authenticator = 0xae26df4b307a7fda19f6707a808f42d0
Reply-Message = "AAA provided by Radius"
However, when I try to authenticate without the Message-Authenticator attribute, I still get an Access-Accept.
[root@hostname ~]# cat auth.txt
User-Name = "testuser"
User-Password = 'XXXXXXX'
NAS-IP-Address = "xxx.xxx.xxx.xxx"
[root@hostname ~]# radclient -4 -xx xxx.xxx.xxx.xxx auth 'radiussecret' < auth.txt
Sent Access-Request Id 131 from 0.0.0.0:61581 to xxx.xxx.xxx.xxx:1812 length 78
User-Name = "testuser"
User-Password = "XXXXXXX"
NAS-IP-Address = xxx.xxx.xxx.xxx
Cleartext-Password = "XXXXXXX"
Received Access-Accept Id 131 from xxx.xxx.xxx.xxx:1812 to xxx.xxx.xxx.xxx:61581 length 119
Message-Authenticator = 0x9774e2e86df2dbc1c9149b564cad42a3
Reply-Message = "AAA provided by Radius"
According to the documentation, if require_message_authenticator = yes is set in the security block of the radiusd.conf file, an authentication packet received without Message-Authenticator should be dropped with an Access-Reject. In my case, however, I get an Access-Accept.
I also noticed another block on GitHub:
# WARNING: This switch is done for the first packet
# received from that client or home server. The change
# does NOT persist across server restarts. You MUST change
# the to "yes" manually, in order to make a permanent
# change to the configuration.
Based on this statement, I also restarted the RADIUS service between the two requests; the behaviour was still the same.
I need someone to clear up the confusion and point me in the right direction.
You are trying to debug the server by looking at the client output. That is not the right approach. All of the documentation says to run the server in debugging mode and then read the output.
In this case, radclient has added the BlastRADIUS mitigations, i.e. it always sends Message-Authenticator in Access-Request packets, even if the input file does not explicitly include Message-Authenticator.
Run the server in debugging mode and read the output. You will see that it is receiving Access-Requests that contain Message-Authenticator.
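As an added example (not code from the original post or from FreeRADIUS itself), here is a small Python check that mirrors what require_message_authenticator enforces on the server side: it parses an Access-Request, reports whether Message-Authenticator (attribute 80) is missing, present but wrong, or valid, and builds test packets with and without it so you can see the difference radclient is hiding. The packet builder, the attribute values and the shared secret are constructed for the demonstration, and User-Password encryption is left out.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# Attribute 80; its value is HMAC-MD5(secret, whole packet with this value zeroed).
MESSAGE_AUTHENTICATOR = 80


def parse_attributes(packet):
    """Yield (type, value, value_offset) for each TLV after the 20-byte RADIUS header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def check_message_authenticator(packet, secret):
    """Return 'missing', 'invalid' or 'valid' for the packet's Message-Authenticator."""
    for attr_type, value, offset in parse_attributes(packet):
        if attr_type != MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return "invalid"
        zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return "valid" if hmac.compare_digest(expected, value) else "invalid"
    return "missing"  # a server with require_message_authenticator = yes drops this


def build_access_request(secret, attrs, ident=0, with_message_authenticator=True):
    """Assemble an Access-Request from (type, value) pairs; optionally sign it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if with_message_authenticator:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zero placeholder
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
    if with_message_authenticator:
        # HMAC over the packet with the placeholder zeroed, then fill in the (last) 16 bytes.
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


SECRET = b"radiussecret"  # constructed; same value as on the radclient command line above
SIGNED = build_access_request(SECRET, [(1, b"testuser"), (4, bytes([10, 0, 0, 1]))], ident=234)
UNSIGNED = build_access_request(SECRET, [(1, b"testuser")], ident=131, with_message_authenticator=False)
```

Running the server in debug mode shows the same distinction: a request without attribute 80 is what the "missing" result corresponds to, and radclient never actually sends one.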