#
#  Configuration for the OTP module.
#

#  This module allows you to use various handheld OTP tokens
#  for authentication (Auth-Type := otp).  These tokens are
#  available from various vendors.
#
#  It works in conjunction with otpd, which implements token
#  management and OTP verification functions; and lsmd or gsmd,
#  which implements synchronous state management functions.
#  otpd, lsmd and gsmd are available from TRI-D Systems:
#              <http://www.tri-dsystems.com/>

#  You must list this module in BOTH the authorize and authenticate
#  sections in order to use it.
otp {
	# otpd rendezvous point.
	# (default: /var/run/otpd/socket)
	#otpd_rp = /var/run/otpd/socket

	# Text to use for the challenge.  The '%' character is
	# disallowed, except that you MUST have a single "%s"
	# sequence in the string; the challenge itself is
	# inserted there.  (default "Challenge: %s\n Response: ")
	#challenge_prompt = "Challenge: %s\n Response: "

	# Length of the challenge.  Most tokens probably support a
	# max of 8 digits.  (range: 5-32 digits, default 6)
	#challenge_length = 6

	# Maximum time, in seconds, that a challenge is valid.
	# (The user must respond to a challenge within this time.)
	# It is also the minimal time between consecutive async mode
	# authentications, a necessary restriction due to an inherent
	# weakness of the RADIUS protocol which allows replay attacks.
	# (default: 30)
	#challenge_delay = 30

	# Whether or not to allow asynchronous ("pure" challenge/
	# response) mode authentication.  Since sync mode is much more
	# usable, and all reasonable tokens support it, the typical
	# use of async mode is to allow resync of event based tokens.
	# But because of the vulnerability of async mode with some tokens,
	# you probably want to disable this and require that out-of-sync
	# users resync from specifically secured terminals.
	# See the otpd docs for more info.
	# (default: no)
	#allow_async = no

	# Whether or not to allow synchronous mode authentication.
	# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
	# that if your OTP users can authenticate to multiple RADIUS
	# servers, this must be "yes" for the primary/default server,
	# and "no" for the others.  This is because lsmd does not
	# share state information across multiple servers.  Using "yes"
	# on all your RADIUS servers would allow replay attacks!
	# Also, for event based tokens, the user will be out of sync
	# on the "other" servers.  In order to use "yes" on all your
	# servers, you must either use gsmd, which synchronizes state
	# globally, or implement your own state synchronization method.
	# (default: yes)
	#allow_sync = yes

	# If both allow_async and allow_sync are "yes", a challenge is
	# always presented to the user.  This is incompatible with NAS's
	# that can't present or don't handle Access-Challenge's, e.g.
	# PPTP servers.  Even though a challenge is presented, the user
	# can still enter their synchronous passcode.

	# The following are MPPE settings.  Note that MS-CHAP (v1) is
	# strongly discouraged.  All possible values are listed as
	# {value = meaning}.  Default values are first.
	#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
	#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
	#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
	#mschap_mppe_bits = {2 = 128}
}