From: Alan T. DeKok Date: Thu, 7 Sep 2023 15:23:17 +0000 (-0400) Subject: add radsecret program X-Git-Tag: release_3_2_4~144 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16469bf33f1ea518e60e0e661a105f9bc0b00c35;p=thirdparty%2Ffreeradius-server.git add radsecret program and document it
---
diff --git a/debian/freeradius-utils.install b/debian/freeradius-utils.install
index ad99d21e7dd..b2f3e34120d 100644
--- a/debian/freeradius-utils.install
+++ b/debian/freeradius-utils.install
@@ -3,6 +3,7 @@ usr/bin/smbencrypt
 usr/bin/radclient
 usr/bin/radeapclient
 usr/bin/radwho
+usr/bin/radsecret
 usr/bin/radsniff
 usr/bin/radlast
 usr/bin/radtest
diff --git a/raddb/clients.conf b/raddb/clients.conf
index 60f9f4bf8a3..349efd65c77 100644
--- a/raddb/clients.conf
+++ b/raddb/clients.conf
@@ -8,6 +8,25 @@
 #
 # Define RADIUS clients (usually a NAS, Access Point, etc.).
+#
+# There are a number of security practices which are critical in the
+# modern era.
+#
+# * don't use RADIUS/UDP or RADIUS/TCP over the Internet. Use RADIUS/TLS.
+#
+# * If you do send RADIUS over UDP or TCP, don't send MS-CHAPv2.
+# Anyone who can see the MS-CHAPv2 data can crack it in milliseconds.
+#
+# * use the "radsecret" program to generate secrets. It uses Perl (sorry).
+# Every time you run it, it will generate a new strong secret.
+#
+# * don't create shared secrets yourself. Anything you create is likely to
+# be in a "cracking" dictionary, and will allow a hobbyist attacker
+# to crack the shared secret in a few minutes.
+#
+# * Don't trust anyone who tells you to ignore the above recommendations.
+#
 #
 # Defines a RADIUS client.
 #
diff --git a/redhat/freeradius.spec b/redhat/freeradius.spec
index deb41c5914d..68726458906 100644
--- a/redhat/freeradius.spec
+++ b/redhat/freeradius.spec
@@ -856,6 +856,7 @@ fi
 /usr/bin/radeapclient
 /usr/bin/radlast
 /usr/bin/radtest
+/usr/bin/radsecret
 /usr/bin/radsniff
 /usr/bin/radsqlrelay
 /usr/bin/raduat
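Review bot: The new "radsecret" bullet in the clients.conf comment tells administrators to run the tool but says nothing about what it produces, so they cannot tell in advance whether the value will fit their equipment; the script added in this commit (src/main/radsecret) takes 12 random bytes, base32-encodes and lower-cases them and joins 4-character groups with '-', i.e. 96 bits of entropy in about 24 characters including the dashes. Some NAS firmware caps the shared-secret length, so one extra line such as `#   radsecret prints a 96-bit random secret as roughly 24 characters (letters, digits and '-'); check your NAS accepts secrets of that length before configuring it.` lets a reader catch a mismatch before the device truncates or rejects the value. The bullet could also say that the same generated value must be entered on both the server and the NAS, which is implicit but worth one clause for newcomers.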
diff --git a/src/main/all.mk b/src/main/all.mk
index 2517cd215ac..f3db386a2ad 100644
--- a/src/main/all.mk
+++ b/src/main/all.mk
@@ -1,3 +1,3 @@
 SUBMAKEFILES := radclient.mk radiusd.mk radsniff.mk radmin.mk radattr.mk \
- radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk \
+ radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk radsecret.mk \
 libfreeradius-server.mk unittest.mk
diff --git a/src/main/radsecret b/src/main/radsecret
new file mode 100755
index 00000000000..b53620b9f39
--- /dev/null
+++ b/src/main/radsecret
@@ -0,0 +1,7 @@
+#!/usr/bin/env perl
+#
+# A tool which generates strong shared secrets.
+#
+use MIME::Base32;
+use Crypt::URandom();
+print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n";
diff --git a/src/main/radsecret.mk b/src/main/radsecret.mk
new file mode 100644
index 00000000000..c5f43b4109d
--- /dev/null
+++ b/src/main/radsecret.mk
@@ -0,0 +1,5 @@
+install: $(R)/$(bindir)/radsecret
+
+$(R)/$(bindir)/radsecret: ${top_srcdir}/src/main/radsecret
+ @$(ECHO) INSTALL radsecret
+ $(Q)${PROGRAM_INSTALL} -c -m 755 $< $@
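Review bot: Both modules the new script loads, MIME::Base32 and Crypt::URandom, are CPAN modules rather than part of core Perl, yet the packaging hunks in this commit (debian/freeradius-utils.install and redhat/freeradius.spec) only add the installed path and declare no runtime dependency on them, so a user who follows the new clients.conf advice on a stock install gets a compile-time "Can't locate MIME/Base32.pm" failure instead of a secret. Either add the distributions' Perl module packages as dependencies of the utils package, or have the script test for the modules and print a clearer message when one is missing. The script also runs without `use strict; use warnings;`, the conventional first lines after the shebang for a shipped Perl tool. Finally, the header comment could state the contract instead of leaving the reader to decode the one-liner: `# Prints one new secret per run: 12 bytes from Crypt::URandom's OS random source (96 bits of entropy), base32-encoded, lower-cased and split into 4-character groups joined by '-'.`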
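Review bot: The new radsecret.mk mixes the two variable-reference spellings on adjacent lines (`$(R)/$(bindir)` next to `${top_srcdir}`, `$(Q)` next to `${PROGRAM_INSTALL}`); writing `$(top_srcdir)` and `$(PROGRAM_INSTALL)` keeps the file consistent with `$(R)` and `$(ECHO)` on the same lines. The rule installs an uncompiled script straight from the source tree, which is unusual enough among the program makefiles listed in all.mk to deserve a one-line comment at the top, e.g. `# radsecret is a Perl script: nothing to build, install it directly from the source tree.`. The install target also assumes `$(R)/$(bindir)` already exists when it runs; presumably another makefile creates that directory, but if nothing does, `install -c` fails on a fresh DESTDIR, which is worth confirming before the release.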