ootp/doc/urd.html

554 lines
9.3 KiB
HTML
Raw Normal View History

2017-01-03 11:10:10 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>urd</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
></A
><SPAN
CLASS="APPLICATION"
>urd</SPAN
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>urd</SPAN
>&nbsp;--&nbsp;Micro footprint RADIUS daemon with One Time Password support.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>urd</B
2017-01-03 11:16:53 +00:00
> [-?AhcdDmMOux] [-a<TT
2017-01-03 11:10:10 +00:00
CLASS="REPLACEABLE"
><I
2017-01-03 11:16:53 +00:00
> authorized_users_file</I
2017-01-03 11:10:10 +00:00
></TT
>] [-b<TT
CLASS="REPLACEABLE"
><I
> local_ip</I
></TT
>] [-B<TT
CLASS="REPLACEABLE"
><I
> local_port</I
></TT
>] [-o<TT
CLASS="REPLACEABLE"
><I
> otp_db</I
></TT
>] [-p<TT
CLASS="REPLACEABLE"
><I
> passwd_file</I
></TT
>] [-P<TT
CLASS="REPLACEABLE"
><I
> pid_file</I
></TT
>] [-s<TT
CLASS="REPLACEABLE"
><I
> secret_file</I
></TT
2017-01-03 11:16:53 +00:00
>] [-S<TT
CLASS="REPLACEABLE"
><I
> auth_service_name</I
></TT
>] [-V<TT
CLASS="REPLACEABLE"
><I
> service_name</I
></TT
2017-01-03 11:14:13 +00:00
>] [-w<TT
CLASS="REPLACEABLE"
><I
> otp_window</I
></TT
2017-01-03 11:10:10 +00:00
>]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
2017-01-03 11:16:53 +00:00
NAME="AEN34"
2017-01-03 11:10:10 +00:00
></A
><H2
>DESCRIPTION</H2
><P
>The <B
CLASS="COMMAND"
>urd</B
> daemon implements a minimal subset
of the RADIUS protocol for user authentication with optional
One Time Passwords. Accounting is not supported. Configuration
files include a <TT
CLASS="FILENAME"
>passwd</TT
> file in Unix passwd(5)
format, an optional <TT
CLASS="FILENAME"
2017-01-03 11:16:53 +00:00
>authorized_users</TT
2017-01-03 11:10:10 +00:00
> file for
authenticating with a subset of the <TT
CLASS="FILENAME"
>passwd</TT
> file, a
<TT
CLASS="FILENAME"
>secret</TT
> file for the shared RADIUS secret, and
<TT
CLASS="FILENAME"
>otp_db</TT
> for One Time Password support.</P
><P
>The <TT
CLASS="FILENAME"
>passwd_file</TT
> and
<TT
CLASS="FILENAME"
>authorized_users_file</TT
>
are cached in memory for performance. To safely update these files
with the server running while avoiding race conditions first remove
both files, update <TT
CLASS="FILENAME"
>authorized_users</TT
>, then use
rename(2) to atomically move the new <TT
CLASS="FILENAME"
>passwd</TT
> into
place. <B
CLASS="COMMAND"
>urd</B
> will then automatically reload the newer
<TT
CLASS="FILENAME"
>passwd</TT
> and <TT
CLASS="FILENAME"
>authorized_users</TT
>
files. If these files are not available during a user authentication the
cached in memory database is used. They must be available when
<B
CLASS="COMMAND"
>urd</B
> starts.</P
><P
>The OTP database can safely be manipulated with <B
CLASS="COMMAND"
>otp-control</B
>
while the server is running. OTP user records are locked using flock(2)
before any Read Modify Write operations are performed.</P
><P
>An alternate OTP database can be specified as <TT
CLASS="FILENAME"
>otb_db</TT
>.</P
><P
2017-01-03 11:16:53 +00:00
>PAM authentication is optionally supported for passwords. PAM can
be configured as the sole means of authentication, or the locally
configured password file may be used as a method of selecting valid
users to later be authenticated with PAM. PAM can be used for the
reusable password, the OTP API is always used for two factor authentication.</P
><P
2017-01-03 11:10:10 +00:00
>The <TT
CLASS="FILENAME"
>secret</TT
> file contains the key shared
by the RADIUS NAS and RADIUS server. It must be less than 32 bytes.</P
><P
>Two Special user names, urd_debug and urd_stats, which if configured
to authenticate successfully will toggle debugging and dump the internal
state and request cache respectively. If these users are not configured
with a password this feature will be disabled.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
2017-01-03 11:16:53 +00:00
NAME="AEN60"
2017-01-03 11:10:10 +00:00
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
2017-01-03 11:16:53 +00:00
>-a, --authorized-users-db=<TT
2017-01-03 11:10:10 +00:00
CLASS="REPLACEABLE"
><I
2017-01-03 11:16:53 +00:00
> authorized_users_file</I
2017-01-03 11:10:10 +00:00
></TT
></DT
><DD
><P
>Specify an alternate location for the <TT
CLASS="FILENAME"
2017-01-03 11:16:53 +00:00
>authorized_users_file</TT
2017-01-03 11:10:10 +00:00
>.</P
><P
>The <TT
CLASS="FILENAME"
2017-01-03 11:16:53 +00:00
>authorized_users_file</TT
2017-01-03 11:10:10 +00:00
> contains one username per line.
