#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
+#
+# There are a number of security practices which are critical in the
+# modern era.
+#
+# * don't use RADIUS/UDP or RADIUS/TCP over the Internet. Use RADIUS/TLS.
+#
+# * If you do send RADIUS over UDP or TCP, don't send MS-CHAPv2.
+# Anyone who can see the MS-CHAPv2 data can crack it in milliseconds.
+#
+# * use the "radsecret" program to generate secrets. It uses Perl (sorry).
+# Every time you run it, it will generate a new strong secret.
+#
+# * don't create shared secrets yourself. Anything you create is likely to
+# be in a "cracking" dictionary, and will allow a hobbyist attacker
+# to crack the shared secret in a few minutes.
+#
+# * Don't trust anyone who tells you to ignore the above recommendations.
+#
+
#
# Defines a RADIUS client.
#
SUBMAKEFILES := radclient.mk radiusd.mk radsniff.mk radmin.mk radattr.mk \
- radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk \
+ radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk radsecret.mk \
libfreeradius-server.mk unittest.mk
--- /dev/null
+#!/usr/bin/env perl
+#
+# A tool which generates strong shared secrets.
+#
+use MIME::Base32;
+use Crypt::URandom();
+print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n";
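Review bot: The `print` line runs without `use strict;` and `use warnings;`, and the header comment does not say what "strong" means, so a reader cannot check the claim; add `use strict;` and `use warnings;` directly after the shebang and extend the header to `# Prints 12 bytes (96 bits) read from the OS CSPRNG via Crypt::URandom, base32-encoded (lowercase a-z2-7) and split into 4-character groups.` Both MIME::Base32 and Crypt::URandom are CPAN modules rather than core Perl, so on a host without them the tool dies with a bare "Can't locate ..." error at compile time; a `BEGIN { eval { require MIME::Base32; require Crypt::URandom; 1 } or die "radsecret needs the MIME::Base32 and Crypt::URandom modules\n" }` before the `use` lines would make the failure self-explanatory. The byte count 12 is hard-coded; if it stays that way, the comment above should state it so the entropy is visible without reading the one-liner.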
--- /dev/null
+install: $(R)/$(bindir)/radsecret
+
+$(R)/$(bindir)/radsecret: ${top_srcdir}/src/main/radsecret
+ @$(ECHO) INSTALL radsecret
+ $(Q)${PROGRAM_INSTALL} -c -m 755 $< $@
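Review bot: The `$(R)/$(bindir)/radsecret` rule has no prerequisite on its target directory, so a fresh `make install` into an empty `$(R)` only works if `${PROGRAM_INSTALL}` creates it (its definition is outside this diff); if the other `*.mk` files in the tree declare the directory as an order-only prerequisite, this rule should match them: `$(R)/$(bindir)/radsecret: ${top_srcdir}/src/main/radsecret | $(R)/$(bindir)`. The two recipe lines appear to begin with a single space in this rendering; if that is the actual file content rather than a display artefact, make rejects them with "missing separator" and they need a leading tab. A comment above the rule saying that the script is installed as-is with no build step and needs Perl with the MIME::Base32 and Crypt::URandom modules on the target host would save the next maintainer a trip to the script.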