...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $ ...\" ...\" transcript compatibility for postscript use. ...\" ...\" synopsis: .P! ...\" .de P! \\&. .fl \" force out current output buffer \\!%PB \\!/showpage{}def ...\" the following is from Ken Flowers -- it prevents dictionary overflows \\!/tempdict 200 dict def tempdict begin .fl \" prolog .sy cat \\$1\" bring in postscript file ...\" the following line matches the tempdict above \\!end % tempdict % \\!PE \\!. .sp \\$2u \" move below the image .. .de pF .ie \\*(f1 .ds f1 \\n(.f .el .ie \\*(f2 .ds f2 \\n(.f .el .ie \\*(f3 .ds f3 \\n(.f .el .ie \\*(f4 .ds f4 \\n(.f .el .tm ? font overflow .ft \\$1 .. .de fP .ie !\\*(f4 \{\ . ft \\*(f4 . ds f4\" ' br \} .el .ie !\\*(f3 \{\ . ft \\*(f3 . ds f3\" ' br \} .el .ie !\\*(f2 \{\ . ft \\*(f2 . ds f2\" ' br \} .el .ie !\\*(f1 \{\ . ft \\*(f1 . ds f1\" ' br \} .el .tm ? font underflow .. .ds f1\" .ds f2\" .ds f3\" .ds f4\" .ta 8n 16n 24n 32n 40n 48n 56n 64n 72n .TH "\fBurd\fP" "1" .SH "NAME" \fBurd\fP \(em Micro footprint RADIUS daemon with One Time Password support\&. .SH "SYNOPSIS" .PP \fBurd\fP [-?AhcdDmMOux] [-a\fI authorized_users_file\fP] [-b\fI local_ip\fP] [-B\fI local_port\fP] [-o\fI otp_db\fP] [-p\fI passwd_file\fP] [-P\fI pid_file\fP] [-s\fI secret_file\fP] [-S\fI auth_service_name\fP] [-V\fI service_name\fP] [-w\fI otp_window\fP] .SH "DESCRIPTION" .PP The \fBurd\fP daemon implements a minimal subset of the RADIUS protocol for user authentication with optional One Time Passwords\&. Accounting is not supported\&. Configuration files include a \fBpasswd\fP file in Unix passwd(5) format, an optional \fBauthorized_users\fP file for authenticating with a subset of the \fBpasswd\fP file, a \fBsecret\fP file for the shared RADIUS secret, and \fBotp_db\fP for One Time Password support\&. .PP The \fBpasswd_file\fP and \fBauthorized_users_file\fP are cached in memory for performance\&. To safely update these files with the server running while avoiding race conditions first remove both files, update \fBauthorized_users\fP, then use rename(2) to atomically move the new \fBpasswd\fP into place\&. \fBurd\fP will then automatically reload the newer \fBpasswd\fP and \fBauthorized_users\fP files\&. If these files are not available during a user authentication the cached in memory database is used\&. They must be available when \fBurd\fP starts\&. .PP The OTP database can safely be manipulated with \fBotp-control\fP while the server is running\&. OTP user records are locked using flock(2) before any Read Modify Write operations are performed\&. .PP An alternate OTP database can be specified as \fBotb_db\fP\&. .PP PAM authentication is optionally supported for passwords\&. PAM can be configured as the sole means of authentication, or the locally configured password file may be used as a method of selecting valid users to later be authenticated with PAM\&. PAM can be used for the reusable password, the OTP API is always used for two factor authentication\&. .PP The \fBsecret\fP file contains the key shared by the RADIUS NAS and RADIUS server\&. It must be less than 32 bytes\&. .PP Two Special user names, urd_debug and urd_stats, which if configured to authenticate successfully will toggle debugging and dump the internal state and request cache respectively\&. If these users are not configured with a password this feature will be disabled\&. .SH "OPTIONS" .IP "-a, --authorized-users-db=\fI authorized_users_file\fP" 10 Specify an alternate location for the \fBauthorized_users_file\fP\&. .IP "" 10 The \fBauthorized_users_file\fP contains one username per line\&. When configured this option requires a user to be listed in \fBauthorized_users_file\fP for authentication to proceed with the