3.87.1. AuthSelect

Specifies an SQL query that will be used to fetch Yubikey data from the database. Special characters are permitted: %0 is replaced with the quoted user name, %1 with the Token ID in Base64 format, %2 with the Token ID in hex format and %3 with the Token ID in modhex format. Result field 0 (secret) is the base64 encoded AES secret for the key; it must be present for the authentication to succeed. All other fields are optional. If field 1 (active) is defined it must be 1, else the authentication is rejected. Field 2 (userId) is not currently used. Field 3 (counter) is the key use counter; if defined, it will be used to detect replay attacks, and must be updated by UpdateQuery. Field 4 (session_use) is the session_use counter. Field 5 is currently ignored. The static password field (field 6) contains the user's correct static password in any of the formats supported by Radiator, including plaintext, {SHA}, {crypt}, {MD5}, {rcrypt}, {mysql}, {mssql}, {nthash}, {dechpwd}, {NS-MTA-MD5}, {clear} etc. TranslatePasswordHook is also supported.
The default works with the sample Yubikey database created by db_schema.sql from the YubiKey Validation Server. The default is:
AuthSelect select secret, active, userId, counter, low,
high,NULL from yubikeys where userId=%0
which assumes that there is a one-to-one mapping between Yubikeys and users. It also assumes the Token ID and AES secret are in Hex (no spaces). You could support multiple tokens per user or multiple users per token with a custom AuthSelect like:
AuthSelect select secret, active, userId, counter, low,
high,NULL from yubikeys where tokenId=%1 and userId=%0
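As an added example (not Radiator's own code and not part of this manual), the following Python script shows how the %0..%3 placeholders expand from a token's modhex public ID, and applies the result-field rules above (mandatory secret, active flag, counter-based replay detection, static password) to rows fetched with the two queries on this page from a constructed in-memory SQLite yubikeys table. The quoting of %1..%3 as string literals, the (counter, session_use) comparison and the plaintext/{clear}-only static password check are assumptions of the example, as are all user names, token IDs and secrets in it.

```python
import base64
import re
import sqlite3

# Standard YubiKey modhex alphabet: the character at index i encodes nibble i.
MODHEX = "cbdefghijklnrtuv"

# The two queries quoted on the page (default, and the multi-token variant).
DEFAULT_AUTH_SELECT = ("select secret, active, userId, counter, low, high, NULL "
                       "from yubikeys where userId=%0")
CUSTOM_AUTH_SELECT = ("select secret, active, userId, counter, low, high, NULL "
                      "from yubikeys where tokenId=%1 and userId=%0")

def modhex_to_bytes(s):
    """Decode a modhex string such as the 12-character public ID of an OTP."""
    if len(s) % 2:
        raise ValueError("modhex string must have an even number of characters")
    nibbles = [MODHEX.index(ch) for ch in s.lower()]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))

def token_id_encodings(token_modhex):
    """The three Token ID encodings that %1, %2 and %3 stand for."""
    raw = modhex_to_bytes(token_modhex)
    return {"base64": base64.b64encode(raw).decode("ascii"), "hex": raw.hex(),
            "modhex": token_modhex.lower()}

def render_auth_select(template, username, token_modhex):
    """Substitute %0..%3. %0 is the SQL-quoted user name as the page says; quoting
    %1..%3 as string literals too is this example's assumption. One regex pass
    ensures a user name containing a literal "%1" is not expanded again."""
    enc = token_id_encodings(token_modhex)
    quote = lambda v: "'" + v.replace("'", "''") + "'"
    subs = {"0": quote(username), "1": quote(enc["base64"]),
            "2": quote(enc["hex"]), "3": quote(enc["modhex"])}
    return re.sub(r"%([0-3])", lambda m: subs[m.group(1)], template)

def check_row(row, otp_counter, otp_session_use, static_password=None):
    """Apply the result-field rules from the page to one fetched row; returns
    (accepted, reason). Replay check: the OTP's (counter, session_use) must be
    greater than the stored pair, or just the counter when field 4 is undefined
    (this example's reading of the page, not Radiator's own code)."""
    if row is None:
        return False, "no row for this user/token"
    secret, active, _user_id, counter, session_use, _ignored, static_pw = row
    if not secret:                                   # field 0 is mandatory
        return False, "secret (field 0) missing"
    if active is not None and int(active) != 1:      # field 1, if present, must be 1
        return False, "token not active"
    if counter is not None:                          # field 3 enables replay detection
        stored = int(counter) if session_use is None else (int(counter), int(session_use))
        presented = otp_counter if session_use is None else (otp_counter, otp_session_use)
        if presented <= stored:
            return False, "replay: OTP counter not newer than stored counter"
    if static_pw is not None:                        # field 6: only plaintext/{clear} handled here
        expected = static_pw[len("{clear}"):] if static_pw.startswith("{clear}") else static_pw
        if static_password != expected:
            return False, "static password mismatch"
    return True, "ok"

def lookup(db, template, username, token_modhex):
    """Render the query as the placeholders describe and fetch one row (or None)."""
    return db.execute(render_auth_select(template, username, token_modhex)).fetchone()

def demo():
    """Constructed end-to-end run against an in-memory yubikeys table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table yubikeys (userId text, tokenId text, secret text, "
               "active integer, counter integer, low integer, high integer)")
    # Constructed rows. tokenId is stored base64-encoded because the custom query
    # compares it with %1; the column's format must match the placeholder used.
    db.execute("insert into yubikeys values ('alice', 'ASNFZ4mr', "
               "'00112233445566778899aabbccddeeff', 1, 41, 3, 0)")
    db.execute("insert into yubikeys values ('bob', 'AAAAAAAA', '', 1, 0, 0, 0)")
    results = {}
    # OTP counter 42 from alice's token (modhex public ID cbdefghijkln): newer than 41, accept
    results["fresh"] = check_row(lookup(db, CUSTOM_AUTH_SELECT, "alice", "cbdefghijkln"), 42, 0)
    # What UpdateQuery has to do after a success: persist the new counters
    db.execute("update yubikeys set counter=?, low=? where userId=?", (42, 0, "alice"))
    # The same OTP presented again is rejected as a replay
    results["replay"] = check_row(lookup(db, CUSTOM_AUTH_SELECT, "alice", "cbdefghijkln"), 42, 0)
    # A token ID not bound to alice yields no row
    results["wrong_token"] = check_row(lookup(db, CUSTOM_AUTH_SELECT, "alice", "cccccccccccc"), 43, 0)
    # bob's row has an empty secret (field 0): rejected although active=1
    results["no_secret"] = check_row(lookup(db, DEFAULT_AUTH_SELECT, "bob", "cccccccccccc"), 1, 0)
    return results

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} accepted={ok} ({why})")
```

Run it directly to see the four cases. The replay case is only rejected because the UpdateQuery-style update persisted the accepted counter first, which is why the page requires UpdateQuery whenever field 3 is returned.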