Today I needed to make one of my Django sites authenticate against the same usebase as one of my FreeRADIUS servers. Now, given that the RADIUS userbase is in PostgreSQL, this could have been done without touching RADIUS per se, however that would not have been nearly as interesting or elegant as making Django speak RADIUS. (And given the strange record format that FreeRADIUS uses, would have taken nearly as long to implement) After about half an hour of hacking on a Django custom Authentication Backend I now have a Django happily authenticating from my FreeRADIUS server with all the flexibility that implies (Being able to proxy requests to third parties, set time of day restrictions, use multiple clustered backends etc etc). Without further ado, here is the first cut:

from django.conf import settings
from django.contrib.auth.models import User
import pyrad.packet
from pyrad.client import Client
from pyrad.dictionary import Dictionary

class RadiusBackend:
    """
    Authenticate against a RADIUS Server.

    You must have a working RADIUS Server and Secret
    configured in settings.py. For example:

    RADIUS_SERVER = '127.0.0.1'
    RADIUS_SECRET = 'testing123'
    """
    def authenticate(self, username=None, password=None):

        srv=Client(server=settings.RADIUS_SERVER, 
                        secret=settings.RADIUS_SECRET,
                        dict=Dictionary("/usr/share/pyrad/dictionary"))

        req=srv.CreateAuthPacket(code=pyrad.packet.AccessRequest)
        req["User-Name"] = username
        req["User-Password"] = req.PwCrypt(password)
        req["NAS-Identifier"] = "django"

        reply=srv.SendPacket(req)
        if reply.code==pyrad.packet.AccessAccept:
            print "access accepted"
            try:
                user = User.objects.get(username=username)
            except User.DoesNotExist:
                # Create a new user. Note that we can set password
                # to anything, because it won't be checked; the password
                # configured on the RADIUS server will.
                user = User(username=username, password='Koh8oF7eiRou4xahxoob')
		#TODO: Use user.set_unusable_password() once
                # Django SVN > 5608 + openSUSE 10.3 bug is fixed
                user.is_staff = False
                user.is_superuser = False
                user.save()
            return user
        else:
            print "access denied"
            return None

    def get_user(self, user_id):
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None

Just copy and paste this code into myproj/radiusauth.py and then stick the following in settings.py:

AUTHENTICATION_BACKENDS = (
    'myproj.radiusauth.RadiusBackend',
    'django.contrib.auth.backends.ModelBackend',
)

This code makes use of Wiggy’s wonderfull Pyrad library, so you will need to have it installed also to make things work.

My morning mail traffic contained a very sobering post to one of the security mailing lists I follow regarding the security of industrial control systems. Choice quotes include:

The typical lifetime of an industrial control system is can be 10 to 15 years. Chew on that for a minute. What were YOU playing with 15 years ago?

And:

There is much to be afraid of. Cities depend on an infrastructure that runs all too well; utilities are so reliable that we forget about how integral they are to daily life. We’re nearly invisible until something breaks. Think of this the next time you flush your toilet. How long could a large city last without water? The only people who sleep well in my industry are those who do not understand the problem.

Makes you think…

As it turns out my new company requires a PPTP VPN connection to be able to check email from outside the LAN. While some might argue that you are better off not having access to work email from home, it is a necessary evil for most of us. While I personally think that an industry standard SSL encrypted IMAP connection is at least as secure as the broken PPTP protocol, there is something to be said for hiding Exchange Servers behind firewalls (Have that firewall be a Microsoft server itself, on the other hand is obviously a questionable gain in security).

Anyway, without more ado, here is the proceedure to painlessly (Without booting Windows) connect Linux to a MS PPTP Server:

Install the NetworkManager-pptp package (openSUSE users can find it at http://repos.opensuse.org/home:/hgraeber)

Restart NetworkManager (It may be easier to simply reboot)

Right Click on the NetworkManager icon in the GNOME/KDE sytem tray (next to the clock) and select “Options / Configure”

Select “VPN Connections / Add”

From the “Service” list select “ppp” (If you run KDE you will now see “You have the GNOME configuration applet installed and can use this to configure the VPN connection……” Press OK to run the GNOME configuration applet)

Select “Add

Select “Next / PPTP Tunnel / Next”

Give a “Connection Name”, Select type of “Windows VPN (PPTP)” and put in the hostname of your Windows VPN server

On the “Authentication” tab select “Refuse EAP” (Otherwise Windows rejects the connection attempt)

Optionally enable deflate and BSD compression modules from the “Compression and Encryption” tab

Click “Forward”, then “Apply”, then “Close”

You should now have a new selection with the name you selected for the VPN connection in NetworkManager’s “VPN COnnections submenu. Click on it and you should be able to connect to your VPN server (After entering a valid username and password)

Well, as many of you know, things with my company Suntel have been a bit unclear since my business partner went to work for our largest partner company (Vodafone). After many discussions, much soul searching, and several months of uncertainty (Including considering a move back to Australia) I am happy to say that I have started working with a great team of people at AirTies Wireless Networks as the “R&D Manager, VoIP Systems”.

AirTies is very strong in the ADSL and Wireless market in Turkey with several million deployed devices, but is really just getting started in the voice market (To be fair the voice market is just getting started in Turkey also). We have some existing combo VoIP Gateway / Router products, but we have significant work ahead of us to become a serious player in the VoIP industry.

Turk Telekom is currently in the process of un-bundling the local loop, and alternate operators should be able to assign and route local Turkish telephone numbers over IP by the end of the year, so it should be an exciting ride!