Can I define an internal attribute for a module?
Alejandro Perez-Mendez
alex.perez-mendez at jisc.ac.uk
Tue Oct 2 12:33:48 CEST 2018
Hi,
I'm developing a Python module that implements a very simple TOTP
functionality (it basically replaces the value of Cleartext-Password
with the original value plus the expected TOTP code), so the user has to
provide a concatenation of the original password and the OTP code to
authenticate. This works well so far.
The doubt I have is where and how to store the OTP secret codes. So far,
for development, I have a Python dictionary defined in the Python module
with all the User-Name -> Secret key associations, but having these in
the code is not good practice, and it requires managing two user lists:
one for authentication (users file or SQL DB or LDAP...) plus this OTP
secret list. This might lead to inconsistencies.
The first option I thought of was to make use of the config {}
subsection of the python module, but it would still be a second user
list (besides the main one used for authentication).
Then I thought that I might be able to define an internal attribute
(similar to Cleartext-Password) that contained the OTP secret. It would
be defined as follows:
ATTRIBUTE OTP-Secret 3000 string
And then use it on the "users" file or on the DB as follows:
alex@test.org Cleartext-Password := "OneTestingPassword", OTP-Secret := "7MR674BRPXXNYGGMPFA52MW6GSMA6JQL"
This way I would be able to define the OTP Secret right next to the user
password, on any backend that I'd like to use (users file, LDAP, SQL...).
I've tested it and it works, so the question is: Can I define internal
attributes for private module usage? If so, how are numbers allocated?
Can I use any number I want if it's not currently in use?
Thanks,
--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk
More information about the Freeradius-Users mailing list
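The scheme described in the message above (expected password = Cleartext-Password followed by the current TOTP code, with the secret taken from an OTP-Secret attribute stored next to the password), as an added example that is not the poster's module or FreeRADIUS code. The function names `totp` and `expected_password` are hypothetical, the attributes are assumed to arrive as (name, value) pairs, and the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) are assumed because the post does not state its parameters.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32-encoded secret."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def expected_password(pairs, now=None):
    """Return Cleartext-Password + TOTP code, or None when either
    attribute is missing or the secret is not valid base32.

    Returning None lets the caller fail closed instead of silently
    accepting the bare password for a user with no usable OTP-Secret.
    """
    attrs = dict(pairs)
    password = attrs.get("Cleartext-Password")
    secret = attrs.get("OTP-Secret")
    if not password or not secret:
        return None
    try:
        code = totp(secret, time.time() if now is None else now)
    except ValueError:  # binascii.Error (bad base32) subclasses ValueError
        return None
    return password + code


# Constructed sample: the attribute values from the users-file entry above.
SAMPLE = (
    ("Cleartext-Password", "OneTestingPassword"),
    ("OTP-Secret", "7MR674BRPXXNYGGMPFA52MW6GSMA6JQL"),
)

if __name__ == "__main__":
    value = expected_password(SAMPLE)
    print("expected password length:", len(value))
```

A real deployment would normally also accept the adjacent time step to tolerate clock drift and reject a code that has already been used; both are left out here.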