3.32.32. ConsumePassword and LeavePassword

ConsumePassword and LeavePassword are optional parameters that allow an AuthBy to extract and use a portion of a password. This is typically required with multiple AuthBys to implement two-factor or one-time password authentication. When set for an AuthBy, only a portion of the current password is used by the AuthBy. The remaining portion becomes the new current password. This allows each AuthBy to check separate portions of a password.
ConsumePassword causes an AuthBy to extract a portion from the beginning of the current password. Possible values for ConsumePassword are:
  • Positive number
    This defines how many characters are extracted from the beginning of the password. If the number is larger than the password length, the whole password is used and the next AuthBy gets a zero length password.
  • Negative number
    This defines how many characters are left at the end of the password while the rest are extracted from the beginning of the password. If the number is larger than the password length, a zero length password is used and the next AuthBy gets the whole password.
  • One or more other characters
    This defines a separator. The portion of the password before the first occurrence of the separator is used. The separator is discarded and the next AuthBy gets what remains after the first separator. If the separator is not a part of the password, the whole password is used and the next AuthBy gets a zero length password.
  • Empty
    The whole password is used. The next AuthBy gets a zero length password.
LeavePassword causes an AuthBy to extract a portion from the end of the current password. Possible values for LeavePassword are:
  • Positive number
    This defines how many characters are left at the beginning of the password while the rest are extracted from the end of the password. If the number is larger than the password length, a zero length password is used and the next AuthBy gets the whole password.
  • Negative number
    This defines how many characters are extracted from the end of the password. If the number is larger than the password length, the whole password is used and the next AuthBy gets a zero length password.
  • One or more other characters
    This defines a separator. The portion of the password after the last occurrence of the separator is used. The separator is discarded and the next AuthBy gets the portion before the last separator. If the separator is not a part of the password, a zero length password is used and the next AuthBy gets the whole password.
  • Empty
    A zero length password is used. The next AuthBy gets the whole password.

Examples

Notice in the examples how ConsumePassword consumes the beginning of the password, while LeavePassword leaves the beginning unchanged and consumes the end:
  • If the password is part1:part2:part3 and ConsumePassword is :, the next AuthBy gets part2:part3
  • If the password is 987654variablepart and ConsumePassword is 6, the next AuthBy gets variablepart
  • If the password is variablepart987654 and ConsumePassword is -6, the next AuthBy gets 987654
  • If the password is part1:part2:part3 and LeavePassword is :, the next AuthBy gets part1:part2
  • If the password is variablepart987654 and LeavePassword is -6, the next AuthBy gets variablepart
  • If the password is 987654variablepart and LeavePassword is 6, the next AuthBy gets 987654
For more configuration examples, see goodies/duo.cfg and goodies/digipassStatic.cfg. The following example shows how to check a password such as variablepart987654, which consists of a variable-length static password followed by a 6-digit TOTP code.
<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy SQL>
        # Current password is static password followed by a token code
        # SQL configuration to check static password and other check attributes
        # Fetch reply attribute configuration

        # Use and remove static password leaving the token code
        ConsumePassword -6
    </AuthBy>
    <AuthBy SQLTOTP>
        # Current password is just the token code
    </AuthBy>
</Handler>
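The splitting rules above, including the edge cases (value longer than the password, separator absent, empty value), modelled as an added Python example; this is not Radiator's own code, and the chain walker that reproduces the Handler above is a constructed illustration of how the remaining password flows from one AuthBy to the next (a value of 0 is treated as the positive-number case, which is an assumption).

```python
import re

# An optionally-signed integer is the "number" case; any other non-empty value is a separator.
_NUMBER = re.compile(r"^-?\d+$")


def consume_password(password: str, value: str) -> tuple[str, str]:
    """ConsumePassword: return (portion this AuthBy checks, password handed to the next AuthBy)."""
    if value == "":                                  # Empty: whole password used, next gets ""
        return password, ""
    if _NUMBER.match(value):
        n = int(value)
        if n >= 0:                                   # positive: take n chars from the beginning
            return password[:n], password[n:]        # n > len: whole password used, next gets ""
        keep = -n                                    # negative: leave |n| chars at the end
        if keep >= len(password):                    # |n| >= len: "" used, next gets whole password
            return "", password
        return password[:-keep], password[-keep:]
    head, sep, tail = password.partition(value)      # separator: split at its first occurrence
    if not sep:                                      # separator absent: whole password used
        return password, ""
    return head, tail


def leave_password(password: str, value: str) -> tuple[str, str]:
    """LeavePassword: return (portion this AuthBy checks, password handed to the next AuthBy)."""
    if value == "":                                  # Empty: "" used, next gets whole password
        return "", password
    if _NUMBER.match(value):
        n = int(value)
        if n >= 0:                                   # positive: leave n chars at the beginning
            return password[n:], password[:n]        # n > len: "" used, next gets whole password
        take = -n                                    # negative: take |n| chars from the end
        if take >= len(password):                    # |n| >= len: whole password used, next gets ""
            return password, ""
        return password[-take:], password[:-take]
    head, sep, tail = password.rpartition(value)     # separator: split at its last occurrence
    if not sep:                                      # separator absent: "" used, next gets whole
        return "", password
    return tail, head


def run_authby_chain(password: str, steps: list[tuple[str, str]]) -> list[str]:
    """Walk the AuthBys of a Handler in order; each step is (parameter name, value).
    An AuthBy with neither parameter, written ("", ""), checks the whole current password."""
    checked = []
    for param, value in steps:
        if param == "ConsumePassword":
            used, password = consume_password(password, value)
        elif param == "LeavePassword":
            used, password = leave_password(password, value)
        else:
            used = password                          # no split: current password passes on unchanged
        checked.append(used)
    return checked
```

For the Handler above, `run_authby_chain("variablepart987654", [("ConsumePassword", "-6"), ("", "")])` gives the SQL AuthBy "variablepart" and the SQLTOTP AuthBy "987654".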