password and One Time Password functions\&. .IP "-A, --disable-authorized-users" 10 Disable \fBauthorized_users\fP feature\&. This option must be set if the \fBauthorized_users_file\fP is not used\&. .IP "-b, --bind-ip-address=\fI local_ip\fP" 10 Specify an IP address to bind(2) to\&. The default behavior will bind to INADDR_ANY\&. .IP "-B, --bind-udp-port=\fI local_port\fP" 10 Specify the local UDP port to bind(2) to\&. The default behavior will bind to UDP port 1812\&. .IP "-c, --display-count" 10 Force count to be passed to RADIUS NAS\&. Not all devices will be able to display this field\&. .IP "-d, --debug=\fI debug_level\fP" 10 Enable verbose debugging\&. .IP "-D, --disable-daemon-mode" 10 Disable daemon mode\&. When specified \fBurd\fP will not run in the background and stdout is available for debugging information\&. .IP "-m, --pam-authentication-enable" 10 Authenticate with PAM\&. The user must be present in the local password and optionally authorized users files before PAM authentication\&. .IP "-M, --pam-authentication-exclusive" 10 Authenticate with PAM\&. The local password file is not consulted\&. .IP "-o, --otp-db=\fI otp_db\fP" 10 Specify an alternate location for the One Time Password database \fBotp_db\fP\&. .IP "-O, --otp-disable" 10 Disable the use of One Time Passwords\&. .IP "-p, --password-db=\fI passwd_file\fP" 10 Specify an alternate location for the \fBpasswd\fP file\&. The \fBpasswd\fP file is in Unix passwd(5) format\&. Fields beyond the username and password hash are ignored\&. The users password is hashed with crypt(3) and compared to the hash stored in this file for authentication\&. .IP "-P, --pidfile=\fI pid_file\fP" 10 Specify an alternate location for a file containing the process ID of the RADIUS server\&. If a listen IP address or non standard UDP listen port is configured the PID filename will contain the IP address and port to differentiate it from other instances of \fBurd\fP running on the same server\&. .IP "-s, --server-secret=\fI secret_file\fP" 10 Specify an alternate location for the \fBsecret_file\fP\&. The \fBsecret_file\fP contains the shared secret between the NAS and RADIUS server and must be less than 32 bytes\&. .IP "-S, --pam-service-name=\fI auth_service_name\fP" 10 Specify an alternate name for the PAM authentication service\&. Defaults to urd\&. .IP "-u, --otp-allow-unknown-user" 10 Allow users which do not exist in the OTP database to successfully authenticate without using a One Time Password, only a valid password will be required\&. .IP "-V, --service-name=\fI service_name\fP" 10 Set service name for send-token function\&. .IP "--version" 10 Display software version\&. .IP "-w, --otp-challenge-window=\fI window\fP" 10 Set the OTP challenge window\&. .IP "-x, --debug-drop-udp-packets" 10 Drop every other RADIUS request from a NAS\&. This is a debugging feature intended to stress test the reply cache code\&. The reply cache implements state retention required for the use of One Time Passwords\&. .SH "EXAMPLES" .PP The following command will start the urd server, bind it to IP address 10\&.1\&.0\&.1, authenticate users with passwords in \fB/var/urd/passwd\fP, use \fB/var/urd/secret\fP as the shared secret with the NAS, authenticate users using one time passwords in \fB/var/urd/HOTP\&.db\fP, enable debugging, and run in the foreground\&. .PP \fBurd -b 10\&.1\&.0\&.1 -p /var/urd/passwd -s /var/urd/secret -o /var/urd/HOTP\&.db -d -D\fP .PP .nf .fi .SH "AUTHOR" .PP Mark Fullmer maf@splintered\&.net .SH "SEE ALSO" .PP \fBotp-control\fP(1) \fBotp-sca\fP(1) \fBotp-sct\fP(1) \fBpam_otp\fP(1) \fBhtsoft-downloader\fP(1) \fBbcload\fP(1) \fBotp-ov-plugin\fP(1) spyrus-par2(7) ...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57