EAP-TLS and random_file

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Feb 10 17:49:26 CET 2014


On 10 Feb 2014, at 16:22, Gregory Sloop <gregs at sloop.net> wrote:

> I'm curious about the many "examples" of EAP-TLS setup "how-to's" on
> the web.
> 
> [I did some searches of the list and elsewhere, and came up dry,
> though I didn't spend a long time on it...]
> 
> In many of them, the random_file is a pre-generated random set of
> data.
> 
> Knowing what [modest amount] I do, this seems like an incredibly bad
> idea. [At least with a functional random number generator at your
> disposal.]
> 
> There is at least one newer one using /dev/urandom [pseudo-random]. The
> stock eap.conf file in Ubuntu also does this.
> 
> I'm curious about why it would have ever been a pre-generated set of
> bits, which essentially have no entropy once they're given out/used -
> because they're not random any more, they're predictable.
> 
> If some kind soul would give me the trivia edition of why this was
> a common solution, I'd be grateful. [Or school me, nicely of course,
> about why you think it's an "Ok" practice.]

I'd quite like to know too. I've always set it to /dev/urandom in any
configs I've deployed.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


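A configuration audit for the setting discussed in this thread, written as an added example (it is not code from this thread or from the FreeRADIUS project): it reads an eap.conf, classifies each `random_file` value as a character device (such as /dev/urandom), a regular pre-generated file, or an unresolved path (for instance an unexpanded `${certdir}` variable), and flags anything that is not a character device. The two configs it checks are constructed inline for the demonstration.

```shell
#!/bin/sh
# Audit random_file directives in a FreeRADIUS eap.conf (added example, not
# project code). A character device like /dev/urandom hands out fresh bytes on
# every read; a regular file is a fixed blob that is replayed identically each
# time the server starts, so it is flagged for review.

# Print "<class> <path>" for every random_file directive in the given file.
# Classes: ok (character device), regular (pre-generated file), unresolved
# (path missing or still containing a raddb variable such as ${certdir}).
classify_random_file() {
    awk -F= '/^[ \t]*random_file[ \t]*=/ {
                 sub(/#.*/, "", $2); gsub(/[ \t"]/, "", $2); print $2 }' "$1" |
    while IFS= read -r path; do
        if   [ -c "$path" ]; then echo "ok $path"
        elif [ -f "$path" ]; then echo "regular $path"
        else                      echo "unresolved $path"
        fi
    done
}

# Return 0 when every random_file is a character device (or none is set),
# 1 when any directive points at a regular file or cannot be resolved.
check_random_file() {
    if classify_random_file "$1" | grep -qv '^ok '; then
        return 1
    fi
    return 0
}

# --- constructed sample configs; paths are temporary, not real deployments ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'not actually random\n' > "$TMP/random"   # stands in for a pre-generated blob

GOOD_CONF="$TMP/eap-good.conf"
BAD_CONF="$TMP/eap-bad.conf"
cat > "$GOOD_CONF" <<EOF
tls {
    random_file = /dev/urandom    # fresh bytes on every read
}
EOF
cat > "$BAD_CONF" <<EOF
tls {
    random_file = $TMP/random     # same bytes every time the server starts
}
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_random_file "$f"; then echo "OK     $f"; else echo "REVIEW $f"; fi
    classify_random_file "$f"
done
```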
