mirror of
https://github.com/adulau/ootp.git
synced 2024-11-22 10:07:12 +00:00
746 lines
No EOL
13 KiB
HTML
746 lines
No EOL
13 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>otp-control</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD
|
|
><BODY
|
|
CLASS="REFENTRY"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><H1
|
|
><A
|
|
NAME="AEN1"
|
|
></A
|
|
><SPAN
|
|
CLASS="APPLICATION"
|
|
>otp-control</SPAN
|
|
></H1
|
|
><DIV
|
|
CLASS="REFNAMEDIV"
|
|
><A
|
|
NAME="AEN6"
|
|
></A
|
|
><H2
|
|
>Name</H2
|
|
><SPAN
|
|
CLASS="APPLICATION"
|
|
>otp-control</SPAN
|
|
> -- Local user database configuration for One Time Password package.</DIV
|
|
><DIV
|
|
CLASS="REFSYNOPSISDIV"
|
|
><A
|
|
NAME="AEN10"
|
|
></A
|
|
><H2
|
|
>Synopsis</H2
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>otp-control</B
|
|
> [-?hnv] [-c<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> count</I
|
|
></TT
|
|
>] [-C<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> count_ceiling</I
|
|
></TT
|
|
>] [-f<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> format</I
|
|
></TT
|
|
>] [-F<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> flag</I
|
|
></TT
|
|
>] [-H<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> sc_hostname</I
|
|
></TT
|
|
>] [-I<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> sc_index</I
|
|
></TT
|
|
>] [-k<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> key</I
|
|
></TT
|
|
>] [-l<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> location</I
|
|
></TT
|
|
>] [-m<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> command_mode</I
|
|
></TT
|
|
>] [-o<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> otp_db</I
|
|
></TT
|
|
>] [-s<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> status</I
|
|
></TT
|
|
>] [-S<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> sc_flags</I
|
|
></TT
|
|
>] [-t<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> type</I
|
|
></TT
|
|
>] [-u<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> username</I
|
|
></TT
|
|
>] [-V<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> service_name</I
|
|
></TT
|
|
>] [-w<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> window</I
|
|
></TT
|
|
>]</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="REFSECT1"
|
|
><A
|
|
NAME="AEN46"
|
|
></A
|
|
><H2
|
|
>DESCRIPTION</H2
|
|
><P
|
|
>The <B
|
|
CLASS="COMMAND"
|
|
>otp-control</B
|
|
> command is a front end to the
|
|
local One Time Password database. Users can be added, modified
|
|
and removed by <B
|
|
CLASS="COMMAND"
|
|
>otp-control.</B
|
|
></P
|
|
></DIV
|
|
><DIV
|
|
CLASS="REFSECT1"
|
|
><A
|
|
NAME="AEN51"
|
|
></A
|
|
><H2
|
|
>OPTIONS</H2
|
|
><P
|
|
></P
|
|
><DIV
|
|
CLASS="VARIABLELIST"
|
|
><DL
|
|
><DT
|
|
>-c, --count= <TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> count</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>User count. The count increases with each OTP transaction.</P
|
|
></DD
|
|
><DT
|
|
>-C, --count-ceil= <TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> count_ceiling</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>User count ceiling. Highest count allowed for this user. Configuring
|
|
the count_ceiling allows a user key to be shared among multiple
|
|
systems each with a unique count window, where count <= count_ceiling.</P
|
|
><P
|
|
>A count value must only be allowed for authentication once.</P
|
|
><P
|
|
>Example:</P
|
|
><P
|
|
>host=h1, user=bob, count_current=0, count_ceiling=10000.</P
|
|
><P
|
|
>host=h2, user=bob, count_current=10001, count_ceiling=20000.</P
|
|
><P
|
|
>The number of keys a user must possess is decreased at the expense
|
|
of security dependencies among multiple systems. If system A is
|
|
compromised, OTP's can be generated for the user(s) on system B from
|
|
the shared keys on system A. To generate an OTP out of sequence the count
|
|
must be presented to the OTP generator. The additional step of entering
|
|
the count to the OTP generator is not necessary when keys are not
|
|
shared, as the currrent count will increase on the OTP generator and
|
|
system database during authentication.</P
|
|
></DD
|
|
><DT
|
|
>-f, --format=</DT
|
|
><DD
|
|
><P
|
|
>OTP format. One of hex40 dhex40 dec31.6 dec31.7 dec31.8 dec31.9 dec31.10.
