###################################################################### # # $Id: e42bf05e189b6272426927173033c4d6d6eae237 $ # ###################################################################### # # Simple server to do TOTP and not much else. # server totp { authorize { # # TOTP only works for PAP # if (!&User-Password) { reject } # # The 6-digit TOTP password should be at the end of the # User-Password attribute. It can be at the beginning or at # the end, it doesn't really make any difference. Just # update the regular expression for whatever you want. # # If the password doesn't have 6 digits at the end, reject. # if (User-Password !~ /^(.*)([0-9]{6})$/) { reject } # # Separate the two fields # update request { User-Password := "%{1}" TOTP-Password := "%{2}" } # # Get the users' real password and authorization credentials # from somewhere, such as a database. This should also set # # &control:TOTP-Secret # -ldap -sql # # As an example, fake out the TOTP secret # # The value should be the base-32 version of the TOTP secret. # # Note that the TOTP secret is effectively a password, and # should be kept secret! At this time, there is no way to # "hide" or "encrypt" the TOTP secret for a user. Even if it # was encrypted, the server would still need a key to decrypt # it. So encrypying this field does not offer much benefit. # if (&User-Name == "bob") { &control:TOTP-Secret := 12345678901234567890 } # # Verify the 6-digit TOTP password. If the module does not # return "ok", then the TOTP password is wrong. # totp.authenticate if (!ok) { reject } # # Set Auth-Type = PAP # pap } authenticate { # # Check the User-Password against whatever we found in LDAP # or SQL. # pap } }