88 lines
3.1 KiB
Django/Jinja
88 lines
3.1 KiB
Django/Jinja
[secret]
|
|
# Whether to encrypt the secret when we generate it. Encrypting the secret
|
|
# with the user's pincode means that even if the .totp file is leaked, an
|
|
# attacker will not be able to get the secret without knowing the user's
|
|
# pincode. The downside is that if a user forgets their pincode, both the
|
|
# pincode and the secret will need to be fully re-provisioned.
|
|
# Setting to "True" will also turn off scratch-token support.
|
|
encrypt_secret = False
|
|
|
|
# You can allow for some clock drift between the client and server by setting
|
|
# the permitted window size. Window size is calculated in 10-second intervals,
|
|
# so a window size of 6 allows clock drift of 60 seconds in either direction.
|
|
window_size = 3
|
|
|
|
# First value is the number of times. Second value is the number of seconds.
|
|
# So, "3, 30" means "3 falures within 30 seconds"
|
|
rate_limit = 3, 30
|
|
|
|
# How many scratch tokens to generate. Note, that this setting is ignored
|
|
# if encrypt_secret is set to True.
|
|
scratch_tokens_n = 5
|
|
|
|
# This identifies the token in the Google Authenticator application. It comes
|
|
# very handy when users have more than one token, so set this to something
|
|
# descriptive of your environment.
|
|
{% if env == "staging" %}
|
|
totp_user_mask = $username@stg.fedoraproject.org
|
|
{% else %}
|
|
totp_user_mask = $username@fedoraproject.org
|
|
{% endif %}
|
|
|
|
# Used by provisioning.cgi
|
|
# Where the provisioning CGI is located, with regards to the web root.
|
|
action_url = /totpcgiprovision/index.cgi
|
|
|
|
# Used by provisioning.cgi
|
|
# Where provisioning.css and provisioning-print.css are located with regards
|
|
# to the web root.
|
|
css_root = /totpcgiprovision/
|
|
|
|
# Used by provisioning.cgi
|
|
# Where to find the templates files.
|
|
templates_dir = /etc/totpcgi/templates
|
|
|
|
# Used by provisioning.cgi
|
|
# Whether to rely on HTTP auth to handle authentication.
|
|
# As we don't get the password, only the username, turning this on
|
|
# will automatically set encrypt_secret to false.
|
|
#
|
|
# Be careful turning this on.
|
|
trust_http_auth = True
|
|
|
|
|
|
[pincode]
|
|
# Which hashing mechanism to use. Valid entries: md5, bcrypt, sha256, sha512
|
|
usehash = sha256
|
|
|
|
# Whether to compile the DBM database (only meaningful with the file backend)
|
|
makedb = True
|
|
|
|
# The backends are pretty much the same as in totpcgi.conf, except if you
|
|
# are using the postgresql secret backend, you need to connect as a user
|
|
# that is allowed to modify user records (e.g. totpcgi_admin).
|
|
[secret_backend]
|
|
;engine = file
|
|
;secrets_dir = /etc/totpcgi/totp
|
|
|
|
; For PostgreSQL backend:
|
|
engine = pgsql
|
|
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi
|
|
|
|
[pincode_backend]
|
|
engine = pgsql
|
|
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi
|
|
|
|
; For LDAP backend (simple bind auth):
|
|
;engine = ldap
|
|
;ldap_url = ldaps://ipa.example.com:636/
|
|
;ldap_dn = uid=$username,cn=users,cn=accounts,dc=example,dc=com
|
|
;ldap_cacert = /etc/pki/tls/certs/ipa-ca.crt
|
|
|
|
[state_backend]
|
|
;engine = file
|
|
;state_dir = /var/lib/totpcgi
|
|
|
|
; For PostgreSQL backend:
|
|
engine = pgsql
|
|
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi
|