urd 1 urd Micro footprint RADIUS daemon with One Time Password support. urd -?AhdDOux -a allowed_users_file -b local_ip -B local_port -o otp_db -p passwd_file -P pid_file -s secret_file DESCRIPTION The urd daemon implements a minimal subset of the RADIUS protocol for user authentication with optional One Time Passwords. Accounting is not supported. Configuration files include a passwd file in Unix passwd(5) format, an optional allowed_users file for authenticating with a subset of the passwd file, a secret file for the shared RADIUS secret, and otp_db for One Time Password support. The passwd_file and authorized_users_file are cached in memory for performance. To safely update these files with the server running while avoiding race conditions first remove both files, update authorized_users, then use rename(2) to atomically move the new passwd into place. urd will then automatically reload the newer passwd and authorized_users files. If these files are not available during a user authentication the cached in memory database is used. They must be available when urd starts. The OTP database can safely be manipulated with otp-control while the server is running. OTP user records are locked using flock(2) before any Read Modify Write operations are performed. An alternate OTP database can be specified as otb_db. The secret file contains the key shared by the RADIUS NAS and RADIUS server. It must be less than 32 bytes. Two Special user names, urd_debug and urd_stats, which if configured to authenticate successfully will toggle debugging and dump the internal state and request cache respectively. If these users are not configured with a password this feature will be disabled. OPTIONS -a allowed_users_file Specify an alternate location for the allowed_users_file. The allowed_users_file contains one username per line. When configured this option requires a user to be listed in allowed_users_file for authentication to proceed with the password and One Time Password functions. -A Disable authorized_users feature. This option must be set if the authorized_users_file is not used. -b local_ip Specify an IP address to bind(2) to. The default behavior will bind to INADDR_ANY. -B local_port Specify the local UDP port to bind(2) to. The default behavior will bind to UDP port 1812. -d Enable verbose debugging. -D Disable daemon mode. When specified urd will not run in the background and stdout is available for debugging information. -o otp_db Specify an alternate location for the One Time Password database otp_db. -O Disable the use of One Time Passwords. -p passwd_file Specify an alternate location for the passwd file. The passwd file is in Unix passwd(5) format. Fields beyond the username and password hash are ignored. The users password is hashed with crypt(3) and compared to the hash stored in this file for authentication. -P pid_file Specify an alternate location for a file containing the process ID of the RADIUS server. If a listen IP address or non standard UDP listen port is configured the PID filename will contain the IP address and port to differentiate it from other instances of urd running on the same server. -s secret_file Specify an alternate location for the secret_file. The secret_file contains the shared secret between the NAS and RADIUS server and must be less than 32 bytes. -u Allow users which do not exist in the OTP database to successfully authenticate without using a One Time Password, only a valid password will be required. -x Drop every other RADIUS request from a NAS. This is a debugging feature intended to stress test the reply cache code. The reply cache implements state retention required for the use of One Time Passwords. EXAMPLES The following command will start the urd server, bind it to IP address 10.1.0.1, authenticate users with passwords in /var/urd/passwd, use /var/urd/secret as the shared secret with the NAS, authenticate users using one time passwords in /var/urd/HOTP.db, enable debugging, and run in the foreground. urd -b 10.1.0.1 -p /var/urd/passwd -s /var/urd/secret -o /var/urd/HOTP.db -d -D AUTHOR Mark Fullmer maf@splintered.net SEE ALSO otp-control(1) otp-sca(1) otp-sct(1) pam_otp(1) htsoft-downloader(1) bcload(1) otp-ov-plugin(1) spyrus-par2(7)