Can I define an internal attribute for a module?
Hi, I'm developing a Python module that implements a very simple TOTP functionality (it basically replaces the value of Cleartext-Password with the original value plus the expected TOTP code), so the user has to provide a concatenation of the original password and the OTP code to authenticate. This works well so far. The doubt I have is where and how to store the OTP secret codes. So far, for development, I have a Python dictionary defined on the Python module with all the User-Name -> Secret key associations, but having these on the code is not a good practice and it requires managing two user lists, one for authentication (users file or SQL DB or LDAP...) plus this OTP secret list. This might lead to inconsistencies. The first option I thought of was to make use of the config {} subsection of the python module, but it would still be a second user list (besides the main one used for authentication). Then I thought that I might be able to define an internal attribute (similar to Cleartext-Password) that contained the OTP secret. It would be defined as follows: ATTRIBUTE OTP-Secret 3000 string And then use it on the "users" file or on the DB as follows: alex@test.org Cleartext-Password := "OneTestingPassword", OTP-Secret := "7MR674BRPXXNYGGMPFA52MW6GSMA6JQL" This way I would be able to define the OTP Secret right next to the user password, on any backend that I'd like to use (users file, LDAP, SQL...). I've tested it and it works, so question is: Can I define internal attributes for private module usage? If so, how are numbers allocated? Can I use any number I want if it's not currently in use? Thanks, -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On Oct 2, 2018, at 6:33 AM, Alejandro Perez-Mendez <alex.perez-mendez@jisc.ac.uk> wrote:
The doubt I have is where and how to store the OTP secret codes. So far, for development, I have a Python dictionary defined on the Python module with all the User-Name -> Secret key associations, but having these on the code is not a good practice and it requires managing two user lists, one for authentication (users file or SQL DB or LDAP...) plus this OTP secret list. This might lead to inconsistencies.
The first option I thought of was to make use of the config {} subsection of the python module, but it would still be a second user list (besides the main one used for authentication).
Then I thought that I might be able to define an internal attribute (similar to Cleartext-Password) that contained the OTP secret. It would be defined as follows:
ATTRIBUTE OTP-Secret 3000 string
That's possible...
And then use it on the "users" file or on the DB as follows:
alex@test.org Cleartext-Password := "OneTestingPassword", OTP-Secret := "7MR674BRPXXNYGGMPFA52MW6GSMA6JQL"
This way I would be able to define the OTP Secret right next to the user password, on any backend that I'd like to use (users file, LDAP, SQL...).
I've tested it and it works, so question is: Can I define internal attributes for private module usage? If so, how are numbers allocated? Can I use any number I want if it's not currently in use?
The "on the wire" numbers are allocated by IANA. The "internal" numbers are allocated by us, via dictionary.freeradius.internal. The question is: who is going to use this functionality? If it's just you, then use raddb/dictionary, and the numbers there. If it's the general FreeRADIUS community, then send a pull request for dictionary.freeradius.internal. If it's some people but not a lot, then it's difficult to say what the best choice is. Alan DeKok.
On Tue, 2018-10-02 at 06:53 -0400, Alan DeKok wrote:
On Oct 2, 2018, at 6:33 AM, Alejandro Perez-Mendez <alex.perez-mendez @jisc.ac.uk> wrote:
Then I thought that I might be able to define an internal attribute (similar to Cleartext-Password) that contained the OTP secret. It would be defined as follows:
The question is: who is going to use this functionality? If it's just you, then use raddb/dictionary, and the numbers there. If it's the general FreeRADIUS community, then send a pull request for dictionary.freeradius.internal. If it's some people but not a lot, then it's difficult to say what the best choice is.
Jisc could assign it and put it in dictionary.ukerna. But it sounds like a private thing, so as given is probably best. -- Matthew
El 2/10/18 a las 13:01, Matthew Newton escribió:
On Tue, 2018-10-02 at 06:53 -0400, Alan DeKok wrote:
On Oct 2, 2018, at 6:33 AM, Alejandro Perez-Mendez <alex.perez-mendez @jisc.ac.uk> wrote:
Then I thought that I might be able to define an internal attribute (similar to Cleartext-Password) that contained the OTP secret. It would be defined as follows: The question is: who is going to use this functionality? If it's just you, then use raddb/dictionary, and the numbers there. If it's the general FreeRADIUS community, then send a pull request for dictionary.freeradius.internal. If it's some people but not a lot, then it's difficult to say what the best choice is. Jisc could assign it and put it in dictionary.ukerna. Yes, that's exactly what Stefan Paetow recommended me on private, to add it as a Vendor-Specific attribute. I did not think of this at first because I thought it *needed* to be "internal" to be protected from being sent by the server, but then I learned that it's all about of which VPS list you are putting it. So, as long as the attribute is included only in the "config" list, there should not be any problem.
But it sounds like a private thing, so as given is probably best.
It is actually meant for the whole Moonshot community, so not just me. But I think the Vendor Specific thing is the best way to go. Thanks, -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
participants (3)
-
Alan DeKok -
Alejandro Perez-Mendez -
Matthew Newton