|
|
hex40 (40 bit hex) is the default. dec31.6 (31 bit decimal truncated to 6
|
|
digits) is suggested by RFC 4226 and may be required to interoperate with
|
|
other HOTP implementations. dhex40 uses the dynamic truncate function
|
|
in RFC 4226, where hex40 always uses the top 40 bits. dhex40 may be the
|
|
default in future releases.</P
|
|
></DD
|
|
><DT
|
|
>-F, --flag=</DT
|
|
><DD
|
|
><P
|
|
>OTP flag. All flags are unset by default.
|
|
<PRE
|
|
CLASS="SCREEN"
|
|
> Flag Description
|
|
-----------------------------------------------------------------
|
|
display-count : Display HOTP count when prompted for challenge.
|
|
send-token : Send token to user out of band.</PRE
|
|
></P
|
|
></DD
|
|
><DT
|
|
>-h, --help</DT
|
|
><DD
|
|
><P
|
|
>Help.</P
|
|
></DD
|
|
><DT
|
|
>-H, --sc_hostname=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> sc_hostname</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>Set the SC hostname for the list-sc command mode.</P
|
|
></DD
|
|
><DT
|
|
>-I, --sc_index=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> sc_index</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>Set the SC index for the list-sc command mode.</P
|
|
></DD
|
|
><DT
|
|
>-k, --key=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> key</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>160 bit shared secret key in ASCII HEX. The secret key is shared between
|
|
the OTP generation hardware/software for a user and the local OTP database.
|
|
Each user typically will have a unique key unless a shared key with
|
|
unique count space is provisioned. Use - for stdin. Example key:
|
|
C0C3D47F1CC68ECE0DF81D008F0C0D72D43EB745</P
|
|
></DD
|
|
><DT
|
|
>-l, --location=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> location</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>Location to send token to when SEND_TOKEN flag is set.</P
|
|
></DD
|
|
><DT
|
|
>-m, --command_mode=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> command_mode</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
></P
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> Mode Description
|
|
-------------------------------------------------
|
|
add - Add user
|
|
create - Create database
|
|
dump - ASCII dump user record(s)
|
|
generate - Generate HOTP for user
|
|
list - List user record (printable)
|
|
list-sc - List user record (SC friendly)
|
|
load - ASCII load user record(s)
|
|
remove - Remove user
|
|
send-token - Send token to user
|
|
set-count - Set user count
|
|
set-count-ceil - Set user count ceiling
|
|
set-flags - Set user flags
|
|
set-format - Set user format
|
|
set-status - Set user status
|
|
set-type - Set user OTP type
|
|
test - Test user</PRE
|
|
></DD
|
|
><DT
|
|
>-n, --create_database</DT
|
|
><DD
|
|
><P
|
|
>Create new database if one does not exist.</P
|
|
></DD
|
|
><DT
|
|
>-o, --otp-db=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> otp_db</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>Pathname of OTP database.</P
|
|
></DD
|
|
><DT
|
|
>-s, --status=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> status</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>OTP Status. The default status is active.
|
|
<PRE
|
|
CLASS="SCREEN"
|
|
> Status Description
|
|
-----------------------------------------------------------------
|
|
active : OTP is required for succesful authentication.
|
|
inactive : OTP may not be required for successful authentication.
|
|
The OTP authentication module may be configured to allow
|
|
inactive accounts to authenticate. This may be used to
|
|
temporarily remove the OTP authentication method for a
|
|
user.
