...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\" transcript compatibility for postscript use.
...\"
...\" synopsis: .P! <file.ps>
...\"
.de P!
\\&.
.fl \" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl \" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u \" move below the image
..
.de pF
.ie \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie !\\*(f4 \{\
. ft \\*(f4
. ds f4\"
' br \}
.el .ie !\\*(f3 \{\
. ft \\*(f3
. ds f3\"
' br \}
.el .ie !\\*(f2 \{\
. ft \\*(f2
. ds f2\"
' br \}
.el .ie !\\*(f1 \{\
. ft \\*(f1
. ds f1\"
' br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n
.TH "\fBurd\fP" "1"
.SH "NAME"
\fBurd\fP \(em Micro footprint RADIUS daemon with One Time Password support\&.
.SH "SYNOPSIS"
.PP
\fBurd\fP [-?AhdDOux] [-a\fI allowed_users_file\fP] [-b\fI local_ip\fP] [-B\fI local_port\fP] [-o\fI otp_db\fP] [-p\fI passwd_file\fP] [-P\fI pid_file\fP] [-s\fI secret_file\fP]
.SH "DESCRIPTION"
.PP
The \fBurd\fP daemon implements a minimal subset
of the RADIUS protocol for user authentication with optional
One Time Passwords\&. Accounting is not supported\&. Configuration
files include a \fBpasswd\fP file in Unix passwd(5)
format, an optional \fBallowed_users\fP file for
restricting authentication to a subset of the users in the \fBpasswd\fP file, a
\fBsecret\fP file for the shared RADIUS secret, and
\fBotp_db\fP for One Time Password support\&.
.PP
The \fBpasswd_file\fP and
\fBallowed_users_file\fP are cached in memory for performance\&. To safely update these files
with the server running while avoiding race conditions, first remove
both files, update \fBallowed_users\fP, then use
rename(2) to atomically move the new \fBpasswd\fP into
place\&. \fBurd\fP will then automatically reload the newer
\fBpasswd\fP and \fBallowed_users\fP files\&. If these files are not available during a user authentication the
in-memory cached database is used, so authentication continues while the
files are being replaced\&. They must be available when
\fBurd\fP starts\&.
.PP
The OTP database can safely be manipulated with \fBotp-control\fP while the server is running\&. OTP user records are locked using flock(2)
before any read-modify-write operations are performed\&.
.PP
An alternate OTP database can be specified with the \fB-o\fP \fIotp_db\fP option\&.
.PP
The \fBsecret\fP file contains the key shared
by the RADIUS NAS and RADIUS server\&. It must be less than 32 bytes\&.
Anyone who can read the shared secret can impersonate the NAS or the
server, so the file should be readable only by the user \fBurd\fP runs as,
and the secret should be a random value rather than a guessable word\&.
.PP
Two special user names, \fBurd_debug\fP and \fBurd_stats\fP, which if configured
to authenticate successfully will toggle debugging and dump the internal
state and request cache respectively\&. If these users are not configured
with a password this feature is disabled\&. Because these actions are
triggered by a successful authentication request over the network, leave
these users unconfigured on production servers or give them strong,
unique passwords\&.
.SH "OPTIONS"
.IP "-a\fI allowed_users_file\fP" 10
Specify an alternate location for the \fBallowed_users_file\fP\&.
.IP "" 10
The \fBallowed_users_file\fP contains one username per line\&.
When configured this option requires a user to be listed
in \fBallowed_users_file\fP for authentication to proceed
with the password and One Time Password functions\&.
.IP "-A" 10
Disable the \fBallowed_users\fP feature\&. This option must
be set if the \fBallowed_users_file\fP is not used\&.
.IP "-b\fI local_ip\fP" 10
Specify an IP address to bind(2) to\&. The default behavior will bind to
INADDR_ANY, that is, to all local interfaces\&.
.IP "-B\fI local_port\fP" 10
Specify the local UDP port to bind(2) to\&. The default behavior will bind
to UDP port 1812\&.
.IP "-d" 10
Enable verbose debugging\&.
.IP "-D" 10
Disable daemon mode\&. When specified \fBurd\fP will not
run in the background and stdout is available for debugging information\&.
.IP "-o\fI otp_db\fP" 10
Specify an alternate location for the One Time Password database
\fBotp_db\fP\&.
.IP "-O" 10
Disable the use of One Time Passwords\&.
.IP "-p\fI passwd_file\fP" 10
Specify an alternate location for the \fBpasswd\fP file\&. The \fBpasswd\fP file is in Unix passwd(5) format\&.
Fields beyond the username and password hash are ignored\&. The user's
password is hashed with crypt(3) and compared to the hash stored in this file
for authentication\&.
.IP "-P\fI pid_file\fP" 10
Specify an alternate location for a file containing the process ID
of the RADIUS server\&. If a listen IP address or non standard UDP listen
port is configured the PID filename will contain the IP address and
port to differentiate it from other instances of \fBurd\fP running on the same server\&.
.IP "-s\fI secret_file\fP" 10
Specify an alternate location for the \fBsecret_file\fP\&.
The \fBsecret_file\fP contains the shared secret between
the NAS and RADIUS server and must be less than 32 bytes\&.
.IP "-u" 10
Allow users which do not exist in the OTP database to successfully
authenticate without using a One Time Password; only a valid password
will be required\&. Enabling this option means any user not enrolled in
\fBotp_db\fP falls back to single-factor (password only) authentication\&.
.IP "-x" 10
Drop every other RADIUS request from a NAS\&. This is a debugging feature
intended to stress test the reply cache code and should not be enabled
on a production server\&. The reply cache
implements the state retention required for the use of One Time Passwords\&.
.SH "EXAMPLES"
.PP
The following command will start the urd server, bind it to IP address
10\&.1\&.0\&.1, authenticate users with passwords in
\fB/var/urd/passwd\fP, use
\fB/var/urd/secret\fP as the shared secret with the NAS,
authenticate users using one time passwords in
\fB/var/urd/HOTP\&.db\fP, enable debugging, and run in the
foreground\&.
.PP
\fBurd -b 10\&.1\&.0\&.1 -p /var/urd/passwd -s /var/urd/secret -o /var/urd/HOTP\&.db -d -D\fP
.PP
.nf
.fi
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBotp-control\fP(1)
\fBotp-sca\fP(1)
\fBotp-sct\fP(1)
\fBpam_otp\fP(1)
\fBhtsoft-downloader\fP(1)
\fBbcload\fP(1)
\fBotp-ov-plugin\fP(1)
spyrus-par2(7)
...\" created by instant / docbook-to-man, Mon 30 Nov 2009, 13:16