When configured this option requires a user to be listed
in <TT
CLASS="FILENAME"
2017-01-03 11:16:53 +00:00
>authorized_users_file</TT
2017-01-03 11:10:10 +00:00
> for authentication to proceed
with the password and One Time Password functions.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-A, --disable-authorized-users</DT
2017-01-03 11:10:10 +00:00
><DD
><P
>Disable <TT
CLASS="FILENAME"
>authorized_users</TT
> feature. This option must
be set if the <TT
CLASS="FILENAME"
>authorized_users_file</TT
> is not used.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-b, --bind-ip-address=<TT
2017-01-03 11:10:10 +00:00
CLASS="REPLACEABLE"
><I
> local_ip</I
></TT
></DT
><DD
><P
>Specify an IP address to bind(2) to. The default behavior will bind to
INADDR_ANY.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-B, --bind-udp-port=<TT
2017-01-03 11:10:10 +00:00
CLASS="REPLACEABLE"
><I
> local_port</I
></TT
></DT
><DD
><P
>Specify the local UDP port to bind(2) to. The default behavior will bind
to UDP port 1812.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-c, --display-count</DT
><DD
><P
>Force count to be passed to RADIUS NAS. Not all devices will be able to
display this field.</P
></DD
><DT
>-d, --debug=<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
></DT
2017-01-03 11:10:10 +00:00
><DD
><P
>Enable verbose debugging.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-D, --disable-daemon-mode</DT
2017-01-03 11:10:10 +00:00
><DD
><P
>Disable daemon mode. When specified <B
CLASS="COMMAND"
>urd</B
> will not
run in the background and stdout is available for debugging information.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-m, --pam-authentication-enable</DT
><DD
><P
>Authenticate with PAM. The user must be present in the local password
and optionally authorized users files before PAM authentication.</P
></DD
><DT
>-M, --pam-authentication-exclusive</DT
><DD
><P
>Authenticate with PAM. The local password file is not consulted.</P
></DD
><DT
>-o, --otp-db=<TT
2017-01-03 11:10:10 +00:00
CLASS="REPLACEABLE"
><I
> otp_db</I
></TT
></DT
><DD
><P
>Specify an alternate location for the One Time Password database
<TT
CLASS="FILENAME"
>otp_db</TT
>.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-O, --otp-disable</DT
2017-01-03 11:10:10 +00:00
><DD
><P
>Disable the use of One Time Passwords.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-p, --password-db=<TT
2017-01-03 11:10:10 +00:00
CLASS="REPLACEABLE"
><I
> passwd_file</I
></TT
></DT
><DD
><P
>Specify an alternate location for the <TT
CLASS="FILENAME"
>passwd</TT
>
file. The <TT
CLASS="FILENAME"
>passwd</TT
> file is in Unix passwd(5) format.
