max length of radius secret in radcli #103
The question would be why the existing limit is not enough? There will always be some use for an extremely large number of characters, but the default values do not necessarily need to cope with that. To change the default, the best would be to understand the reason for doing so.
The "reason" is:
The max length is probably buried somewhere in https://github.com/goauthentik/authentik/tree/main/authentik/providers/radius or even higher up under https://github.com/goauthentik/authentik/tree/main.
So it generates a 128-character secret by default, or does it have a max length of 128 characters?
It's hard to infer from the source code. I'll ask the end-user...
When authenticating using
Do you have a clue where this difference comes from? Could ocserv be hashing the 1234 password to something starting with
@DimitriPapadopoulos I am not an expert in authentik, but it looks like the secret is generated during radius outpost setup in the authentik web interface. Not sure why it is 128, I've read the I think it may be a good idea to ask @kensternberg-authentik or @BeryJu (they have touched the authentik radius wizard code according to git blame 🙂) why 128 was chosen.
Thank you so much for the links. They are not crystal clear to me either, but RFC2865 does say:
I honestly don't remember why the default secret length was set to 128, but it has been that value from the start: goauthentik/authentik@3f5effb
However, I am not an expert in RADIUS, and still fail to understand how the following relate and interact:
The shared secret should be at least 16 octets:
A Google search came up with empirical information on upper limits:
A maximal length of 256 would cover a majority of commercial RADIUS servers, would be compatible with FreeRADIUS, and should cover most use cases in practice.
The shared secret is the secret between ocserv and the radius server.
Yes, it took me some time, but I eventually sorted it out 😄
See openconnect/recipes !28:
This appears to be the source of this limitation:
radcli/include/radcli/radcli.h, line 56 in 153452b
Would it make sense to increase it to 8 * 16?
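As an added illustration of the two limits discussed in this thread (not code from radcli, ocserv or authentik), here is where the shared secret actually enters the protocol: RFC 2865 §3 computes the Response Authenticator as MD5 over the packet header, the Request Authenticator, the attributes and the secret, so the protocol itself only sets the 16-octet minimum and any maximum is a client buffer choice. The 128-octet maximum used as the default below is the 8 * 16 value proposed above, assumed for illustration; the sample packet and secret are constructed, not captured.

```python
import hashlib
import hmac
import struct

RFC2865_MIN_SECRET_OCTETS = 16   # RFC 2865 §3: shared secret "at least 16 octets"


def check_secret_length(secret: bytes, max_octets: int = 128) -> bool:
    """True if the secret meets the RFC 2865 minimum and a client-imposed maximum.
    128 is the 8 * 16 value proposed in this thread, assumed here as the default."""
    return RFC2865_MIN_SECRET_OCTETS <= len(secret) <= max_octets


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 §3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The secret is only hashed, so the wire format imposes no upper bound on it."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, ident: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a reply packet (header, 16-byte authenticator, attributes)."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply's Response Authenticator against the
    Request Authenticator of the Access-Request it answers. A wrong secret,
    a truncated packet or a bad Length field all fail closed."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values: a 16-byte Request Authenticator, a 30-octet secret,
# and an Access-Accept (Code 2, ID 7) carrying one Reply-Message (Type 18) "ok".
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"correct-horse-battery-staple-xx"
SAMPLE_ATTRS = b"\x12\x04ok"
SAMPLE_ACCEPT = build_response(2, 7, SAMPLE_ATTRS, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
```

A 200-octet secret verifies just as well as a 30-octet one here, which is the point: the cap lives in the client's buffer, not in RADIUS.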