TOTP module
João Miguel Regateiro
jmregateiro at gmail.com
Thu Nov 16 14:09:54 UTC 2023
Hello,
I was testing my FreeRADIUS server and I found out that a user can
authenticate with the same TOTP multiple times within the 30-second
period. From reading RFC 6238 I understand that this must not be
possible, as the One Time Password is for one-time use only.
Here is my code:
authorize {
    ldap
    if ((ok || updated)) {
        # the last six digits of User-Password are the TOTP code, the rest is the LDAP password
        if (User-Password !~ /^(.*)([0-9]{6})$/) {
            reject
        }
        update request {
            User-Password := "%{1}"
            TOTP-Password := "%{2}"
        }
        # gets shared secret from ldap
        if (&control:totp_teste =~ /([A-Za-z0-9]+),/) {
            update control {
                TOTP-Secret := "%{1}"
            }
        }
        totp.authenticate
        if (!ok) {
            reject
        }
        update control {
            Auth-Type := ldap
        }
    }
}
authenticate {
    Auth-Type ldap {
        ldap
    }
}
Could you please give me some guidance on what I am doing wrong here?
Thanks,
Miguel
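The replay described in the post, and the one-time-use check RFC 6238 expects the verifier to enforce, as an added example in Python (not part of the original mail and not FreeRADIUS or its totp module): a verifier that records the last accepted time step per user and refuses any code for that step or an earlier one, even though the code itself is still valid for the window. The user names and timestamps are constructed; the secret and codes are the RFC 6238 Appendix B SHA-1 test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """RFC 6238 TOTP check with one-time-use enforcement per user."""

    def __init__(self, step: int = 30, window: int = 1) -> None:
        self.step = step        # time-step size in seconds
        self.window = window    # accept +/- this many adjacent steps for clock skew
        self.last_step = {}     # user -> last time step whose code was accepted

    def verify(self, user: str, secret: bytes, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        current = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            t = current + delta
            if hmac.compare_digest(hotp(secret, t), code):
                # A code for the same or an older step was already accepted:
                # this is a replay, so reject it (RFC 6238 section 5.2).
                if t <= self.last_step.get(user, -1):
                    return False
                self.last_step[user] = t
                return True
        return False


# Constructed demo values: RFC 6238 Appendix B SHA-1 secret, user names are made up.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier()
    print(v.verify("alice", SECRET, "287082", now=59))  # first use in step 1: accepted
    print(v.verify("alice", SECRET, "287082", now=70))  # same code again: replay, rejected
```

Without the last_step bookkeeping the second call would also succeed, which is exactly the behaviour reported above.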