# provisioning.conf template for totpcgi's provisioning CGI.
# The {{ ... }} and {% ... %} markers are template syntax (Jinja2-style) and
# are rendered before the file is installed; the rendered file contains the
# database admin credentials in clear text (see pg_connect_string below), so
# it must be readable only by the account the CGI runs as.
# Comment convention in this file: "#" introduces prose, ";" introduces a
# commented-out alternative setting. Both are treated as comments.

[secret]
# Whether to encrypt the secret when we generate it. Encrypting the secret
# with the user's pincode means that even if the .totp file is leaked, an
# attacker will not be able to get the secret without knowing the user's
# pincode. The downside is that if a user forgets their pincode, both the
# pincode and the secret will need to be fully re-provisioned.
# Setting to "True" will also turn off scratch-token support.
# NOTE: with trust_http_auth = True (below) this is forced to False anyway,
# so the secret backend holds unencrypted TOTP secrets; protecting the
# backend and its credentials is what keeps the secrets confidential.
encrypt_secret = False

# You can allow for some clock drift between the client and server by setting
# the permitted window size. Window size is calculated in 10-second intervals,
# so a window size of 6 allows clock drift of 60 seconds in either direction.
# A larger window also keeps any single code valid for longer, so keep this
# as small as the deployment's clock accuracy allows.
window_size = 6

# First value is the number of times. Second value is the number of seconds.
# So, "3, 30" means "3 failures within 30 seconds"
rate_limit = 3, 30

# How many scratch tokens to generate. Note, that this setting is ignored
# if encrypt_secret is set to True.
scratch_tokens_n = 5

# This identifies the token in the Google Authenticator application. It comes
# very handy when users have more than one token, so set this to something
# descriptive of your environment.
# "$username" is a literal placeholder for the application to fill in; it is
# not configparser interpolation (that uses "%").
{% if env == "staging" %}
totp_user_mask = $username@stg.fedoraproject.org
{% else %}
totp_user_mask = $username@fedoraproject.org
{% endif %}

# Used by provisioning.cgi
# Where the provisioning CGI is located, with regards to the web root.
action_url = /totpcgiprovision/index.cgi

# Used by provisioning.cgi
# Where provisioning.css and provisioning-print.css are located with regards
# to the web root.
css_root = /totpcgiprovision/

# Used by provisioning.cgi
# Where to find the templates files.
templates_dir = /etc/totpcgi

# Used by provisioning.cgi
# Whether to rely on HTTP auth to handle authentication.
# As we don't get the password, only the username, turning this on
# will automatically set encrypt_secret to false.
#
# Be careful turning this on.
# When enabled, the web server's HTTP authentication is the effective
# authentication boundary for provisioning: the CGI trusts the username it
# is handed and cannot verify the pincode itself. Make sure the
# provisioning location is not reachable without that authentication.
trust_http_auth = True

[pincode]
# Which hashing mechanism to use.
# Valid entries: md5, bcrypt, sha256, sha512
# md5 is a legacy option; prefer bcrypt or a SHA-2 variant for new
# deployments.
usehash = sha256

# Whether to compile the DBM database (only meaningful with the file backend)
makedb = True

# The backends are pretty much the same as in totpcgi.conf, except if you
# are using the postgresql secret backend, you need to connect as a user
# that is allowed to modify user records (e.g. totpcgi_admin).
# Because this user can modify records, the rendered connect string is a
# higher-privilege credential than the one the verification side uses;
# restrict file permissions on the rendered config accordingly.
[secret_backend]
;engine = file
;secrets_dir = /etc/totpcgi/totp

; For PostgreSQL backend:
engine = pgsql
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org dbname=totpcgi

[pincode_backend]
engine = pgsql
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org dbname=totpcgi

; For LDAP backend (simple bind auth):
; Keep ldaps:// and a pinned CA certificate if this is enabled, since the
; user's pincode is sent to the directory as the bind password.
;engine = ldap
;ldap_url = ldaps://ipa.example.com:636/
;ldap_dn = uid=$username,cn=users,cn=accounts,dc=example,dc=com
;ldap_cacert = /etc/pki/tls/certs/ipa-ca.crt

[state_backend]
;engine = file
;state_dir = /var/lib/totpcgi

; For PostgreSQL backend:
engine = pgsql
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org dbname=totpcgi