From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 3 Jun 2021 14:31:48 +0000 (-0400)
Subject: added simple TOTP example
X-Git-Tag: release_3_0_23~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c1913717977c9a090fd6905ec5ba090b2e07cb5;p=thirdparty%2Ffreeradius-server.git

added simple TOTP example
---

diff --git a/raddb/sites-available/totp b/raddb/sites-available/totp
new file mode 100644
index 00000000000..e42bf05e189
--- /dev/null
+++ b/raddb/sites-available/totp
@@ -0,0 +1,85 @@
+######################################################################
+#
+#	$Id$
+#
+######################################################################
+#
+#  Simple server to do TOTP and not much else.
+#
+server totp {
+authorize {
+	#
+	#  TOTP only works for PAP
+	#
+	if (!&User-Password) {
+		reject
+	}
+
+	#
+	#  The 6-digit TOTP password should be at the end of the
+	#  User-Password attribute.  It can be at the beginning or at
+	#  the end, it doesn't really make any difference.  Just
+	#  update the regular expression for whatever you want.
+	#
+	#  If the password doesn't have 6 digits at the end, reject.
+	#
+	if (User-Password !~ /^(.*)([0-9]{6})$/) {
+		reject
+	}
+
+	#
+	#  Separate the two fields
+	#
+	update request {
+		User-Password := "%{1}"
+		TOTP-Password := "%{2}"
+	}
+
+	#
+	#  Get the users' real password and authorization credentials
+	#  from somewhere, such as a database.  This should also set
+	#
+	#	&control:TOTP-Secret
+	#
+	-ldap
+	-sql
+
+	#
+	#  As an example, fake out the TOTP secret
+	#
+	#  The value should be the base-32 version of the TOTP secret.
+	#
+	#  Note that the TOTP secret is effectively a password, and
+	#  should be kept secret!  At this time, there is no way to
+	#  "hide" or "encrypt" the TOTP secret for a user.  Even if it
+	#  was encrypted, the server would still need a key to decrypt
+	#  it.  So encrypying this field does not offer much benefit.
+	#
+	if (&User-Name == "bob") {
+		&control:TOTP-Secret := 12345678901234567890
+	}
+
+	#
+	#  Verify the 6-digit TOTP password.  If the module does not
+	#  return "ok", then the TOTP password is wrong.
+	#
+	totp.authenticate
+	if (!ok) {
+		reject
+	}
+
+	#
+	#  Set Auth-Type = PAP
+	#
+	pap
+}
+
+authenticate {
+	#
+	#  Check the User-Password against whatever we found in LDAP
+	#  or SQL.
+	#
+	pap
+}
+
+}