pap
PAP directive for plaintext password authentication
Validates passwords using the Password Authentication Protocol (PAP). PAP transmits passwords in cleartext over the authentication protocol (though the protocol itself may be encrypted, such as RADIUS over TLS).
Context
Valid inside authentication blocks. Can be combined with other authentication methods like totp or hotp for two-factor authentication.
Basic Syntax
authentication {
    backend {
        name "USERS";
        query "FIND_USER";
    }
    # Validate password
    pap;
}
Parameters
range
Extracts a substring from the password field for validation. This enables two-factor authentication by splitting the password field into password and one-time code components.
Syntax: range <start> <end> [exclusive]
<start> - Starting index (negative values count from end)
<end> - Ending index (negative values count from end)
exclusive - Optional keyword to invert the range (extract everything except the specified range)
Indices are 0-based
Examples:
# Extract last 6 characters
pap {
    range -6 0;
}
# Extract all but last 6 characters (typical for password in 2FA)
pap {
    range -6 0 exclusive;
}
# Extract first 10 characters
pap {
    range 0 10;
}
# Extract characters 5-15
pap {
    range 5 15;
}
# Extract all but last 8 characters (for 8-digit OTP)
pap {
    range -8 0 exclusive;
}
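A Python model of how the range examples above split a combined password-plus-OTP field, added here as an illustration and not taken from the product's own code. It assumes <end> is not included in the range, that an <end> of 0 after a negative <start> means the end of the field, and that out-of-bounds indices are clamped; select_range, split_field and pap_matches are hypothetical names.

```python
import hmac


def select_range(field: str, start: int, end: int, exclusive: bool = False) -> str:
    """Model of `range <start> <end> [exclusive]` applied to the password field.

    Assumptions (not stated on the page): <end> is not included in the range,
    an <end> of 0 after a negative <start> means "to the end of the field",
    and out-of-bounds indices are clamped to the field length.
    """
    n = len(field)
    lo = max(n + start, 0) if start < 0 else min(start, n)
    if end < 0:
        hi = max(n + end, 0)
    elif end == 0 and start < 0:
        hi = n
    else:
        hi = min(end, n)
    hi = max(hi, lo)  # an inverted range selects nothing
    if exclusive:
        return field[:lo] + field[hi:]
    return field[lo:hi]


def split_field(field: str, otp_len: int = 6) -> tuple[str, str]:
    """Split one submitted field into (password, otp) as the 2FA examples do."""
    password = select_range(field, -otp_len, 0, exclusive=True)
    otp = select_range(field, -otp_len, 0)
    return password, otp


def pap_matches(candidate: str, stored: str) -> bool:
    """Compare in constant time; an empty candidate never matches (model policy)."""
    if not candidate:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample inputs: normal 2FA field, OTP only, and a short field.
    for field in ("hunter2!492817", "492817", "abc"):
        password, otp = split_field(field)
        print(repr(field), "->", repr(password), repr(otp),
              "match" if pap_matches(password, "hunter2!") else "reject")
```

The last two inputs show that a field no longer than the OTP length leaves an empty password component, which this model rejects instead of comparing.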
Backend Mapping
The backend must populate the user password:
backends {
    sqlite "USERS" {
        filename "users.db";
        query "FIND_USER" {
            statement "SELECT username, password FROM users WHERE username = ?";
            bindings {
                aaa.identity;
            }
            mapping {
                user.username = username;
                user.password = password; # Required for PAP
            }
        }
    }
}
Required context variables:
user.password - User's password for comparison
Related Actions
http-basic-auth - HTTP Basic Authentication for HTTP server handlers
totp - Time-based OTP for 2FA
hotp - Counter-based OTP for 2FA
chap - Challenge-response authentication
mschapv2 - Microsoft CHAP v2 authentication