[RADIATOR] AuthSQLYubikey

Jérôme Fleury jeje at jeje.org
Tue Oct 6 03:11:10 CDT 2009


Hi Mike:

On Mon, Oct 5, 2009 at 00:19, Mike McCauley <mikem at open.com.au> wrote:

>
> Hmmm, this is a difficult problem: without some hard knowledge about the
> length of the (optional) static password and/or the length of the string sent
> by the key, it can't tell where the static password ends and the token string
> starts.
>
> If _all_ your keys are configured for the _same_ non-standard token string
> length, then there might be a chance to add a new Radiator config parameter
> that specifies how long your token string is. Is that viable?

This is viable, however, in my mind, for 2 factor auth you were supposed to use

password:otp

with : as a marker for separation. This character is never used in
OTPs so you can't be wrong in detecting it.

Correct me if I'm wrong.


>
> The reason it is done this way is to support the case where multiple Radiator
> hosts access a single SQL server. If the clocks on the Radiator hosts were
> wrong, then clock skew could cause errors in the database.
>
> We have now added to the AuthBy SQLYUBIKEY UpdateQuery parameter a new
> positional parameter %5,
> which is replaced by the current unix time on the Radiator host.
>
> So now you could have something like:
> UpdateQuery update yubikeys set accessed=%5, counter=%0, low=%1, high=%2 where
> tokenId=%4
>
> The change is now available in the latest patch set.


Nice. However, I found a simpler patch. I just replaced the use of
now() by current_timestamp() in the code, which seems a little more
"standardized".


Cheers,

Jerome.
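
An added example (not part of the original message and not Radiator's code) comparing the two ways discussed above of separating a static password from the token: a configured token length and a `:` marker. The function names, the 44-character default and the sample values are assumptions made for the illustration.

```python
# ModHex: the 16 characters a YubiKey emits. ':' is not one of them.
MODHEX = "cbdefghijklnrtuv"
DEFAULT_TOKEN_LEN = 44  # assumption: 12-char public id + 32-char OTP

# Constructed sample: a non-standard 34-character token (not a real OTP).
SAMPLE_OTP = "cb" + MODHEX * 2


def _require_modhex(otp):
    if not otp or any(ch not in MODHEX for ch in otp):
        raise ValueError("token part is not ModHex")


def split_fixed(credential, token_len=DEFAULT_TOKEN_LEN):
    """Treat the last token_len characters as the OTP."""
    if token_len <= 0 or len(credential) < token_len:
        raise ValueError("credential shorter than the token length")
    password, otp = credential[:-token_len], credential[-token_len:]
    _require_modhex(otp)
    return password, otp


def split_delimited(credential, sep=":"):
    """Split on the LAST separator, so the password may itself contain one."""
    password, found, otp = credential.rpartition(sep)
    if not found:
        raise ValueError("no separator in credential")
    _require_modhex(otp)
    return password, otp


if __name__ == "__main__":
    # "hunterbridge" happens to consist only of ModHex letters, so a wrong
    # length assumption is not caught by alphabet validation.
    print(split_fixed("hunterbridge" + SAMPLE_OTP))                # wrong split
    print(split_fixed("hunterbridge" + SAMPLE_OTP, token_len=34))  # correct
    print(split_delimited("hunter:bridge:" + SAMPLE_OTP))          # correct
```

With the wrong length, the fixed split returns a truncated password without raising any error, while the delimiter form needs no per-key length.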

