Linux – Run FreeRADIUS on FIPS Enabled Redhat Server

fips-140-2freeradiuslinuxredhat

I'm attempting to install a FreeRADIUS server on a RHEL 6.9 VM. This VM is operating in FIPS mode. I'm running into the problem described in a Red Hat bug report found here.

According to that bug report from March of 2015 the RADIUS protocol requires MD5 support. FreeRADIUS (and RADIUS) can therefore not be supported in FIPS mode.

I'm hoping that in the 3 years that have transpired since that bug report there's been a fix or workaround that I can implement to get around this issue. Unfortunately, I'm restricted to running in FIPS mode per DISA STIG requirements. Is anyone aware of a way to get FreeRADIUS to work on a machine that's operating in FIPS mode?

Best Answer

It seems as though the FreeRADIUS packages being used are being built with the internal MD5 functions enabled, and as such, they're not reliant on OpenSSL's MD5 implementation. This means in this instance, FreeRADIUS will work with OpenSSL in FIPS mode.

For FreeRADIUS 4 (the next major version), I've implemented runtime checking to swap in internal functions if OpenSSL is in FIPS mode, and to use the OpenSSL functions if it is not in FIPS mode.

There are two reasons we want to use the OpenSSL functions over the internal ones when we can:

They've had much more public scrutiny. They've likely been proven correct at some point.
They take advantage of any hardware acceleration provided by the CPU or crypto acceleration cards.

As you've posted in the comments, certain other algorithms used by TLS may be unavailable. It should be possible to work around any disabled algorithms, by setting an explicit cipher list in the EAP module configuration and in the relevant RADSEC TLS section (TLS config parsing is common code).

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Cron – When Does cron.daily Run

For the distributions you mention:

On CentOS 5.4 (Should be same for RHEL5)

grep run-parts /etc/crontab

01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

So cron.daily runs at 04:02am.

Same on CentOS 4.8

Best Answer

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Cron – When Does cron.daily Run

Related Topic