urd 1 urd Micro footprint RADIUS daemon with One Time Password support. urd -?AhcdDmMOux -a authorized_users_file -b local_ip -B local_port -o otp_db -p passwd_file -P pid_file -s secret_file -S auth_service_name -V service_name -w otp_window The urd daemon implements a minimal subset of the RADIUS protocol for user authentication with optional One Time Passwords. Accounting is not supported. Configuration files include a passwd file in Unix passwd(5) format, an optional authorized_users file for authenticating with a subset of the passwd file, a secret file for the shared RADIUS secret, and otp_db for One Time Password support. The passwd_file and authorized_users_file are cached in memory for performance. To safely update these files with the server running while avoiding race conditions first remove both files, update authorized_users, then use rename(2) to atomically move the new passwd into place. urd will then automatically reload the newer passwd and authorized_users files. If these files are not available during a user authentication the cached in memory database is used. They must be available when urd starts. The OTP database can safely be manipulated with otp-control while the server is running. OTP user records are locked using flock(2) before any Read Modify Write operations are performed. An alternate OTP database can be specified as otb_db. PAM authentication is optionally supported for passwords. PAM can be configured as the sole means of authentication, or the locally configured password file may be used as a method of selecting valid users to later be authenticated with PAM. PAM can be used for the reusable password, the OTP API is always used for two factor authentication. The secret file contains the key shared by the RADIUS NAS and RADIUS server. It must be less than 32 bytes. Two Special user names, urd_debug and urd_stats, which if configured to authenticate successfully will toggle debugging and dump the internal state and request cache respectively. If these users are not configured with a password this feature will be disabled. -a, --authorized-users-db= authorized_users_file Specify an alternate location for the authorized_users_file. The authorized_users_file contains one username per line. When configured this option requires a user to be listed in authorized_users_file for authentication to proceed with the password and One Time Password functions. -A, --disable-authorized-users Disable authorized_users feature. This option must be set if the authorized_users_file is not used. -b, --bind-ip-address= local_ip Specify an IP address to bind(2) to. The default behavior will bind to INADDR_ANY. -B, --bind-udp-port= local_port Specify the local UDP port to bind(2) to. The default behavior will bind to UDP port 1812. -c, --display-count Force count to be passed to RADIUS NAS. Not all devices will be able to display this field. -d, --debug= debug_level Enable verbose debugging. -D, --disable-daemon-mode Disable daemon mode. When specified urd will not run in the background and stdout is available for debugging information. -m, --pam-authentication-enable Authenticate with PAM. The user must be present in the local password and optionally authorized users files before PAM authentication. -M, --pam-authentication-exclusive Authenticate with PAM. The local password file is not consulted. -o, --otp-db= otp_db Specify an alternate location for the One Time Password database otp_db. -O, --otp-disable Disable the use of One Time Passwords. -p, --password-db= passwd_file Specify an alternate location for the passwd file. The passwd file is in Unix passwd(5) format. Fields beyond the username and password hash are ignored. The users password is hashed with crypt(3) and compared to the hash stored in this file for authentication. -P, --pidfile= pid_file Specify an alternate location for a file containing the process ID of the RADIUS server. If a listen IP address or non standard UDP listen port is configured the PID filename will contain the IP address and port to differentiate it from other instances of urd running on the same server. -s, --server-secret= secret_file Specify an alternate location for the secret_file. The secret_file contains the shared secret between the NAS and RADIUS server and must be less than 32 bytes. -S, --pam-service-name= auth_service_name Specify an alternate name for the PAM authentication service. Defaults to urd. -u, --otp-allow-unknown-user Allow users which do not exist in the OTP database to successfully authenticate without using a One Time Password, only a valid password will be required. -V, --service-name= service_name Set service name for send-token function. --version Display software version. -w, --otp-challenge-window= window Set the OTP challenge window. -x, --debug-drop-udp-packets Drop every other RADIUS request from a NAS. This is a debugging feature intended to stress test the reply cache code. The reply cache implements state retention required for the use of One Time Passwords. The following command will start the urd server, bind it to IP address 10.1.0.1, authenticate users with passwords in /var/urd/passwd, use /var/urd/secret as the shared secret with the NAS, authenticate users using one time passwords in /var/urd/HOTP.db, enable debugging, and run in the foreground. urd -b 10.1.0.1 -p /var/urd/passwd -s /var/urd/secret -o /var/urd/HOTP.db -d -D Mark Fullmer maf@splintered.net otp-control(1) otp-sca(1) otp-sct(1) pam_otp(1) htsoft-downloader(1) bcload(1) otp-ov-plugin(1) spyrus-par2(7)