[RADIATOR] AuthBy SQLTOTP doc bugs
Roy Badami
roy.badami at roboreus.com
Wed Aug 22 10:26:34 CDT 2012
While playing with the AuthBy SQLTOTP module, I came across a couple of
errors in the documentation of the AuthSelect parameter (section 5.82.2
of the reference manual).
* The description and default query are missing field 6
(last_timestep). This is particularly unfortunate, because if you use
the query from the documentation, or a similar query based on it that
omits field 6, then you lose replay protection. (The actual default
query in AuthSQLTOTP.pm is correct, however.)
* The documentation describes field 0 as the HEX encoded AES secret. In
fact, TOTP does not use AES, it uses HMAC-SHA1.
The SQLHOTP doc contains the same error re AES - I haven't verified the
query in the doc as I've not played with that module.
Regards
roy
--
Roy Badami
Roboreus Ltd
Third Floor
The Place
175 High Holborn
London WC1V 7AA
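
The replay-protection point in the message above, as an added example that is not part of the original post and is not Radiator's code: an RFC 6238 check (HMAC-SHA1 over the timestep counter, hex-encoded secret) that accepts a captured code twice when the stored last timestep is ignored and once when it is tracked. The dict keys, the window size and the sample secret (the RFC 6238 test key) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per timestep (RFC 6238 default)
WINDOW = 1      # timesteps of clock drift accepted either side (assumed value)

# Constructed sample: the RFC 6238 SHA-1 test key "12345678901234567890", hex encoded
SAMPLE_SECRET_HEX = "3132333435363738393031323334353637383930"


def totp(secret_hex, timestep, digits=6):
    """RFC 6238 code for one timestep: HMAC-SHA1 keyed with the shared secret."""
    key = bytes.fromhex(secret_hex)
    mac = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(row, code, now, track_last_timestep=True):
    """Return True if code is valid for the token row at Unix time now.

    row is a dict standing in for the SQL row (hypothetical keys).
    With track_last_timestep=False the stored timestep is neither read
    nor written, as when the query does not return that field.
    """
    current = int(now) // TIME_STEP
    for step in range(current - WINDOW, current + WINDOW + 1):
        if track_last_timestep and step <= row["last_timestep"]:
            continue  # this timestep or a later one was already accepted
        if hmac.compare_digest(totp(row["secret"], step), code):
            if track_last_timestep:
                row["last_timestep"] = step  # persist this in the database
            return True
    return False


def demo():
    """Submit the same captured code twice, without and with tracking."""
    code = totp(SAMPLE_SECRET_HEX, 59 // TIME_STEP)
    results = {}
    for track in (False, True):
        row = {"secret": SAMPLE_SECRET_HEX, "last_timestep": 0}
        results[track] = [verify(row, code, 59, track) for _ in range(2)]
    return results


if __name__ == "__main__":
    print(demo())
```
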