DESCRIPTION

otp-control 1 otp-control Local user database configuration for One Time Password package. otp-control -?hnv -c count -C count_ceil -F sc_flags -H sc_hostname -I sc_index -k key -m command_mode -o otpdb_pathname -u username -w window DESCRIPTION The otp-control command is a front end to the local One Time Password database. Users can be added, modified and removed by otp-control. OPTIONS -c count User count. The count increases with each OTP transaction. -C count_ceil User count ceiling. Highest count allowed for this user. Configuring the count_ceiling allows a user key to be shared among multiple systems each with a unique count window, where count <= count_ceiling. A count value must only be allowed for authentication once. Example: host=h1, user=bob, count_current=0, count_ceil=10000. host=h2, user=bob, count_current=10001, count_ceil=20000. The number of keys a user must possess is decreased at the expense of security dependencies among multiple systems. If system A is compromised, OTP's can be generated for the user(s) on system B from the shared keys on system A. To generate an OTP out of sequence the count must be presented to the OTP generator. The additional step of entering the count to the OTP generator is not necessary when keys are not shared, as the currrent count will increase on the OTP generator and system database during authentication. -h Help. -F sc_flags Set the SC flags with the list-sc command mode. 0=CHALLENGE, 1=READERKEY. -H sc_hostname Set the SC hostname with the list-sc command mode. -I sc_index Set the SC index with the list-sc command mode. -k key 160 bit shared secret key in ASCII HEX. The secret key is shared between the OTP generation hardware/software for a user and the local OTP database. Each user typically will have a unique key unless a shared key with unique count space is provisioned. Use - for stdin. Example key: C0C3D47F1CC68ECE0DF81D008F0C0D72D43EB745 -m command_mode Mode Description ------------------------------------------------- add - Add user activate - Activate user create - Create database deactivate - Deactivate user disable - Disable user dump - ASCII dump user record(s) flags-dspcnt - Set user display count flag. flags-no-dspcnt - Clear user display count flag. generate - Generate HOTP for user list - List user record (printable) list-sc - List user record (SC friendly) load - ASCII load user record(s) remove - Remove user set-count - Reset count for user set-count-ceil - Reset count ceiling for user test - Test user -n Create new database if one does not exist. -o otp_pathname Pathname of OTP database. -u username Username to perform database operation on. -v Enable verbose output (debugging). -w window Set the maximum window (count above the system count) where an OTP will successfully authenticate. For user bob with with OTP generator count_current=30, and system OTP database for bob count_current 15, the default window (10) will not allow the user to authenticate, even though the OTP is computed with a valid shared key. This can be caused by the user repeatedly generating an OTP which is not used for authentication. When generating an OTP (mode generate) the window will configure the number of tokens generated. OTP-CONTROL COMMANDS add : add user to OTP database. count_cur and count_ceiling may optionally be specified with -c and -C respectively. A random key will be generated if no key is specified with -k. activate : activate user. An active user must provide a OTP for successful authentication. An inactive user _may_ be successfully authenticated without a OTP depending on the application configuration. The pam_otp module can be configured to use this flag with the "allow_inactive" option. create : create OTP database. The OTP database is a base directory with each user stored in a separate ASCII : delimited file in base_dir/d. deactivate : deactivate user. See activate. disable : disable user. A disabled user can not successfully authenticate. dump : dump user database in ASCII. User records are separated by a newline. Fields are : separated. All fields except the username are HEX encoded. #version:user:key:status:format:type:flags:count_cur:count_ceil:last 01:test:1111111111111111111111111111111111111111:01:01:01:00:00000000000003E8:00000000000007D0:0000000000000000 flags-dspcnt : set the display count flag. An application such as pam_otp will use this flag to control the display of the OTP count when challenging a user. flags-no-dspcnt : clear the display count flag. generate : generate OTP for user. The -w flag may be used to generate multiple OTP tokens. list : list user record in user friendly format. list-sc : list user record in otp-sc import friendly format. The SC hostname must be specified with -H. The SC index and SC flags may optionally be specified with -I and -F. load : load user record(s)s in ASCII format. See dump. remove : remove user from OTP database. set-count : set count_current for user. set-count-ceil : set count_ceiling for user. A OTP will not authenticate when count_cur >= count_cieiling. test : test OTP authentication for user. EXAMPLES Create a new OTP database /etc/otpdb. Add user bob with random key. otp-control -n -f /etc/otpdb -u bob -m add Generating random 160 bit key. Adding user bob. Display user bob OTP database entry. otp-control -u bob -m list Username.......bob Key............C381739834A63A67B0B9F7F7D36C8C567F6BFB3D Count..........0 (0x0) Count Ceiling..18446744073709551615 (0xFFFFFFFFFFFFFFFF) Version........1 Status.........active (1) Format.........hex40 (1) Type...........HOTP (1) Flags..........00 Generate OTP for user bob. otp-control -u bob -m generate count=0 crsp=882B0E8410 Test OTP for user bob. otp-control -u bob -m test Testing authentication for user bob. OTP challenge for user bob (0): 882B0E8410 Success. Dump OTP database to stdout. Fields other than username are hex encoded. Use the load command to import records in this format. otp-control -m dump #version:user:key:status:format:type:flags:count_cur:count_ceil:last 01:bob:C381739834A63A67B0B9F7F7D36C8C567F6BFB3D:01:01:01:00:0000000000000001:FFFFFFFFFFFFFFFF:000000004AA02F9E Dump OTP user to stdout in format friendly to otp-sca. Note the hostname must be set with -H. The index will default to 0 if not specified with -I. SC flags may be set with -F. otp-control -u test -m list-sc -H dev1 #index:count:hostname:key 00:000003E8:646576310000000000000000:1111111111111111111111111111111111111111 AUTHOR Mark Fullmer maf@splintered.net SEE ALSO otp-sca(1) otp-sct(1) pam_otp(1) htsoft-downloader(1) otp-ov-plugin(1) urd(1) bcload(1) spyrus-par2(7)