vzakharchenko / keycloak-radius-plugin
Make the radius server as part of keycloak SSO
License: Apache License 2.0
Hi.
Log4J 2.14.1 that is referenced in this project is vulnerable to CVE-2021-44228 (aka Log4Shell), about which there has been a lot of noise over the last few days. It should be updated to 2.15.0, which addresses the issue. Although it doesn't look like there are any log statements that would be vulnerable, I'd definitely feel better knowing this particular exploit is nowhere near our Keycloak deployment! In fact, I'm not sure it's even used at all, so maybe it can just be removed?
Thanks,
Nick
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json
Path to vulnerable library: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/extract-zip/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json
Path to vulnerable library: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: f7ee59020335252a60fd2f3028cbebba9cd37586
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.2
Step up your Open Source Security Game with WhiteSource here
Describe the bug
The radius server started using docker keeps restarting.
To Reproduce
Steps to reproduce the behavior:
https://github.com/vzakharchenko/keycloak-radius-plugin/blob/master/docker/README.md
~/keycloak-radius
⇡6% ➜ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f528760367f9 vassio/keycloak-radius-plugin "/opt/radius/scripts…" 12 seconds ago Restarting (0) 1 second ago keycloak-radius-plugin
~/keycloak-radius
⇡6% ➜ docker logs f528
{"sharedSecret":"secret","authPort":1812,"accountPort":1813,"useUdpRadius":true,"externalDictionary":"""","radsec":{"privateKey":"/config/private.key","certificate":"/config/public.crt","useRadSec":false},"coa":{"port":3799,"useCoA":false}}
mkdir: created directory '/opt/keycloak/config/'
Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest
Usage:
kc.sh [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.sh") to execute from the current folder.
Options:
-cf, --config-file <file>
Set the path to a configuration file. By default, configuration properties are
read from the "keycloak.conf" file in the "conf" directory.
-h, --help This help message.
-v, --verbose Print out error details when running this command.
-V, --version Show version information
Commands:
build Creates a new and optimized server image.
start Start the server.
start-dev Start the server in development mode.
export Export data from realms to a file or directory.
import Import data from a directory or a file.
show-config Print out the current configuration.
tools Utilities for use and interaction with the server.
completion Generate bash/zsh completion script for kc.sh.
Examples:
Start the server in development mode for local development or testing:
$ kc.sh start-dev
Building an optimized server runtime:
$ kc.sh build <OPTIONS>
Start the server in production mode:
$ kc.sh start <OPTIONS>
Enable auto-completion to bash/zsh:
$ source <(kc.sh tools completion)
Please, take a look at the documentation for more details before deploying in
production.
Use "kc.sh start --help" for the available options when starting the server.
Use "kc.sh <command> --help" for more information about other commands.
{"sharedSecret":"secret","authPort":1812,"accountPort":1813,"useUdpRadius":true,"externalDictionary":"""","radsec":{"privateKey":"/config/private.key","certificate":"/config/public.crt","useRadSec":false},"coa":{"port":3799,"useCoA":false}}
Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest
Usage:
kc.sh [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.sh") to execute from the current folder.
Options:
-cf, --config-file <file>
Set the path to a configuration file. By default, configuration properties are
read from the "keycloak.conf" file in the "conf" directory.
-h, --help This help message.
-v, --verbose Print out error details when running this command.
-V, --version Show version information
Commands:
build Creates a new and optimized server image.
start Start the server.
start-dev Start the server in development mode.
export Export data from realms to a file or directory.
import Import data from a directory or a file.
show-config Print out the current configuration.
tools Utilities for use and interaction with the server.
completion Generate bash/zsh completion script for kc.sh.
Examples:
Start the server in development mode for local development or testing:
$ kc.sh start-dev
Building an optimized server runtime:
$ kc.sh build <OPTIONS>
Start the server in production mode:
$ kc.sh start <OPTIONS>
Enable auto-completion to bash/zsh:
$ source <(kc.sh tools completion)
Please, take a look at the documentation for more details before deploying in
production.
Use "kc.sh start --help" for the available options when starting the server.
Use "kc.sh <command> --help" for more information about other commands.
{"sharedSecret":"secret","authPort":1812,"accountPort":1813,"useUdpRadius":true,"externalDictionary":"""","radsec":{"privateKey":"/config/private.key","certificate":"/config/public.crt","useRadSec":false},"coa":{"port":3799,"useCoA":false}}
Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest
Usage:
kc.sh [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.sh") to execute from the current folder.
Options:
-cf, --config-file <file>
Set the path to a configuration file. By default, configuration properties are
read from the "keycloak.conf" file in the "conf" directory.
-h, --help This help message.
-v, --verbose Print out error details when running this command.
-V, --version Show version information
Commands:
build Creates a new and optimized server image.
start Start the server.
start-dev Start the server in development mode.
export Export data from realms to a file or directory.
import Import data from a directory or a file.
show-config Print out the current configuration.
tools Utilities for use and interaction with the server.
completion Generate bash/zsh completion script for kc.sh.
Examples:
Start the server in development mode for local development or testing:
$ kc.sh start-dev
Building an optimized server runtime:
$ kc.sh build <OPTIONS>
Start the server in production mode:
$ kc.sh start <OPTIONS>
Enable auto-completion to bash/zsh:
$ source <(kc.sh tools completion)
Please, take a look at the documentation for more details before deploying in
production.
Use "kc.sh start --help" for the available options when starting the server.
Use "kc.sh <command> --help" for more information about other commands.
Expected behavior
Should not restart
Additional context
Tried on PWD, the same issue.
JSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /Examples/RadiusServiceAccountJSExample/package.json
Path to vulnerable library: /Examples/RadiusServiceAccountJSExample/node_modules/jsonwebtoken/package.json
Dependency Hierarchy:
Found in base branch: master
Versions <=8.5.1 of the jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you'll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.
Publish Date: 2022-12-23
URL: CVE-2022-23539
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8cf7-32gw-wr33
Release Date: 2022-12-23
Fix Resolution: jsonwebtoken - 9.0.0
Step up your Open Source Security Game with Mend here
Describe the bug
Although log4j functionality is still unused, the log4j lookup is still in the image.
Deploying the latest (1.3.7-16.1.0) immediately lights up the scanners for vulnerable images (as .zip files get analyzed, only downloading and leaving the image is sufficient to flag a warning).
To Reproduce
Steps to reproduce the behavior:
- Download the image
- In case the .zip is not scanned, deploy the image
- Run a scan for jndi_lookup with problems.
Expected behavior
Non-sensitive image; why include unused tools? Lean images are to be preferred.
Screenshots
N/A
Desktop (please complete the following information):
N/A
Smartphone (please complete the following information):
N/A
Additional context
The log4j scanning is probably here to stay a while.
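Both this report and the earlier request to move off Log4J 2.14.1 (CVE-2021-44228) come down to one question: does org/apache/logging/log4j/core/lookup/JndiLookup.class ship anywhere in the image? The Python script below is an added example, not code from keycloak-radius-plugin or from the scanners mentioned above. It walks jars and zips, recurses into nested jars (fat jars, plugin bundles), and reports every path at which the class is present, so the same check that flags the distribution .zip can be run before the image is pushed. The archives it scans are constructed in memory so it runs offline: the name log4j-core-2.14.1.jar is taken from the issue text, but its contents are placeholder bytes, not a real jar. Point scan_path() at an unpacked image layer or a downloaded distribution .zip to run it against real artifacts.

```python
"""Scan archives (jar/zip, including nested jars) for the Log4j JNDI lookup class.

Added example, not code from keycloak-radius-plugin. The archives scanned in
__main__ are constructed in memory so the script runs offline; use scan_path()
on a real file or directory to check an image layer or a distribution zip.
"""
import io
import os
import zipfile

# The class whose presence makes log4j-core subject to CVE-2021-44228 lookups.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".zip", ".war", ".ear")


def scan_archive_bytes(data: bytes, label: str) -> list[str]:
    """Return every location (outer!inner!...) at which JndiLookup.class is present."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip container (or corrupt): nothing to inspect here.
        return findings
    with archive:
        for info in archive.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                findings.append(f"{label}!{info.filename}")
            elif info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                # Recurse into nested archives: fat jars, plugin bundles, zipped distributions.
                findings.extend(scan_archive_bytes(archive.read(info), f"{label}!{info.filename}"))
    return findings


def scan_path(path: str) -> list[str]:
    """Scan one archive file, or every archive found under a directory tree."""
    findings = []
    if os.path.isdir(path):
        for root, _dirs, files in os.walk(path):
            for name in files:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    full = os.path.join(root, name)
                    with open(full, "rb") as handle:
                        findings.extend(scan_archive_bytes(handle.read(), full))
    else:
        with open(path, "rb") as handle:
            findings.extend(scan_archive_bytes(handle.read(), path))
    return findings


def _fake_log4j_core_jar(include_jndi_lookup: bool) -> bytes:
    """Constructed placeholder jar: class entries hold magic bytes only, not real bytecode."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buffer.getvalue()


def build_sample_bundle() -> bytes:
    """Constructed distribution zip that nests a jar still carrying JndiLookup.class."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as bundle:
        bundle.writestr("README.txt", "constructed sample, not a real distribution")
        bundle.writestr("lib/log4j-core-2.14.1.jar", _fake_log4j_core_jar(True))
    return buffer.getvalue()


def build_clean_bundle() -> bytes:
    """Same layout after the class has been deleted from the jar (the zip -d mitigation)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as bundle:
        bundle.writestr("lib/log4j-core-2.14.1.jar", _fake_log4j_core_jar(False))
    return buffer.getvalue()


if __name__ == "__main__":
    for hit in scan_archive_bytes(build_sample_bundle(), "sample.zip"):
        print("FOUND:", hit)
    print("clean bundle findings:", scan_archive_bytes(build_clean_bundle(), "clean.zip"))
```

Matching on the exact class path rather than on the jar file name is deliberate: the jar may be renamed, shaded or repackaged, and a jar from which the class was deleted with zip -d keeps its original name but no longer contains the lookup.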
Describe the bug
After a successful login with one of my test users, the session won't show up, neither in the user sessions nor in the active sessions of the client.
The debug log of keycloak says:
[org.keycloak.events] (pool-17-thread-1) type=LOGIN, realmId=master, clientId=radius, userId=c197ec91-8f1a-44ba-b8d2-68fc1f8ada87, ipAddress=172.28.0.1, RADIUS='success Login to RADIUS for user admin', RADIUS_HOST=172.28.0.1
To Reproduce
Steps to reproduce the behavior:
Expected behavior
sessions for user listed / active session counter > 0
Additional context
Keycloak is deployed in docker on my local machine
Logins are tested via radtest/radclient provided by freeradius
Is your feature request related to a problem? Please describe.
I have multiple groups. For this, I only worry about "WiFi" and "VPN". In my domain, there are some accounts that shouldn't have access to any networking, some that should have WiFi but not VPN, and some that have both.
Describe the solution you'd like
I would like to have groups like so:
| User's Group Membership | Effect |
|---|---|
| None | REJECT all requests (optionally excluding requests missing the Connect-Info attribute) |
| WiFi | REJECT all except Connect-Info == "WiFi" |
| VPN | REJECT all except Connect-Info == "VPN" |
| WiFi, VPN | REJECT all except Connect-Info == "WiFi" or "VPN" |
Describe alternatives you've considered
I have tried every combination of REJECT_RADIUS, REJECT_Connect-Info, and ACCEPT_Connect-Info that I can think of, but I cannot get this behavior working. I cannot seem to handle the case of users who have no membership (users who do not have access to anything).
I probably missed something, but it seems the Keycloak-Radius-Server automatically sends out an attribute "Acct-Interim-Interval=60" which almost all of our devices either accept or ignore, but one device type rejects authentication if it is sent. Question: is there an easy way to prevent sending this attribute?
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
(org.keycloak:keycloak-model-infinispan, org.keycloak:keycloak-authz-client, org.keycloak:keycloak-servlet-filter-adapter, org.keycloak:keycloak-model-jpa, org.keycloak:keycloak-authz-policy-common, org.keycloak:keycloak-server-spi, org.keycloak:keycloak-kerberos-federation)
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
(org.keycloak:keycloak-model-infinispan, org.keycloak:keycloak-authz-client, org.keycloak:keycloak-servlet-filter-adapter, org.keycloak:keycloak-model-jpa, org.keycloak:keycloak-authz-policy-common, org.keycloak:keycloak-server-spi, org.keycloak:keycloak-kerberos-federation)
These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.
.circleci/config.yml
circleci/openjdk 11.0.8-node
Examples/LdapOtpExample/docker-compose.yaml
osixia/openldap 1.5.0
docker/docker-compose-keycloak.yaml
quay.io/keycloak/keycloak 21.0.0
docker/Dockerfile
quay.io/keycloak/keycloak 21.0.0
docker/DockerfileMultiArch
maltegrosse/keycloak-multiarch 20.0.5
.github/workflows/docker-amd64.yml
actions/checkout v3
docker/setup-qemu-action v2
docker/setup-buildx-action v2
docker/login-action v2
docker/build-push-action v4
.github/workflows/maven.yml
actions/checkout v3
actions/setup-java v3
.github/workflows/node.js.yml
actions/checkout v3
actions/setup-node v3
.github/workflows/sonar-build.yml
actions/checkout v3
actions/setup-java v3
actions/cache v3
actions/cache v3
keycloak-plugins/chillispot-radius-plugin/pom.xml
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
keycloak-plugins/cisco-radius-plugin/pom.xml
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
keycloak-plugins/mikrotik-radius-plugin/pom.xml
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
keycloak-plugins/pom.xml
org.keycloak:keycloak-core 21.0.0
org.keycloak:keycloak-kerberos-federation 21.0.0
org.keycloak:keycloak-services 21.0.0
org.keycloak:keycloak-server-spi 21.0.0
org.keycloak:keycloak-authz-policy-common 21.0.0
org.keycloak:keycloak-server-spi-private 21.0.0
org.keycloak:keycloak-ldap-federation 21.0.0
org.keycloak:keycloak-model-jpa 21.0.0
org.jboss.logmanager:jboss-logmanager 2.1.19.Final
org.keycloak:keycloak-servlet-filter-adapter 21.0.0
org.keycloak:keycloak-authz-client 21.0.0
org.keycloak:keycloak-model-infinispan 21.0.0
org.freemarker:freemarker 2.3.32
org.slf4j:slf4j-simple 2.0.6
org.testng:testng 7.7.1
org.mockito:mockito-core 5.1.1
org.apache.commons:commons-lang3 3.12.0
org.apache.maven.plugins:maven-gpg-plugin 3.0.1
org.apache.maven.plugins:maven-shade-plugin 3.4.1
pl.project13.maven:git-commit-id-plugin 4.9.10
org.codehaus.mojo:properties-maven-plugin 1.1.0
org.apache.maven.plugins:maven-enforcer-plugin 3.2.1
org.apache.maven.plugins:maven-source-plugin 3.2.1
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
org.apache.maven.plugins:maven-pmd-plugin 3.20.0
com.fasterxml.jackson.core:jackson-databind 2.14.2
com.github.spotbugs:spotbugs-maven-plugin 4.7.3.2
com.h3xstream.findsecbugs:findsecbugs-plugin 1.12.0
com.mebigfatguy.sb-contrib:sb-contrib 7.4.7
com.github.spotbugs:spotbugs 4.7.3
org.apache.maven.plugins:maven-checkstyle-plugin 3.2.1
org.apache.maven.plugins:maven-compiler-plugin 3.11.0
org.codehaus.mojo:templating-maven-plugin 1.0.0
org.eluder.coveralls:coveralls-maven-plugin 4.3.0
javax.xml.bind:jaxb-api 2.3.1
org.jacoco:jacoco-maven-plugin 0.8.8
org.apache.maven.plugins:maven-release-plugin 3.0.0-M7
keycloak-plugins/proxy-radius-plugin/pom.xml
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
keycloak-plugins/rad-sec-plugin/pom.xml
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
keycloak-plugins/radius-disconnect-plugin/pom.xml
org.hibernate:hibernate-core 5.6.15.Final
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
keycloak-plugins/radius-plugin/pom.xml
com.github.vzakharchenko:tinyradius-netty 1.1.4.1
io.netty:netty-all 4.1.89.Final
com.github.stefanbirkner:system-lambda 1.2.1
org.bouncycastle:bcprov-jdk15on 1.70
org.apache.maven.plugins:maven-jar-plugin 3.3.0
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
keycloak-plugins/radius-theme/pom.xml
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
keycloak-quarkus/pom.xml
org.keycloak:keycloak-server-spi 21.0.0
org.apache.maven.plugins:maven-dependency-plugin 3.5.0
org.apache.maven.plugins:maven-antrun-plugin 3.1.0
org.apache.maven.plugins:maven-assembly-plugin 3.5.0
Examples/ConditionAccessRequestJSExample/package.json
body-parser *
express *
express-handlebars *
node-radius-client *
node-radius-utils *
path *
hbs *
Examples/LdapOtpExample/package.json
body-parser *
express *
express-handlebars *
node-radius-client *
node-radius-utils *
path *
hbs *
Examples/OTPPasswordJSExample/package.json
body-parser *
express *
express-handlebars *
node-radius-client *
node-radius-utils *
path *
hbs *
Examples/OneTimePasswordJSExample/package.json
body-parser *
express *
express-handlebars *
express-session *
keycloak-connect *
node-radius-client *
node-radius-utils *
path *
hbs *
Examples/RadiusAuthorizationJSExample/package.json
body-parser *
express *
express-handlebars *
hbs *
node-radius-client *
node-radius-utils *
path *
Examples/RadiusDefaultRealmJSExample/package.json
body-parser *
express *
express-handlebars *
node-radius-client *
node-radius-utils *
path *
hbs *
Examples/RadiusServiceAccountJSExample/package.json
body-parser *
express *
express-handlebars *
node-radius-client *
node-radius-utils *
path *
keycloak-connect *
express-session *
jsonwebtoken *
axios *
hbs *
Examples/WebAuthnJSExample/package.json
body-parser *
express *
express-handlebars *
express-session *
keycloak-connect *
node-radius-client *
node-radius-utils *
path *
hbs *
My settings are these:
° keycloak radius plugin installed on Quarkus (ubuntu 20.04.3) (external server)
running: /opt/keycloak-radius# bin/kc.sh start --hostname=mydomain.cloud --hostname-strict-backchannel=true --https-port=8443
° configured HTTPS TLS and hostname with external IP (no proxy).
° radius over TLS configured as radsec, ports 1812, 1813.
° configured "mikrotik-radius-plugin" only for mikrotik login
° user created for login test
My Mikrotik
° Routerboard RB750GR3 version 6.49.6 (stable)
° configured radius radsec, accounting AAA
The mistake:
When I go to log in via WinBox I get the following error in the Keycloak terminal.
[com.github.vzakharchenko.radius.radius.handlers.AuthHandler] (pool-3-thread-1) failed with message: java.lang.NullPointerException
2022-09-11 12:38:15,706 ERROR [com.github.vzakharchenko.radius.radius.handlers.AuthHandler] (pool-3-thread-2) failed with message: java.lang.NullPointerException
at org.keycloak.events.EventBuilder.(EventBuilder.java:55)
at com.github.vzakharchenko.radius.event.log.EventLoggerUtils.createEvent(EventLoggerUtils.java:32)
at com.github.vzakharchenko.radius.event.log.EventLoggerUtils.createMasterEvent(EventLoggerUtils.java:23)
at com.github.vzakharchenko.radius.radius.handlers.protocols.AbstractAuthProtocol.isValid(AbstractAuthProtocol.java:94)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.channelRead0(AuthHandler.java:108)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.lambda$channelReadRadius$0(AuthHandler.java:126)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:250)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.channelReadRadius(AuthHandler.java:124)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.directRead(AuthHandler.java:159)
at com.github.vzakharchenko.radsec.handlers.RadSecHandler.lambda$channelReadRadius$0(RadSecHandler.java:42)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:250)
at com.github.vzakharchenko.radsec.handlers.RadSecHandler.channelReadRadius(RadSecHandler.java:36)
at com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.lambda$channelRead0$0(AbstractThreadRequestHandler.java:18)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
STATUS RADIUS ROUTERBOARD
I don't know where I'm going wrong.
Describe the bug
I am trying to use MariaDB as the RDBMS, but I get the following error during startup of the services:
keycloak_1 | 11:58:42,655 FATAL [org.keycloak.services] (ServerService Thread Pool -- 66) Error during startup: java.lang.IllegalStateException: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('"' (code 34)): was expecting comma to separate Object entries
keycloak_1 | at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 105]
keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.configuration.FileRadiusConfiguration.getRadiusSettings(FileRadiusConfiguration.java:52)
keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.server.KeycloakRadiusServer.<init>(KeycloakRadiusServer.java:42)
keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.server.RadiusServerProviderFactory.createInstance(RadiusServerProviderFactory.java:20)
keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.providers.AbstractRadiusServerProviderFactory.create(AbstractRadiusServerProviderFactory.java:19)
keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.providers.AbstractRadiusServerProviderFactory.lambda$postInit$0(AbstractRadiusServerProviderFactory.java:41)
keycloak_1 | at [email protected]//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:239)
keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.providers.AbstractRadiusServerProviderFactory.postInit(AbstractRadiusServerProviderFactory.java:40)
keycloak_1 | at [email protected]//org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:129)
keycloak_1 | at [email protected]//org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:233)
keycloak_1 | at [email protected]//org.keycloak.services.resources.KeycloakApplication.startup(KeycloakApplication.java:124)
keycloak_1 | at [email protected]//org.keycloak.provider.wildfly.WildflyPlatform.onStartup(WildflyPlatform.java:36)
keycloak_1 | at [email protected]//org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:114)
keycloak_1 | at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
keycloak_1 | at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
keycloak_1 | at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
keycloak_1 | at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
keycloak_1 | at [email protected]//org.jboss.resteasy.core.ConstructorInjectorImpl.constructOutsideRequest(ConstructorInjectorImpl.java:225)
keycloak_1 | at [email protected]//org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:209)
keycloak_1 | at [email protected]//org.jboss.resteasy.core.providerfactory.Utils.createProviderInstance(Utils.java:102)
keycloak_1 | at [email protected]//org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl.createProviderInstance(ResteasyProviderFactoryImpl.java:1385)
keycloak_1 | at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.createApplication(ResteasyDeploymentImpl.java:418)
keycloak_1 | at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.initializeObjects(ResteasyDeploymentImpl.java:265)
keycloak_1 | at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.startInternal(ResteasyDeploymentImpl.java:137)
keycloak_1 | at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.start(ResteasyDeploymentImpl.java:121)
keycloak_1 | at [email protected]//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:144)
keycloak_1 | at [email protected]//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:42)
keycloak_1 | at [email protected]//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
keycloak_1 | at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.RunAsLifecycleInterceptor.doIt(RunAsLifecycleInterceptor.java:70)
keycloak_1 | at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:76)
keycloak_1 | at [email protected]//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
keycloak_1 | at [email protected]//io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:309)
keycloak_1 | at [email protected]//io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:145)
keycloak_1 | at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:588)
keycloak_1 | at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
keycloak_1 | at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
keycloak_1 | at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
keycloak_1 | at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:601)
keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:106)
keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:87)
keycloak_1 | at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
keycloak_1 | at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
keycloak_1 | at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
keycloak_1 | at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
keycloak_1 | at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
keycloak_1 | at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
keycloak_1 | at java.base/java.lang.Thread.run(Thread.java:829)
keycloak_1 | at [email protected]//org.jboss.threads.JBossThread.run(JBossThread.java:513)
keycloak_1 | Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('"' (code 34)): was expecting comma to separate Object entries
keycloak_1 | at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 105]
keycloak_1 | at [email protected]//com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2337)
keycloak_1 | at [email protected]//com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:710)
keycloak_1 | at [email protected]//com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:635)
keycloak_1 | at [email protected]//com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextFieldName(UTF8StreamJsonParser.java:1024)
keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:331)
keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:187)
keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322)
keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4593)
keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3585)
keycloak_1 | at [email protected]//org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:94)
keycloak_1 | at [email protected]//org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:79)
keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.configuration.FileRadiusConfiguration.getRadiusSettings(FileRadiusConfiguration.java:49)
keycloak_1 | ... 50 more
keycloak_1 |
keycloak_1 | 11:58:42,664 INFO [org.jboss.as.server] (Thread-1) WFLYSRV0220: Server shutdown has been requested via an OS signal
To Reproduce
```yaml
version: '3.7'
services:
  db:
    image: mariadb:10.5.3
    ports:
      - "3306:3306"
    volumes:
      - ./mysql:/var/lib/mysql
    environment:
      - MARIADB_ROOT_PASSWORD=root
      - MYSQL_ROOT_PASSWORD=root
  keycloak:
    image: jboss/keycloak:latest
    depends_on:
      - db
    ports:
      - "8090:8080" # UI
      - "8190:8190" # DEBUG
      - "1812:1812/udp" # RADIUS
      - "1813:1813/udp" # RADIUS
    environment:
      - KEYCLOAK_IMPORT="/config/realm-example.json"
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - DB_VENDOR=mariadb
      - DB_PORT=3306
      - DB_ADDR=db
      - DB_DATABASE=keycloak
      - DB_USER=root
      - DB_PASSWORD=root
      - RADIUS_SHARED_SECRET="secret"
      - RADIUS_UDP=true
      - RADIUS_UDP_AUTH_PORT=1812
      - RADIUS_UDP_ACCOUNT_PORT=1813
      - RADIUS_RADSEC=false
      - RADIUS_RADSEC_PRIVATEKEY="/config/private.key"
      - RADIUS_RADSEC_CERTIFICATE="/config/public.crt"
      - RADIUS_DICTIONARY=""
      - RADIUS_COA=false
      - RADIUS_COA_PORT="3799"
      - keycloak.profile.feature.upload_scripts="enabled"
    volumes:
      - ../cli:/opt/radius/cli
      - ./scripts:/opt/radius/scripts
      - ./config:/config
    entrypoint: /opt/radius/scripts/docker-entrypoint.sh
```
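The config line printed by the restarting container in the earlier Docker issue carries an externalDictionary value of four quote characters ("externalDictionary":""""), which is not valid JSON, and the Jackson error quoted above (an unexpected '"' where a comma was expected, at column 105) is consistent with that same string; the compose file above sets RADIUS_DICTIONARY="" in list form, where the quotes are passed through as part of the value. The Python below is an added example, not the plugin's docker-entrypoint.sh. It does two things a startup script can do to fail early and loudly: it parses the rendered config before the server is started and reports the column of the first error, and it renders the config from environment variables through json.dumps so that quoted, empty or otherwise odd values cannot produce invalid JSON. Key names follow the JSON printed in the logs above and variable names follow the compose file; the step that removes one pair of wrapping quotes is an assumption about how the values arrive, labelled in the code, and the environment it runs against is constructed.

```python
"""Validate, and safely render, the RADIUS plugin's JSON config.

Added example, not the plugin's docker-entrypoint.sh. BROKEN_CONFIG is the config
line printed in the Docker restart-loop logs above; the rest shows a pre-start check
that would have stopped the loop with a clear message, and a renderer that cannot
emit invalid JSON whatever the environment contains.
"""
import json

# Copied from the container log in the Docker restart issue above. The value of
# externalDictionary is four quote characters, which no JSON parser accepts.
BROKEN_CONFIG = (
    '{"sharedSecret":"secret","authPort":1812,"accountPort":1813,"useUdpRadius":true,'
    '"externalDictionary":"""","radsec":{"privateKey":"/config/private.key",'
    '"certificate":"/config/public.crt","useRadSec":false},"coa":{"port":3799,"useCoA":false}}'
)


def check_config(text):
    """Parse the rendered config; return (ok, message), with the 1-based error column on failure."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON at line {exc.lineno} column {exc.colno}: {exc.msg}"
    return True, "ok"


def load_config(text):
    """Parse a rendered config into a dict (raises on invalid JSON)."""
    return json.loads(text)


def strip_wrapping_quotes(value):
    """Assumption: quotes written around a value in a compose environment list item
    (- KEY="value") arrive as part of the value; remove exactly one matching pair."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def render_config(env):
    """Build the config as a Python object from environment variables, then serialize it.

    json.dumps escapes whatever the values contain, so the output always parses.
    Variable names follow the compose file above; key names follow the logged JSON.
    """
    def text(name, default):
        return strip_wrapping_quotes(env.get(name, default))

    def flag(name, default):
        return text(name, default).lower() == "true"

    def port(name, default):
        number = int(text(name, default))
        if not 1 <= number <= 65535:
            raise ValueError(f"{name}={number} is not a valid port")
        return number

    doc = {
        "sharedSecret": text("RADIUS_SHARED_SECRET", ""),
        "authPort": port("RADIUS_UDP_AUTH_PORT", "1812"),
        "accountPort": port("RADIUS_UDP_ACCOUNT_PORT", "1813"),
        "useUdpRadius": flag("RADIUS_UDP", "true"),
        "externalDictionary": text("RADIUS_DICTIONARY", ""),
        "radsec": {
            "privateKey": text("RADIUS_RADSEC_PRIVATEKEY", "/config/private.key"),
            "certificate": text("RADIUS_RADSEC_CERTIFICATE", "/config/public.crt"),
            "useRadSec": flag("RADIUS_RADSEC", "false"),
        },
        "coa": {
            "port": port("RADIUS_COA_PORT", "3799"),
            "useCoA": flag("RADIUS_COA", "false"),
        },
    }
    return json.dumps(doc, separators=(",", ":"))


# Constructed environment mirroring the compose file above, quotes included.
COMPOSE_STYLE_ENV = {
    "RADIUS_SHARED_SECRET": '"secret"',
    "RADIUS_UDP": "true",
    "RADIUS_UDP_AUTH_PORT": "1812",
    "RADIUS_UDP_ACCOUNT_PORT": "1813",
    "RADIUS_RADSEC": "false",
    "RADIUS_RADSEC_PRIVATEKEY": '"/config/private.key"',
    "RADIUS_RADSEC_CERTIFICATE": '"/config/public.crt"',
    "RADIUS_DICTIONARY": '""',
    "RADIUS_COA": "false",
    "RADIUS_COA_PORT": '"3799"',
}


if __name__ == "__main__":
    print("logged config:", check_config(BROKEN_CONFIG))
    rendered = render_config(COMPOSE_STYLE_ENV)
    print("rendered config:", check_config(rendered))
    print(rendered)
```

Python's decoder points at the third quote of the broken value (column 104 of that line); Jackson reports the same spot one column further along, so the two messages describe the same defect. Running check_config on the file the entrypoint writes, and exiting non-zero on failure, turns a silent restart loop into a single readable error.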
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.24.0.tgz
Path to dependency file: /Examples/WebAuthnJSExample/package.json
Path to vulnerable library: /Examples/WebAuthnJSExample/node_modules/axios/package.json,/Examples/RadiusServiceAccountJSExample/node_modules/chromedriver/node_modules/axios/package.json,/Examples/OneTimePasswordJSExample/node_modules/axios/package.json
Dependency Hierarchy:
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.
Publish Date: 2022-05-03
URL: CVE-2022-1214
Type: Upgrade version
Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
Release Date: 2022-05-03
Fix Resolution: axios - v0.26.0
When CoA requests are enabled and the server restarts, a CoA request is sent on a separate thread.
Each thread runs in its own thread pool.
2021-02-05 01:45:00,118 WARNING [io.netty.channel.DefaultChannelPipeline] (nioEventLoopGroup-2-16) An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.: java.lang.OutOfMemoryError: unable to create native thread: possibly out of memory or process/resource limits reached
at java.base/java.lang.Thread.start0(Native Method)
at java.base/java.lang.Thread.start(Thread.java:803)
at java.base/java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:937)
at java.base/java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1354)
at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.channelRead0(AbstractThreadRequestHandler.java:18)
at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.channelRead0(AbstractThreadRequestHandler.java:10)
at [email protected]//io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at [email protected]//io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
at [email protected]//io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at [email protected]//io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:271)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at [email protected]//io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1526)
at [email protected]//io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1275)
at [email protected]//io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1322)
at [email protected]//io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
at [email protected]//io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
at [email protected]//io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at [email protected]//io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at [email protected]//io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at [email protected]//io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at [email protected]//io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at [email protected]//io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at [email protected]//io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at [email protected]//io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at [email protected]//io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
CoA requests should be sent without their own thread pool; they must use the shared thread pool.
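The trace above is the characteristic symptom of allocating an executor per request: every pool keeps its worker threads alive, so the live thread count grows with the request count until the JVM can no longer create a native thread. As an added example, not the plugin's Netty code, the following Python script reproduces that shape with concurrent.futures: a handler that creates and retains a pool per CoA request, beside a handler that submits every request to one shared, bounded pool, with the number of extra live threads measured after a burst of requests. The handlers, the stand-in `handle_coa` function, the burst size and the pool size are all constructed for the example.

```python
import threading
from concurrent.futures import ThreadPoolExecutor, wait


def handle_coa(request_id: int) -> str:
    """Stand-in for sending one CoA request (constructed; does no network I/O)."""
    return f"CoA-Request {request_id} sent"


class PerRequestPoolHandler:
    """Anti-pattern: a new ThreadPoolExecutor for every request. Each pool starts
    its own worker thread, and because the pools are retained and never shut down,
    live threads grow linearly with the number of requests handled."""

    def __init__(self) -> None:
        self._pools = []  # retained executors, one per request

    def dispatch(self, request_id: int):
        pool = ThreadPoolExecutor(max_workers=1)
        self._pools.append(pool)
        return pool.submit(handle_coa, request_id)

    def shutdown(self) -> None:
        for pool in self._pools:
            pool.shutdown(wait=True)
        self._pools.clear()


class SharedPoolHandler:
    """Fix: every request goes through one bounded pool, so the number of worker
    threads is capped at max_workers no matter how many requests arrive."""

    def __init__(self, max_workers: int = 4) -> None:
        self._pool = ThreadPoolExecutor(max_workers=max_workers)

    def dispatch(self, request_id: int):
        return self._pool.submit(handle_coa, request_id)

    def shutdown(self) -> None:
        self._pool.shutdown(wait=True)


def threads_created_by(handler, requests: int) -> int:
    """Send `requests` CoA requests through `handler`, wait for all of them and
    return how many threads are alive beyond the baseline while the handler is
    still open (i.e. the threads the handler is holding on to)."""
    baseline = threading.active_count()
    futures = [handler.dispatch(i) for i in range(requests)]
    wait(futures)
    assert all(f.result().startswith("CoA-Request") for f in futures)
    extra = threading.active_count() - baseline
    handler.shutdown()
    return extra


if __name__ == "__main__":
    burst = 50
    print("per-request pools:", threads_created_by(PerRequestPoolHandler(), burst), "extra threads")
    print("shared pool:      ", threads_created_by(SharedPoolHandler(4), burst), "extra threads")
```

With a burst of 50 requests the per-request variant leaves 50 idle worker threads behind, which is exactly the growth that ends in "unable to create native thread" on a long-running server; the shared variant never exceeds its four workers.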
Describe the bug
I'm using v1.3.8 of the plugin with KC 16.1.0, and if I configure a user to have a RADIUS password and I try to authenticate as that user, I can specify any password and I get an Access-Accept. If I use CHAP or if I delete the RADIUS password (thus using the user's Keycloak password) I get the expected behavior (i.e., only the correct password results in an Access-Accept).
I've tried 19 and 1.4.8 of the plugin, but then I run into issue #698.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expect to get an Access-Reject.
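The check to run against a report like this is a PAP Access-Request with a deliberately wrong password, which must come back as Access-Reject. As an added example, not code from the plugin or from this issue, the following Python (standard library only) implements the RFC 2865 User-Password hiding that radtest's PAP mode uses (MD5 over the shared secret and the Request Authenticator, XORed into the password in 16-byte blocks), recovers the cleartext on the server side, and makes the Accept/Reject decision against a stored credential with a constant-time comparison. The shared secret, the user store and the Request Authenticator are constructed for the example; a real server would also validate the NAS address and Message-Authenticator before getting this far.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the plugin): a shared secret and a user store.
SHARED_SECRET = b"secret"
USER_STORE = {"brian": "xyzzy"}


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous block), where the 'previous block' for the
    first block is the 16-byte Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining uses the ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password: the key for block i depends on hidden block i-1."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def pap_decision(user_name: str, hidden: bytes, request_authenticator: bytes,
                 secret: bytes = SHARED_SECRET, store: dict = USER_STORE) -> str:
    """Server-side PAP check. 'Access-Accept' only when the revealed password equals the
    stored one; unknown user, wrong password, wrong shared secret and an undecodable
    attribute all produce 'Access-Reject'."""
    expected = store.get(user_name)
    if expected is None:
        return "Access-Reject"
    try:
        presented = reveal_password(hidden, secret, request_authenticator)
    except ValueError:
        return "Access-Reject"
    # Constant-time comparison so response timing does not leak matching prefixes.
    if hmac.compare_digest(presented, expected.encode()):
        return "Access-Accept"
    return "Access-Reject"


def demo(user: str, password: str) -> str:
    """Client side (what radtest does for PAP) followed by the server decision."""
    request_authenticator = os.urandom(16)
    hidden = hide_password(password.encode(), SHARED_SECRET, request_authenticator)
    return pap_decision(user, hidden, request_authenticator)


if __name__ == "__main__":
    print("brian/xyzzy  ->", demo("brian", "xyzzy"))
    print("brian/wrong  ->", demo("brian", "wrong"))
    print("nobody/xyzzy ->", demo("nobody", "xyzzy"))
```

The second line of the demo is the case the report describes: the only acceptable answer for a wrong PAP password is Access-Reject, and a server that answers Access-Accept there has skipped the comparison step entirely.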
Describe the bug
(Or this may be user error - can you enable "Discussions"?)
When I install keycloak-radius-plugin over Keycloak 17.0.0, I don't get the "Update RADIUS password" action under "Required User Actions"
To Reproduce
I installed Keycloak 17.0.0 from scratch already (it's in /opt/keycloak-17.0.0, with a symlink from /opt/keycloak), using the now-default Quarkus version.
I unzipped the relevant parts of keycloak-radius-plugin over it. Note that kc.sh build appears to be necessary to pick up the radius plugin.
unzip -d /opt/keycloak-17.0.0 -n keycloak-radius.zip 'config/**' 'providers/**' 'themes/**'
systemctl stop keycloak
/opt/keycloak/bin/kc.sh build --db=postgres --metrics-enabled=true
systemctl start keycloak
I was then able to add a client name "radius", protocol "radius-protocol", and it responds to RADIUS requests. It works if I do simple Access-Request and I set the Keycloak password on an account:
# radtest brian xyzzy 127.0.0.1 1 secret
Sent Access-Request Id 245 from 0.0.0.0:34311 to 127.0.0.1:1812 length 75
User-Name = "brian"
User-Password = "xyzzy"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
Message-Authenticator = 0x00
Cleartext-Password = "xyzzy"
Received Access-Accept Id 245 from 127.0.0.1:1812 to 127.0.0.1:34311 length 20
However, I'm having difficulty setting the separate RADIUS password.
I set the realm admin console theme to "radius". However when I go to the Users > (username) > Details page, I do not see any option for "Update RADIUS password"
I restarted keycloak just to be sure.
There is also no RADIUS option under "Users > (username) > Credentials > Credential Reset"
Expected behavior
The documentation shows a new option "Update Radius password" should be available:
Screenshots
Inline above
Additional context
My goal is to disallow users from setting a Keycloak password (using IDP links to login to Keycloak), and use the RADIUS password only for RADIUS authentication.
Warnings are generated by kc.sh build showing that the RADIUS modules are being picked up:
root@keycloak1:~# /opt/keycloak/bin/kc.sh build --db=postgres --metrics-enabled=true
Updating the configuration and installing your custom providers, if any. Please wait.
2022-03-02 16:34:31,816 WARN [org.keycloak.services] (build-42) KC-SERVICES0047: mikrotik-password (com.github.vzakharchenko.radius.password.RadiusCredentialProviderFactory) is implementing the internal SPI credential. This SPI is internal and may change without notice
2022-03-02 16:34:32,282 WARN [org.keycloak.services] (build-42) KC-SERVICES0047: radius (com.github.vzakharchenko.radius.dm.api.RadiusServiceImpl) is implementing the internal SPI realm-restapi-extension. This SPI is internal and may change without notice
2022-03-02 16:34:32,428 WARN [org.keycloak.services] (build-42) KC-SERVICES0047: radius-protocol (com.github.vzakharchenko.radius.client.RadiusLoginProtocolFactory) is implementing the internal SPI login-protocol. This SPI is internal and may change without notice
2022-03-02 16:34:32,760 WARN [org.keycloak.services] (build-42) KC-SERVICES0047: oidc-radius-password (com.github.vzakharchenko.radius.mappers.RadiusPasswordMapper) is implementing the internal SPI protocol-mapper. This SPI is internal and may change without notice
2022-03-02 16:34:32,806 WARN [org.keycloak.services] (build-42) KC-SERVICES0047: radius-disconnect-message-factory (com.github.vzakharchenko.radius.dm.jpa.RadiusLogoutJpaEntityProviderFactory) is implementing the internal SPI jpa-entity-provider. This SPI is internal and may change without notice
2022-03-02 16:34:34,554 WARN [org.keycloak.services] (build-42) KC-SERVICES0047: UPDATE_RADIUS_PASSWORD (com.github.vzakharchenko.radius.password.UpdateRadiusPassword) is implementing the internal SPI required-action. This SPI is internal and may change without notice
2022-03-02 16:34:57,866 INFO [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 37347ms
Server configuration updated and persisted. Run the following command to review the configuration:
kc.sh show-config
I am just wondering if this plugin could work with the latest version 17.0.0
Thx
There is a radius server, Radiusdesk, where I can configure profiles for connection restriction.
But it has its own database.
We want to use KeyCloak for SSO and this plugin for radius features.
Is it possible to configure radius server like in this post?
https://gremaudpi.emf-informatique.ch/how-to-build-a-captive-portal-with-radiusdesk-and-coova-chilli-on-raspberry-pi-running-openwrt/
Hi,
we have an Active Directory Environment and sync users via LDAP into keycloak. All users have an OTP enrolled and I have a radius client that is using PAP as protocol. I was not able to resolve the following issues:
Thanks
Tobias
Has anyone integrated this Radius implementation on Keycloak with SMS per this procedure?
https://www.n-k.de/2020/12/keycloak-2fa-sms-authentication.html
Note that my setup includes an AWS AD with MFA enabled. SMS messages aren't happening for AD login credentials. Local login to Keycloak does prompt SMS message.
Hello,
Thanks for integrating radius into keycloak.
I am trying to run radtest -t mschap testuser testuserpassword keycloak-radius-server 1812 secret, I do not get any response from the embedded radius server. However, when I run radtest testuser testuserpassword keycloak-radius-server 1812 secret, the radius server authenticates the testuser properly. The plugin that I have used is mikrotik since according to your description, it supports mschapv2.
Thanks for your help!
JSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /Examples/RadiusServiceAccountJSExample/package.json
Path to vulnerable library: /Examples/RadiusServiceAccountJSExample/node_modules/jsonwebtoken/package.json
Found in base branch: master
node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions <= 8.5.1 of the jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of jwt.verify() on a host that you control. This issue has been fixed, please update to version 9.0.0.
Publish Date: 2022-12-21
URL: CVE-2022-23529
Type: Upgrade version
Origin: GHSA-27h2-hvpr-p74q
Release Date: 2022-12-21
Fix Resolution: jsonwebtoken - 9.0.0
Describe the bug
Proxying to upstream radius server doesn't work
To Reproduce
Steps to reproduce the behavior:
docker run --rm --name my-radius -t -p 1812-1813:1812-1813/udp freeradius/freeradius-server -X
issue radtest bob test 127.0.0.1 0 testing123
and found the radius server received the login attempt and rejected it. It shows the radius server is working.
Running a keycloak radius plugin instance by
sh bin/kc.sh --debug 8190 start-dev --http-port=8090
as per the https://github.com/vzakharchenko/keycloak-radius-plugin/releases v1.4.2-17.0.0 steps
5. Configure the proxy as per the doc: https://github.com/vzakharchenko/keycloak-radius-plugin/tree/master/keycloak-plugins/proxy-radius-plugin
6. When logging into the keycloak instance, there is no log from the radius server, and the login succeeds without any issue
Expected behavior
A Handlebars view engine for Express which doesn't suck.
Library home page: https://registry.npmjs.org/express-handlebars/-/express-handlebars-5.3.2.tgz
Path to dependency file: keycloak-radius-plugin/Examples/OTPPasswordJSExample/package.json
Path to vulnerable library: keycloak-radius-plugin/Examples/OTPPasswordJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/ConditionAccessRequestJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/RadiusDefaultRealmJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/RadiusAuthorizationJSExample/node_modules/express-handlebars/package.json
Found in HEAD commit: f42eb0ebaedc72304029b423e82fc408cd7863b8
Found in base branch: master
Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e. file.extension) can be included; files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.
Publish Date: 2021-05-14
URL: CVE-2021-32820
Is your feature request related to a problem? Please describe.
I'm trying to integrate the RADIUS functionality with our UniFi setup. It works fine for VPN login, but for WPA2/3 Enterprise, our clients need EAP support. macOS and iOS only support EAP protocols (like PEAP).
Describe the solution you'd like
It would be great if this plugin would support at least LEAP, better would be PEAP.
Describe alternatives you've considered
There aren't many alternatives here. At least I couldn't think of any.
Additional context
None
I've set up this plugin in our Keycloak instance, but I can't figure out which Authentication Flow is being used.
Background is, that our users are required to have an OTP setup, but the OTP is only necessary for certain flows (mainly the Browser flow). Other flows still allow usage of the OTP but do not require it, since logins with these flows are restricted to certain clients and users.
With this radius plugin, I'm able to log in using the password plus OTP, but am not able to log in using only the password.
Is there a way to tell this plugin to use a separate authentication flow which only requires the password and optionally takes the OTP?
Describe the bug
I tried to add https://github.com/dasniko/keycloak-2fa-sms-authenticator (built with V 17.0.0 keycloak-quarkus) as provider to your build.
bin/kc.sh build
Updating the configuration and installing your custom providers, if any. Please wait.
2022-02-19 15:36:46,867 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: mikrotik-password (com.github.vzakharchenko.radius.password.RadiusCredentialProviderFactory) is implementing the internal SPI credential. This SPI is internal and may change without notice
2022-02-19 15:36:46,930 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: radius (com.github.vzakharchenko.radius.dm.api.RadiusServiceImpl) is implementing the internal SPI realm-restapi-extension. This SPI is internal and may change without notice
2022-02-19 15:36:46,976 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: radius-protocol (com.github.vzakharchenko.radius.client.RadiusLoginProtocolFactory) is implementing the internal SPI login-protocol. This SPI is internal and may change without notice
2022-02-19 15:36:47,043 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: oidc-radius-password (com.github.vzakharchenko.radius.mappers.RadiusPasswordMapper) is implementing the internal SPI protocol-mapper. This SPI is internal and may change without notice
2022-02-19 15:36:47,081 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: radius-disconnect-message-factory (com.github.vzakharchenko.radius.dm.jpa.RadiusLogoutJpaEntityProviderFactory) is implementing the internal SPI jpa-entity-provider. This SPI is internal and may change without notice
2022-02-19 15:36:47,199 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: sms-authenticator (dasniko.keycloak.authenticator.SmsAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice
ERROR: Failed to run 'build' command.
ERROR: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
[error]: Build step org.keycloak.quarkus.deployment.KeycloakProcessor#configureProviders threw an exception: java.util.ServiceConfigurationError: com.github.vzakharchenko.radius.providers.IRadiusAuthHandlerProviderFactory: Provider com.github.vzakharchenko.radius.radius.handlers.AuthHandler could not be instantiated
at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:582)
at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:804)
at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:722)
at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1395)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:94)
at org.keycloak.quarkus.deployment.KeycloakProcessor.loadFactories(KeycloakProcessor.java:456)
at org.keycloak.quarkus.deployment.KeycloakProcessor.configureProviders(KeycloakProcessor.java:254)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at io.quarkus.deployment.ExtensionLoader$2.execute(ExtensionLoader.java:882)
at io.quarkus.builder.BuildContext.run(BuildContext.java:277)
at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at java.base/java.lang.Thread.run(Thread.java:829)
at org.jboss.threads.JBossThread.run(JBossThread.java:501)
Caused by: java.lang.LinkageError: loader constraint violation: when resolving method 'org.slf4j.ILoggerFactory org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()' the class loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5 of the current class, org/slf4j/LoggerFactory, and the class loader java.net.URLClassLoader @35d019a3 for the method's defining class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type org/slf4j/ILoggerFactory used in the signature (org.slf4j.LoggerFactory is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5, parent loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @1f760b47; org.slf4j.impl.StaticLoggerBinder is in unnamed module of loader java.net.URLClassLoader @35d019a3, parent loader 'app')
at org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:423)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:362)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:388)
at org.tinyradius.server.handler.RequestHandler.(RequestHandler.java:11)
at com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.(AbstractThreadRequestHandler.java:10)
at com.github.vzakharchenko.radius.radius.handlers.AbstractHandler.(AbstractHandler.java:15)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.(AuthHandler.java:30)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:780)
... 17 more
ERROR: Build failure: Build failed due to errors
ERROR: com.github.vzakharchenko.radius.providers.IRadiusAuthHandlerProviderFactory: Provider com.github.vzakharchenko.radius.radius.handlers.AuthHandler could not be instantiated
ERROR: loader constraint violation: when resolving method 'org.slf4j.ILoggerFactory org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()' the class loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5 of the current class, org/slf4j/LoggerFactory, and the class loader java.net.URLClassLoader @35d019a3 for the method's defining class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type org/slf4j/ILoggerFactory used in the signature (org.slf4j.LoggerFactory is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5, parent loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @1f760b47; org.slf4j.impl.StaticLoggerBinder is in unnamed module of loader java.net.URLClassLoader @35d019a3, parent loader 'app')
For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
Working Configs:
sms:
bin/kc.sh show-config
Current Mode: none
Runtime Configuration:
kc.cache = ispn (PersistedConfigSource)
kc.config.args = show-config (SysPropConfigSource)
kc.db = mariadb (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-password = ******* (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-url = jdbc:mariadb://localhost/keycloak (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-url-host = localhost (KcEnvVarConfigSource)
kc.db-username = keycloak (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db.url.host = localhost (EnvConfigSource)
kc.home.dir = /opt/keycloak/keycloak-17.0.0/bin/../ (SysPropConfigSource)
kc.hostname = nfkeycloak-dev.itxworks.eu (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.http-enabled = false (PropertiesConfigSource[source=jar:file:///opt/keycloak/keycloak-17.0.0/lib/lib/main/org.keycloak.keycloak-quarkus-server-17.0.0.jar!/META-INF/keycloak.conf])
kc.http-relative-path = / (PersistedConfigSource)
kc.https-certificate-file = /opt/keycloak/current/conf/nfkeycloak.itxworks.eu.fullchain.pem (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.https-certificate-key-file = /opt/keycloak/current/conf/nfkeycloak.itxworks.eu.key.pem (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.metrics-enabled = true (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.provider.file.keycloak-2fa-sms-authenticator-1.0.1-SNAPSHOT.jar.last-modified = 1645296593132 (PersistedConfigSource)
kc.proxy = edge (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.quarkus-properties-enabled = false (PersistedConfigSource)
kc.show.config = none (SysPropConfigSource)
kc.spi-sticky-session-encoder-infinispan-should-attach-route = false (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.version = 17.0.0 (SysPropConfigSource)
Radius:
bin/kc.sh show-config
Current Mode: none
Runtime Configuration:
kc.cache = ispn (PersistedConfigSource)
kc.config.args = show-config (SysPropConfigSource)
kc.db = dev-file (PersistedConfigSource)
kc.db-url-host = localhost (KcEnvVarConfigSource)
kc.db.url.host = localhost (EnvConfigSource)
kc.home.dir = /opt/keycloak/keycloak-radius/bin/../ (SysPropConfigSource)
kc.http-enabled = false (PropertiesConfigSource[source=jar:file:///opt/keycloak/keycloak-radius/lib/lib/main/org.keycloak.keycloak-quarkus-server-17.0.0.jar!/META-INF/keycloak.conf])
kc.http-relative-path = / (PersistedConfigSource)
kc.metrics-enabled = false (PersistedConfigSource)
kc.provider.file.chillispot-radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.cisco-radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.mikrotik-radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.proxy-radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.rad-sec-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.radius-disconnect-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.quarkus-properties-enabled = false (PersistedConfigSource)
kc.show.config = none (SysPropConfigSource)
kc.version = 17.0.0 (SysPropConfigSource)
Would like to use both together ... appreciate your help...
Thank you.
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json
Path to vulnerable library: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/elliptic/package.json
Found in HEAD commit: ac339c95216ca41a1d00b041526faacaabae2626
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
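What "relied on a single canonical signature" means in practice is a verifier that accepts several different byte strings for the same (r, s) pair, or accepts both (r, s) and (r, n - s). As an added example, not code from elliptic or from this project, the following Python (standard library only) implements the strict check a consumer of ECDSA signatures can apply before verification: minimal DER with no redundant leading zero bytes, exact lengths with no trailing data, and a low-S rule. It does not verify the signature itself. The curve order (P-256 here) and the (r, s) values are constructed for illustration, and `lenient_parse` is a hypothetical permissive parser included only to show that both encodings decode to the same numbers.

```python
# secp256r1 (P-256) group order, used for the range and low-S rules; pass another
# curve's order to is_canonical_signature for other curves.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _der_len(b: bytes, i: int):
    """Parse a short-form DER length at b[i] (signatures are well under 128 bytes).
    Returns (length, index_after_length)."""
    if i >= len(b):
        raise ValueError("truncated")
    length = b[i]
    if length & 0x80:
        raise ValueError("long-form length not allowed for signatures")
    return length, i + 1


def _strict_int(b: bytes, i: int):
    """Parse a strict DER INTEGER at b[i]: tag 0x02, non-empty, non-negative and
    minimally encoded (a leading 0x00 is only allowed to keep the sign bit clear)."""
    if i >= len(b) or b[i] != 0x02:
        raise ValueError("expected INTEGER")
    n, i = _der_len(b, i + 1)
    body = b[i:i + n]
    if n == 0 or len(body) != n:
        raise ValueError("truncated or empty INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if n > 1 and body[0] == 0x00 and not (body[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding (redundant leading zero byte)")
    return int.from_bytes(body, "big"), i + n


def parse_strict_der_sig(sig: bytes):
    """Return (r, s) only if sig is the single canonical DER encoding of
    SEQUENCE { INTEGER r, INTEGER s } with nothing before or after it."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    n, i = _der_len(sig, 1)
    if i + n != len(sig):
        raise ValueError("SEQUENCE length does not match signature length")
    r, i = _strict_int(sig, i)
    s, i = _strict_int(sig, i)
    if i != len(sig):
        raise ValueError("trailing bytes inside SEQUENCE")
    return r, s


def is_canonical_signature(sig: bytes, order: int = P256_N) -> bool:
    """Strict DER, 0 < r < order, 0 < s < order, and low-S (s <= order // 2) so that
    the equally valid (r, order - s) is rejected."""
    try:
        r, s = parse_strict_der_sig(sig)
    except ValueError:
        return False
    if not (0 < r < order and 0 < s < order):
        return False
    return s <= order // 2


def encode_der_sig(r: int, s: int, pad_zero: bool = False) -> bytes:
    """DER-encode (r, s). pad_zero=True prepends a redundant 0x00 to r: the same
    numbers in different bytes, which is the encoding malleability at issue."""
    def enc(v: int, pad: bool) -> bytes:
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # minimal, sign bit clear
        if pad:
            body = b"\x00" + body
        return b"\x02" + bytes([len(body)]) + body
    content = enc(r, pad_zero) + enc(s, False)
    return b"\x30" + bytes([len(content)]) + content


def lenient_parse(sig: bytes):
    """Hypothetical permissive parser: ignores minimality, ranges and high-S."""
    i = 2
    r_len = sig[i + 1]
    r = int.from_bytes(sig[i + 2:i + 2 + r_len], "big")
    i += 2 + r_len
    s_len = sig[i + 1]
    s = int.from_bytes(sig[i + 2:i + 2 + s_len], "big")
    return r, s


if __name__ == "__main__":
    r, s = 2 ** 200 + 12345, 2 ** 100 + 6789  # constructed values, not a real signature
    for label, sig in (("canonical", encode_der_sig(r, s)),
                       ("padded r ", encode_der_sig(r, s, pad_zero=True)),
                       ("high-S   ", encode_der_sig(r, P256_N - s))):
        print(label, "lenient:", lenient_parse(sig) == (r, s), "strict:", is_canonical_signature(sig))
```

All three encodings are "the same signature" to the lenient parser, which is what lets an attacker produce a second valid blob without the private key; only the first survives the strict check. Applying the strict check before the curve arithmetic is the defence regardless of which ECDSA library sits underneath.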
I'm attempting to integrate AWS Directory Services with Keycloak radius server and I get the following. This results when using the AWS console to enable 2FA.
2022-05-11 16:45:24,683 WARN [org.keycloak.events] (pool-6-thread-3) type=LOGIN_ERROR, realmId=Radius, clientId=radius, userId=ba222699-c4a3-4765-88fc-b785bdbe2011, ipAddress=10.0.131.229, error=RADIUS ERROR, RADIUS='Login to RADIUS fail for user fakeusername, please check password and try again', RADIUS_HOST=10.0.131.229
2022-05-11 16:45:24,683 WARN [org.keycloak.events] (pool-6-thread-4) type=LOGIN_ERROR, realmId=Radius, clientId=radius, userId=ba222699-c4a3-4765-88fc-b785bdbe2011, ipAddress=10.0.87.184, error=RADIUS ERROR, RADIUS='Login to RADIUS fail for user fakeusername, please check password and try again', RADIUS_HOST=10.0.87.184
10.0.131.229 and 10.0.87.184 are two addresses associated with AWS Directory Services AD. I can log into the Keycloak console using the fake username and password just fine.
Anybody ever tried this?
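As an added example (not part of the plugin or of this report), the two event lines quoted above can be parsed and counted per RADIUS_HOST, which is what you would want when checking whether the failures come from every directory controller or only one. The parser assumes the Keycloak event format shown in the report (a timestamp, level, logger, thread and then comma-separated key=value pairs, with single-quoted values allowed to contain commas); the third log line is constructed and the plugin's own success events may carry different fields.

```javascript
// Added example, not code from keycloak-radius-plugin: parse Keycloak event
// log lines like the ones quoted in the report and count RADIUS LOGIN_ERROR
// events per RADIUS_HOST, so repeated failures from one NAS stand out.

// Constructed sample: the two lines from the report plus one constructed
// success line (field set of the plugin's real success events may differ).
const SAMPLE_LOG = [
  "2022-05-11 16:45:24,683 WARN [org.keycloak.events] (pool-6-thread-3) type=LOGIN_ERROR, realmId=Radius, clientId=radius, userId=ba222699-c4a3-4765-88fc-b785bdbe2011, ipAddress=10.0.131.229, error=RADIUS ERROR, RADIUS='Login to RADIUS fail for user fakeusername, please check password and try again', RADIUS_HOST=10.0.131.229",
  "2022-05-11 16:45:24,683 WARN [org.keycloak.events] (pool-6-thread-4) type=LOGIN_ERROR, realmId=Radius, clientId=radius, userId=ba222699-c4a3-4765-88fc-b785bdbe2011, ipAddress=10.0.87.184, error=RADIUS ERROR, RADIUS='Login to RADIUS fail for user fakeusername, please check password and try again', RADIUS_HOST=10.0.87.184",
  "2022-05-11 16:45:30,001 DEBUG [org.keycloak.events] (pool-6-thread-5) type=LOGIN, realmId=Radius, clientId=radius, userId=ba222699-c4a3-4765-88fc-b785bdbe2011, ipAddress=10.0.131.229",
].join("\n");

// Split "key=value, key='quoted, value', key=value" into an object.
// A single-quoted value may contain commas; an unquoted value runs to the
// next comma.
function parseDetails(details) {
  const fields = {};
  const re = /(\w+)=(?:'([^']*)'|([^,]*))(?:,\s*|$)/g;
  let m;
  while ((m = re.exec(details)) !== null) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// Parse one log line; returns null for lines that are not event records.
function parseEventLine(line) {
  const m = /^(\S+ \S+) (\w+) \[([^\]]+)\] \(([^)]+)\) (.*)$/.exec(line);
  if (!m) return null;
  return {
    timestamp: m[1],
    level: m[2],
    logger: m[3],
    thread: m[4],
    fields: parseDetails(m[5]),
  };
}

// Count LOGIN_ERROR events for the radius client, keyed by the NAS that
// sent the Access-Request (RADIUS_HOST, falling back to ipAddress).
function countRadiusLoginErrors(logText) {
  const counts = {};
  for (const line of logText.split("\n")) {
    const ev = parseEventLine(line);
    if (!ev || ev.logger !== "org.keycloak.events") continue;
    if (ev.fields.type !== "LOGIN_ERROR" || ev.fields.clientId !== "radius") continue;
    const host = ev.fields.RADIUS_HOST || ev.fields.ipAddress || "unknown";
    counts[host] = (counts[host] || 0) + 1;
  }
  return counts;
}

// Hosts whose failure count reaches a threshold, sorted for stable output.
function hostsAtOrAbove(counts, threshold) {
  return Object.keys(counts).filter((h) => counts[h] >= threshold).sort();
}

console.log(countRadiusLoginErrors(SAMPLE_LOG));
```

With the sample above both directory addresses show exactly one failure each, which is the pattern in the report: the same user id fails from both AD hosts rather than one host misbehaving.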
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.9.7.tgz
Path to dependency file: /Examples/WebAuthnJSExample/package.json
Path to vulnerable library: /Examples/WebAuthnJSExample/node_modules/qs/package.json,/Examples/OneTimePasswordJSExample/node_modules/qs/package.json,/Examples/LdapOtpExample/node_modules/qs/package.json,/Examples/ConditionAccessRequestJSExample/node_modules/qs/package.json,/Examples/OTPPasswordJSExample/node_modules/qs/package.json,/Examples/RadiusServiceAccountJSExample/node_modules/qs/package.json,/Examples/RadiusAuthorizationJSExample/node_modules/qs/package.json,/Examples/RadiusDefaultRealmJSExample/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 8c44b2a0c6ccaa9c54f09217700309204f8ac5f4
Found in base branch: master
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
Publish Date: 2022-03-17
URL: CVE-2021-44907
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44907
Release Date: 2022-03-17
Fix Resolution: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;cloudscribe.templates - 5.2.0;KnstAsyncApiUI - 1.0.2-pre;Romano.Vue - 1.0.1;Yarnpkg.Yarn - 0.26.1;VueJS.NetCore - 1.1.1;NativeScript.Sidekick.Standalone.Shell - 1.9.1-v2018050205;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.2;Fable.Template.Elmish.React - 0.1.6;Fable.Snowpack.Template - 2.1.0;Yarn.MSBuild - 0.22.0,0.24.6
Describe the bug
Hello. I faced an issue when the request doesn't contain a realm name. Please, see the log below.
Everything is OK when I send the realm name explicitly, but Unifi doesn't support setting a realm name.
To Reproduce
Use an example with a default realm name
Expected behavior
Get SUCCESS status
Desktop (please complete the following information):
Additional context
Logs:
15:21:01,456 ERROR [stderr] (pool-19-thread-1) Exception in thread "pool-19-thread-1" java.lang.NoClassDefFoundError: org/apache/commons/lang3/StringUtils
15:21:01,457 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.RadiusHelper.getRealmFromUserName(RadiusHelper.java:190)
15:21:01,457 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.RadiusHelper.getRealm(RadiusHelper.java:214)
15:21:01,458 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.protocols.AbstractAuthProtocol.isValid(AbstractAuthProtocol.java:90)
15:21:01,458 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AuthHandler.channelRead0(AuthHandler.java:102)
15:21:01,458 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AuthHandler.lambda$channelReadRadius$0(AuthHandler.java:120)
15:21:01,458 ERROR [stderr] (pool-19-thread-1) at [email protected]//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228)
15:21:01,458 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AuthHandler.channelReadRadius(AuthHandler.java:118)
15:21:01,458 ERROR [stderr] (pool-19-thread-1) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
15:21:01,459 ERROR [stderr] (pool-19-thread-1) Caused by: java.lang.ClassNotFoundException: org.apache.commons.lang3.StringUtils from [Module "keycloak.plugins.radius" from local module loader @13d9b21f (finder: local module finder @2826f61 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))]
I have two questions and need your help.
1. When I run the example program "Assign attributes dynamically using javascript policy", do I need to run "keycloak-radius-plugin" + "free radius", or just the "keycloak-radius-plugin"?
2. When I only run the "keycloak-radius-plugin" program and then run the example program "Assign attributes dynamically using javascript policy", I get the error: "Error: Timed out after 2500ms(1 retries)"
Thank you very much.
Is your feature request related to a problem? Please describe.
I am trying to use keycloak-radius-plugin for OTP token verification configured as a secondary RADIUS service with the Cisco AnyConnect VPN stuff. The primary RADIUS service is AD/Windows and performs all the usual authentication and authorization for VPN login.
Cisco just sends the username and OTP token to the secondary RADIUS service and prefers to use PAP. The switch to MSCHAPv2 comes with some other drawbacks and it does not seem to be possible to force the VPN to send password and OTP token to the secondary RADIUS service. Since the password is already checked, it also makes sense not to send it to other services without a need to do so.
I have not found any reference to why OTP-only mode is limited to CHAP/MSCHAPv2 and does not work with PAP. Only the code shows me that someone did a very good job by explicitly excluding PAP from the OTP configuration flag. This is so well done that there must be a very good reason for this, which I am very curious to know.
Describe the solution you'd like
A) Let PAP behave like CHAP/MSCHAPv2. This would be the most consistent.
Describe alternatives you've considered
B) Add an additional configuration flag for PAP or change the otp flag to a list of PAP, CHAP, MSCHAPv2 (true means CHAP, MSCHAPv2 for compatibility).
C) Discard the otp flag in the configuration, move it to the client configuration with the possibility to change the behavior for all or for PAP, CHAP, MSCHAPv2 separately.
(I'm not sure if this will work, since the client seems to provide at best a realm, but no client ID. Therefore a configuration in the realm would also be thinkable).
Additional context
I think I could create a PR for it (if it doesn't get too deep into Keycloak internals), but I'd like to know beforehand if this is a completely stupid idea, or which variant would be preferred.
And many thanks to @vzakharchenko for his great work on this plugin.
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json
Path to vulnerable library: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 95bc7f43a12af6f4636b8768a5ca53fe0cac6b1e
all versions before 6.5.2 of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
Base Score Metrics:
Hi Vasiliy,
I plan to use your software and was a bit down when I found out that you are from Ukraine.
But after your recent commits, I really hope you are doing well and am very overwhelmed that you are continuing to work under the circumstances of the Russian invasion.
I wanted to ask if it is possible to send you a donation for your hard work, maybe it can help you even in these hard times.
Thanks to Ukraine for fighting for democracy and against populism, fascism and oligarchy! The whole western world is in your debt.
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz
Path to dependency file: keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json
Path to vulnerable library: keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: 41e65dde1e03f0ffb3b2bf3a97cfbaecd6211e78
Found in base branch: master
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
Base Score Metrics:
Is your feature request related to a problem? Please describe.
A new keycloak has been issued
Describe the solution you'd like
Update your distribution of the combined kit?
Describe alternatives you've considered
N/A
Additional context
Are the delays caused by the situation in your country?
arm, arm64 and amd64 images would be helpful.
only amd64 images provided on docker hub.
upstream keycloak only supports amd64 and arm64 images, that's why I created multiarch keycloak releases, see:
https://github.com/maltegrosse/keycloak-multiarch
in order to switch to multiarch for the radius plugin, only minor changes to a github workflow/action need to be done, see:
https://github.com/maltegrosse/keycloak-radius-multiarch/blob/main/.github/workflows/container.yml#L24
Describe the bug
The plugin requires the config file to be: /config/radius.conf
instead of ${KEYCLOAK_PATH}/config/radius.conf
To Reproduce
Steps to reproduce the behavior:
Add plugins to existing keycloak and try to start ...
Expected behavior
Well that the file could be kept within the keycloak directory
Screenshots
NA
Desktop (please complete the following information):
Smartphone (please complete the following information):
Not relevant
Additional context
Add any other context about the problem here.
I have successfully created the radius as it is authenticating with the local username and password.
After connecting to Azure Active Directory I am able to log in to the application with the Azure username and password,
but when I try to authenticate my RADIUS client with the same username and password it is not working.
Hi, Vasiliy!
I assume there is a typo in --dependencies option of the "setup radius-disconnect plugin" command: keycloak-model-jpa -> org.keycloak.keycloak-model-jpa. Otherwise, it throws an exception (ModuleNotFoundException) at keycloak startup.
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.
I am following along and trying to build a Radius Client to support a MikroTik router. I create a realm for the Mikrotik devices. I then get to building the client. When I click "create" I get this error:
Cannot read properties of undefined (reading 'length')
(In the Webapp)
The keycloak binary was downloaded from github using wget: wget https://github.com/vzakharchenko/keycloak-radius-plugin/releases/download/v1.4.8-19.0.1/keycloak-radius.zip
The application is temporarily run from the command line using: bin/kc.sh start-dev
I have looked through the 16 issues and don't see anything related. My suspicion is that I am missing some command line argument.
Thank you!
Git repository issue.
[INFO] Reactor Summary for Keycloak Radius Server 1.4.4-SNAPSHOT:
[INFO]
[INFO] Keycloak Radius Server ............................. SUCCESS [ 3.930 s]
[INFO] Radius plugin ...................................... FAILURE [ 0.851 s]
[INFO] Mikrotik Radius plugin ............................. SKIPPED
[INFO] Cisco Radius plugin ................................ SKIPPED
[INFO] RadSec(Radius over TLS) plugin ..................... SKIPPED
[INFO] Radius Disconnect-Messages plugin .................. SKIPPED
[INFO] Proxy Radius plugin ................................ SKIPPED
[INFO] radius-theme ....................................... SKIPPED
[INFO] Chillispot Radius plugin ........................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.923 s
[INFO] Finished at: 2022-04-15T16:30:12Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal pl.project13.maven:git-commit-id-plugin:4.9.10:revision (validate-the-git-infos) on project radius-plugin: .git directory is not found! Please specify a valid [dotGitDirectory] in your pom.xml -> [Help 1]
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /Examples/OneTimePasswordJSExample/package.json
Path to vulnerable library: /Examples/OneTimePasswordJSExample/node_modules/minimist/package.json,/Examples/RadiusAuthorizationJSExample/node_modules/minimist/package.json,/Examples/ConditionAccessRequestJSExample/node_modules/minimist/package.json,/Examples/WebAuthnJSExample/node_modules/minimist/package.json,/Examples/OTPPasswordJSExample/node_modules/minimist/package.json,/Examples/LdapOtpExample/node_modules/minimist/package.json,/Examples/RadiusDefaultRealmJSExample/node_modules/minimist/package.json,/Examples/RadiusServiceAccountJSExample/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 8c44b2a0c6ccaa9c54f09217700309204f8ac5f4
Found in base branch: master
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906
Release Date: 2022-03-17
Fix Resolution: BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;cloudscribe.templates - 5.2.0;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Envisia.DotNet.Templates - 3.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 4.0.0,3.0.0-RC02;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;Fable.Snowpack.Template - 2.1.0;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.22.0,0.24.6;Blazor.TailwindCSS.BUnit - 1.0.2;Bridge.AWS - 0.3.30.36;tslint - 5.6.0;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
Is your feature request related to a problem? Please describe.
Keycloak-radius-plugin manages a separate RADIUS password, which is essential for CHAP/MSCHAPv2. It is a good idea anyway to allow RADIUS access without risk of exposing the primary Keycloak password. This would be especially useful for wifi, where the RADIUS password is stored on the client device and not suitable for TOTP or frequent updates. Also, users may misconfigure certificate validation which makes it easy to steal the password via a rogue access point.
However, there are a couple of practical problems at the moment:
Describe the solution you'd like
Part 1: add a button to the /account/ page where users can reset their RADIUS password. I think this is needed anyway.
Part 2: I would like to configure the RADIUS password to be set completely at random. This could occur by an administrator action as today (e.g. "Generate Radius Password"). It would be displayed to the user once, and when they click "OK" they'd never see it again.
A suitable strong password would be a sequence of 16 letters, as Google use for their app specific passwords (this has 75.2 bits of entropy), although you might want this to be configurable:
Describe alternatives you've considered
It would be possible to apply Keycloak password policies to RADIUS passwords. However, this still encourages people to try to pick "memorable" passwords instead of a proper strong one.
I also have a problem that I want to disable passwords entirely for Keycloak logins, forcing users to use IDP links instead: and at the moment the only way I can see to do this is to set an impossible password policy like regex .{400}. I don't want that to prevent setting a RADIUS password, so in that case I'd need a separate password policy for RADIUS.
Random passwords are inherently more secure than user-chosen passwords, and uncorrelated to the main Keycloak password (if any).
Additional context
n/a
I think this should be engine.engine(), otherwise it throws an error: TypeError: engine is not a function.
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /Examples/RadiusServiceAccountJSExample/package.json
Path to vulnerable library: /Examples/RadiusServiceAccountJSExample/node_modules/glob-parent/package.json,/Examples/WebAuthnJSExample/node_modules/glob-parent/package.json,/Examples/OneTimePasswordJSExample/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 7b55223b123b87ca05baee2f1273af7fdbffd30b
Found in base branch: master
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
Base Score Metrics:
Type: Upgrade version
Origin: gulpjs/glob-parent#49
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1