From: Alan T. DeKok Date: Sat, 15 Jun 2024 11:50:09 +0000 (-0400) Subject: update advice on shared secrets X-Git-Tag: release_3_2_5~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=485a39946bd4d70b5d89586a5d2cbc82fb73617e;p=thirdparty%2Ffreeradius-server.git update advice on shared secrets --- diff --git a/raddb/clients.conf b/raddb/clients.conf index 349efd65c77..0d5c2c36dc1 100644 --- a/raddb/clients.conf +++ b/raddb/clients.conf 
@@ -101,17 +101,33 @@ client localhost { # Quotation marks can be entered by escaping them, # e.g. "foo\"bar" # - # A note on security: The security of the RADIUS protocol + # A note on security: The security of the RADIUS protocol # depends COMPLETELY on this secret! We recommend using a - # shared secret that is composed of: - # - # upper case letters - # lower case letters - # numbers - # - # And is at LEAST 8 characters long, preferably 16 characters in - # length. The secret MUST be random, and should not be words, - # phrase, or anything else that is recognisable. + # shared secret that at LEAST 16 characters long. It should + # preferably be 32 characters in length. The secret MUST be + # random, and should not be words, phrase, or anything else + # that is recognisable. + # + # Computing power has increased enormously since RADIUS was + # first defined. A hobbyist with a high-end GPU can try ALL + # of the 8-character shared secrets in about a day. The + # security of shared secrets increases MUCH more with the + # length of the shared secret, than with number of different + # characters used in it. So don't bother trying to use + # "special characters" or anything else in an attempt to get + # un-guessable secrets. Instead, just get data from a secure + # random number generator, and use that. + # + # You should create shared secrets using a method like this: + # + # d if=/dev/random bs=1 count=24 | base64 + # + # This process will give output which takes 24 random bytes, + # and converts them to 32 characters of ASCII. The output + # should be accepted by all RADIUS clients. + # + # You should NOT create shared secrets by hand. They will + # not be random. They will will be trivial to crack. # # The default secret below is only for testing, and should # not be used in any real environment.
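Review bot: the example command added in this hunk is mistyped and will fail as written: `d if=/dev/random bs=1 count=24 | base64` should invoke `dd`, i.e. `dd if=/dev/random bs=1 count=24 | base64`. Since administrators are told to copy this line, it should be run once before merging; `dd if=/dev/random bs=24 count=1 | base64` is the more conventional form, reads the same 24 bytes, and base64 renders 24 bytes as exactly 32 characters with no padding, which matches the arithmetic in the comment. Two wording fixes in the same hunk: "shared secret that at LEAST 16 characters long" is missing "is", and "They will will be trivial to crack" doubles "will" ("words, phrase" should also read "words, phrases"). One caveat worth a sentence in the comment: base64 output can contain `+` and `/`, so the claim that the output "should be accepted by all RADIUS clients" may not hold for NAS configuration interfaces that restrict the secret's character set; a note to simply re-run the command if a client rejects the value would cover that, and the advice to favour length over character variety already covers the security side.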