OpenBSD Journal

Security fix for radius authentication

Contributed by grey on from the catching up dept.

Thanks once again to Brad Smith for pointing out a new security fix. The description is as follows:

Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server. This could allow an attacker to spoof a reply granting access to the attacker. Note that OpenBSD does not ship with radius authentication enabled.

You can download the patches here for 3.5 and here for 3.4. As always, you can also find this information at

(Comments are closed)


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]