######################################################################
#
#	$Id$
#
######################################################################
#
#  Simple virtual server that checks a TOTP code appended to a PAP
#  password, and not much else.
#
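server totp {
authorize {
	#
	#  TOTP only works for PAP: the one-time code is split off the
	#  cleartext User-Password below, and only PAP requests carry
	#  that attribute.  Anything else is rejected up front.
	#
	if (!&User-Password) {
		reject
	}

	#
	#  The 6-digit TOTP code is expected at the end of the
	#  User-Password attribute ("<password><6 digits>").  It could
	#  just as well go at the beginning; only the regular expression
	#  and the capture groups used below need to change.
	#
	#  If the password does not end in exactly 6 digits, reject.
	#  Because the match is anchored at the end, the last six
	#  characters are ALWAYS taken as the code, even when the user's
	#  real password happens to end in digits.
	#
	if (User-Password !~ /^(.*)([0-9]{6})$/) {
		reject
	}

	#
	#  Separate the two fields.  From here on &User-Password holds
	#  only the static password and &TOTP-Password holds the code.
	#  Anything that logs, proxies or otherwise inspects the request
	#  BEFORE this point still sees the combined string.
	#
	update request {
		User-Password := "%{1}"
		TOTP-Password := "%{2}"
	}

	#
	#  Get the users' real password and authorization credentials
	#  from somewhere, such as a database.  This should also set
	#
	#	&control:TOTP-Secret
	#
	#  The leading "-" makes the module optional: it is skipped
	#  instead of being a configuration error when it is not loaded.
	#  Since only an "ok" from totp.authenticate is accepted below, a
	#  user for whom no secret is found should fail closed -- verify
	#  this with a test request against your own setup.
	#
	-ldap
	-sql

	#
	#  As an example, a TOTP secret can be set for a single user
	#  directly in this file.  The example is DISABLED by default:
	#  a hard-coded, publicly known secret for a real-looking user
	#  name turns two-factor authentication into single-factor for
	#  that user if this site is enabled without editing.  Uncomment
	#  it only for testing, with a secret of your own.
	#
	#  The value should be the base-32 version of the TOTP secret.
	#  (The string "12345678901234567890" is the ASCII seed from the
	#  RFC 6238 test vectors, not a base-32 string; check which form
	#  rlm_totp expects before copying it.)
	#
	#  Note that the TOTP secret is effectively a password, and
	#  should be kept secret!  At this time, there is no way to
	#  "hide" or "encrypt" the TOTP secret for a user.  Even if it
	#  was encrypted, the server would still need a key to decrypt
	#  it.  So encrypting this field does not offer much benefit;
	#  protect the file (or database row) that holds it instead.
	#
#	if (&User-Name == "bob") {
#		&control:TOTP-Secret := 12345678901234567890
#	}

	#
	#  Verify the 6-digit TOTP code against &control:TOTP-Secret.
	#  Any return code other than "ok" is treated as a wrong code
	#  and the request is rejected.
	#
	#  Nothing in this file limits the number of attempts or stops
	#  a code from being replayed while it is still valid; add rate
	#  limiting / lockout elsewhere if your deployment needs it.
	#
	totp.authenticate
	if (!ok) {
		reject
	}

	#
	#  Set Auth-Type = PAP so that the static password is checked
	#  in the authenticate section below.
	#
	pap
}

authenticate {
	#
	#  Check the (now stripped) User-Password against the
	#  known-good password found in LDAP or SQL above.
	#
	pap
}

}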