Fields beyond the username and password hash are ignored. The users
password is hashed with crypt(3) and compared to the hash stored in this file
for authentication.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-P, --pidfile=<TT
2017-01-03 11:10:10 +00:00
CLASS="REPLACEABLE"
><I
> pid_file</I
></TT
></DT
><DD
><P
>Specify an alternate location for a file containing the process ID
of the RADIUS server. If a listen IP address or non standard UDP listen
port is configured the PID filename will contain the IP address and
port to differentiate it from other instances of <B
CLASS="COMMAND"
>urd</B
>
running on the same server.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-s, --server-secret=<TT
2017-01-03 11:10:10 +00:00
CLASS="REPLACEABLE"
><I
> secret_file</I
></TT
></DT
><DD
><P
>Specify an alternate location for the <TT
CLASS="FILENAME"
>secret_file</TT
>.
The <TT
CLASS="FILENAME"
>secret_file</TT
> contains the shared secret between
the NAS and RADIUS server and must be less than 32 bytes.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-S, --pam-service-name=<TT
CLASS="REPLACEABLE"
><I
> auth_service_name</I
></TT
></DT
><DD
><P
>Specify an alternate name for the PAM authentication service. Defaults
to urd.</P
></DD
><DT
>-u, --otp-allow-unknown-user</DT
2017-01-03 11:10:10 +00:00
><DD
><P
>Allow users which do not exist in the OTP database to successfully
authenticate without using a One Time Password, only a valid password
will be required.</P
></DD
><DT
2017-01-03 11:16:53 +00:00
>-V, --service-name=<TT
CLASS="REPLACEABLE"
><I
> service_name</I
></TT
></DT
2017-01-03 11:10:10 +00:00
><DD
><P
2017-01-03 11:16:53 +00:00
>Set service name for send-token function.</P
></DD
><DT
>--version</DT
><DD
><P
>Display software version.</P
2017-01-03 11:10:10 +00:00
></DD
2017-01-03 11:14:13 +00:00
><DT
2017-01-03 11:16:53 +00:00
>-w, --otp-challenge-window=<TT
CLASS="REPLACEABLE"
><I
> window</I
></TT
></DT
2017-01-03 11:14:13 +00:00
><DD
><P
>Set the OTP challenge window.</P
></DD
2017-01-03 11:16:53 +00:00
><DT
>-x, --debug-drop-udp-packets</DT
><DD
><P
>Drop every other RADIUS request from a NAS. This is a debugging feature
intended to stress test the reply cache code. The reply cache
implements state retention required for the use of One Time Passwords.</P
></DD
2017-01-03 11:10:10 +00:00
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
2017-01-03 11:16:53 +00:00
NAME="AEN167"
2017-01-03 11:10:10 +00:00
></A
><H2
>EXAMPLES</H2
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
2017-01-03 11:16:53 +00:00
NAME="AEN169"
2017-01-03 11:10:10 +00:00
></A
><P
>The following command will start the urd server, bind it to IP address
10.1.0.1, authenticate users with passwords in
<TT
CLASS="FILENAME"
>/var/urd/passwd</TT
>, use
<TT
CLASS="FILENAME"
>/var/urd/secret</TT
> as the shared secret with the NAS,
authenticate users using one time passwords in
<TT
CLASS="FILENAME"
>/var/urd/HOTP.db</TT
>, enable debugging, and run in the
foreground.</P
><P
><B
CLASS="COMMAND"
>urd -b 10.1.0.1 -p /var/urd/passwd -s /var/urd/secret -o /var/urd/HOTP.db -d -D</B
></P
><PRE
CLASS="SCREEN"
></PRE
><P
></P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
2017-01-03 11:16:53 +00:00
NAME="AEN177"
2017-01-03 11:10:10 +00:00
></A
><H2
>AUTHOR</H2
><P
>Mark Fullmer
<CODE
CLASS="EMAIL"
>&#60;<A
HREF="mailto:maf@splintered.net"
>maf@splintered.net</A
>&#62;</CODE
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
2017-01-03 11:16:53 +00:00
NAME="AEN184"
2017-01-03 11:10:10 +00:00
></A
><H2
>SEE ALSO</H2
><P
><SPAN
CLASS="APPLICATION"
>otp-control</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>otp-sca</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>otp-sct</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>pam_otp</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>htsoft-downloader</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>bcload</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>otp-ov-plugin</SPAN
>(1)
<SPAN
CLASS="HARDWARE"
>spyrus-par2</SPAN
>(7)</P
></DIV
></BODY
></HTML
>