Specifies an SQL query that will be used to fetch Yubikey data
from the database. Special characters are permitted, and %0 is replaced
with the quoted user name, the Token ID in Base64 format in %1, the Token
ID in hex format in %2 and the Token ID in modhex format in %3. The result
field 0 (secret) is the base64 encoded AES secret for the key. It must be
present for the authentication to succeed. All other fields are optional.
If field 1 (active) is defined it must be 1, else the authentication is
rejected. Field 2 (userId) is not currently used. Field 3 (counter) is the
key use counter. If defined, it will be used to detect replay attacks, and
must be updated by UpdateQuery. Field 4 (session_use) is the session_use
counter. Field 5 is currently ignored. The static password field (field 6)
contains the user's correct static password in any of the formats supported
by Radiator including plaintext, {SHA}, {crypt}, {MD5}, {rcrypt}, {mysql},
{mssql}, {nthash}, {dechpwd}, {NS-MTA-MD5}, {clear} etc.
TranslatePasswordHook is also supported.
The default works with the sample Yubikey database created by
db_schema.sql from the YubiKey Validation Server. The default is:

AuthSelect select secret, active, userId, counter, low, high,NULL from yubikeys where userId=%0

which assumes that there is a one-to-one mapping between Yubikeys and
users. It also assumes the Token ID and AES secret are in Hex (no spaces).
You could support multiple tokens per user or multiple users per token with
a custom AuthSelect like:

AuthSelect select secret, active, userId, counter, low, high,NULL from yubikeys where tokenId=%1 and userId=%0
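The following is an added example, not Radiator's code, showing the two halves of what this parameter describes: how %0 to %3 are expanded into the query (quoted user name, then the Token ID as Base64, hex and modhex) and how the returned fields are then judged (secret required, active must be 1 if present, counter and session_use used for replay detection and refreshed by UpdateQuery). It assumes the Base64 form is the Base64 of the raw Token ID bytes, uses a simple single-quote escaping routine in place of Radiator's own quoting, takes the conventional YubiKey replay rule (reject an OTP whose counter is lower than the stored one, or equal with a session use that does not advance), and uses a constructed SQLite table and a hypothetical UpdateQuery; the OTP counter and session-use values would in practice come from decrypting the OTP with the stored secret.

```python
import base64
import re
import sqlite3

# YubiKey modhex alphabet: position i encodes hex digit i (0..f).
MODHEX = "cbdefghijklnrtuv"
HEX = "0123456789abcdef"

# The documented default AuthSelect, and a hypothetical UpdateQuery (assumption, not the page's).
DEFAULT_AUTH_SELECT = ("select secret, active, userId, counter, low, high,NULL "
                       "from yubikeys where userId=%0")
UPDATE_QUERY = "update yubikeys set counter=?, low=? where userId=?"


def modhex_to_hex(modhex: str) -> str:
    """Convert a modhex string (e.g. the 12-character YubiKey public ID) to lowercase hex."""
    return "".join(HEX[MODHEX.index(c)] for c in modhex.lower())


def sql_quote(value: str) -> str:
    """Single-quote a literal, doubling embedded quotes (stand-in for Radiator's quoting)."""
    return "'" + value.replace("'", "''") + "'"


def expand_auth_select(template: str, user: str, modhex_id: str) -> str:
    """Replace %0..%3 as documented: quoted user name, Token ID in Base64 / hex / modhex.
    Base64 of the raw Token ID bytes is an assumption."""
    hex_id = modhex_to_hex(modhex_id)
    subs = {
        "%0": sql_quote(user),
        "%1": sql_quote(base64.b64encode(bytes.fromhex(hex_id)).decode()),
        "%2": sql_quote(hex_id),
        "%3": sql_quote(modhex_id),
    }
    # Single pass so an already substituted value can never be re-expanded.
    return re.sub(r"%[0-3]", lambda m: subs[m.group(0)], template)


def check_row(row, otp_counter: int, otp_use: int) -> str:
    """Apply the documented result-field rules. Returns 'accept' or a rejection reason."""
    if row is None:
        return "reject: no row"
    # Fields 0..4: secret, active, userId, counter, session_use (extra columns are ignored).
    secret, active, _user_id, counter, session_use = (list(row) + [None] * 5)[:5]
    if not secret:                       # field 0 must be present
        return "reject: secret missing"
    if active is not None and int(active) != 1:   # field 1, only if defined
        return "reject: key not active"
    if counter is not None:              # field 3 (and field 4) drive replay detection
        if otp_counter < counter:
            return "reject: replay"
        if otp_counter == counter and session_use is not None and otp_use <= session_use:
            return "reject: replay"
    return "accept"


def authenticate(conn, user: str, modhex_id: str, otp_counter: int, otp_use: int) -> str:
    """Run the expanded AuthSelect, judge the row, and on success store the new counters."""
    row = conn.execute(expand_auth_select(DEFAULT_AUTH_SELECT, user, modhex_id)).fetchone()
    verdict = check_row(row, otp_counter, otp_use)
    if verdict == "accept":
        conn.execute(UPDATE_QUERY, (otp_counter, otp_use, user))
    return verdict


def make_demo_db():
    """Constructed in-memory table shaped like the sample yubikeys table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table yubikeys (secret text, active integer, userId text, "
                 "counter integer, low integer, high integer, tokenId text)")
    # Constructed row: all-zero 16-byte AES key in Base64, last seen at counter 5, use 3.
    conn.execute("insert into yubikeys values (?,?,?,?,?,?,?)",
                 (base64.b64encode(bytes(16)).decode(), 1, "alice", 5, 3, 0, "000000000001"))
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(expand_auth_select(DEFAULT_AUTH_SELECT, "alice", "cccccccccccb"))
    print(authenticate(db, "alice", "cccccccccccb", 5, 3))   # replayed OTP
    print(authenticate(db, "alice", "cccccccccccb", 6, 1))   # fresh OTP
    print(authenticate(db, "alice", "cccccccccccb", 6, 1))   # the same OTP again
```

The single-pass substitution and the quoting of every expanded value are the points a reviewer would look for in a custom AuthSelect: the page states that %0 is the quoted user name, and the same care has to apply to any Token ID form used in a WHERE clause. The UpdateQuery step matters because, as the text says, the counter is only useful for replay detection if it is written back after each accepted OTP.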