hostapd.conf ..

/etc/hostapd.conf:
interface=ath0
bridge=br0
driver=madwifi //generic linux driver is wext
debug=0
ssid=my-net
macaddr_acl=0
auth_algs=3
wpa=1
wpa_psk_file==eth/hostapd_wpa_psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP


/etc/hostapd_wpa_psk:
00:00:00:00:00:00 password_for_any_client //all zeros direct to accept all MAC addresses.
11:22:33:44:55:66 waylongpassword
10:20:30:40:50:60 another_password_for_another_client


/etc/wpa_supplicant.conf:
network={
ssid="my-net"
psk="waylongpassword" //it takes time to compute it each time. To save that time use wpa_password to encrypt passphrase, and then copy result into place
pairwise=CCMP //much stronger than RC4 that is default WEP
group=CCMP
ky_mgmt=WPA-PSK

wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -Dmadwifi -w
to make it permanent on debian and call wpa_supplicant automatically:
/etc/network/interfaces:
auto ath0
iface ath0 inet dhcp
pre-up wpa_supplacant -iath0 -Dmadwifi -Bw -c/etc/wpa_supplicant/wpa_supplicant.conf
post-down killall -q wpa_supplicant