|
|
disabled : Account is disabled. OTP authentication will fail.</PRE
|
|
></P
|
|
></DD
|
|
><DT
|
|
>-S, --sc-flags=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> sc_flags</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>Set the SC flags for the list-sc command mode. 0=CHALLENGE, 1=READERKEY.</P
|
|
></DD
|
|
><DT
|
|
>-t, --type=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> type</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>OTP Type. RFC 4226 HOTP is only supported type.</P
|
|
></DD
|
|
><DT
|
|
>-u, --username=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> username</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>Username to perform database operation on.</P
|
|
></DD
|
|
><DT
|
|
>-v, --verbose</DT
|
|
><DD
|
|
><P
|
|
>Enable verbose output (debugging).</P
|
|
></DD
|
|
><DT
|
|
>-V, --service-name=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> service_name</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>Set service name for send-token function.</P
|
|
></DD
|
|
><DT
|
|
>--version</DT
|
|
><DD
|
|
><P
|
|
>Display software version.</P
|
|
></DD
|
|
><DT
|
|
>-w, --challenge-window=<TT
|
|
CLASS="REPLACEABLE"
|
|
><I
|
|
> window</I
|
|
></TT
|
|
></DT
|
|
><DD
|
|
><P
|
|
>Set the maximum window (count above the system count) where an OTP
|
|
will successfully authenticate. For user bob with with OTP generator
|
|
count_current=30, and system OTP database for bob count_current 15, the
|
|
default window (10) will not allow the user to authenticate, even though
|
|
the OTP is computed with a valid shared key. This can be caused by the
|
|
user repeatedly generating an OTP which is not used for authentication.</P
|
|
><P
|
|
>When generating an OTP (mode generate) the window will configure the number
|
|
of tokens generated.</P
|
|
></DD
|
|
></DL
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="REFSECT1"
|
|
><A
|
|
NAME="AEN157"
|
|
></A
|
|
><H2
|
|
>OTP-CONTROL COMMANDS</H2
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>add</B
|
|
>
|
|
: add user to OTP database. count_cur and count_ceiling may optionally
|
|
be specified with -c and -C respectively. A random key will be generated
|
|
if no key is specified with -k. The format, flags, status, and type
|
|
may be altered from the defaults with -f, -F, -s, and -t respectively.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>create</B
|
|
>
|
|
: create OTP database. The OTP database is a base directory with each
|
|
user stored in a separate ASCII : delimited file in base_dir/d.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>dump</B
|
|
>
|
|
: dump user database in ASCII. User records are separated by a newline.
|
|
Fields are : separated. All fields except the username are HEX encoded.</P
|
|
><P
|
|
>#version:user:key:status:format:type:flags:count_cur:count_ceiling:last
|
|
01:test:1111111111111111111111111111111111111111:01:01:01:00:00000000000003E8:00000000000007D0:0000000000000000</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>generate</B
|
|
>
|
|
: generate OTP for user. The -w flag may be used to generate multiple
|
|
OTP tokens.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>list</B
|
|
>
|
|
: list user record in user friendly format.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>list-sc</B
|
|
>
|
|
: list user record in otp-sc import friendly format. The SC hostname
|
|
must be specified with -H. The SC index and SC flags may optionally be
|
|
specified with -I and -F.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>load</B
|
|
>
|
|
: load user record(s)s in ASCII format. See dump.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>remove</B
|
|
>
|
|
: remove user from OTP database.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>set-count</B
|
|
>
|
|
: set count_current for user.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>set-count-ceil</B
|
|
>
|
|
: set count_ceiling for user. A OTP will not authenticate when
|
|
count_cur >= count_cieiling.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>set-flags</B
|
|
>
|
|
: set flags for user. See option -F.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>set-format</B
|
|
>
|
|
: set format for user. See option -f.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>set-status</B
|
|
>
|
|
: set status for user. See option -s.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>set-type</B
|
|
>
|
|
: set status for user. See option -t.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>test</B
|
|
>
|
|
: test OTP authentication for user.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="REFSECT1"
|
|
><A
|
|
NAME="AEN190"
|
|
></A
|
|
><H2
|
|
>EXAMPLES</H2
|
|
><DIV
|
|
CLASS="INFORMALEXAMPLE"
|
|
><P
|
|
></P
|
|
><A
|
|
NAME="AEN192"
|
|
></A
|
|
><P
|
|
>Create a new OTP database /etc/otpdb. Add user bob with random key.</P
|
|
><P
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>otp-control -n -f /etc/otpdb -u bob -m add</B
|
|
></P
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>Generating random 160 bit key.
|
|
Adding user bob.</PRE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><DIV
|
|
CLASS="INFORMALEXAMPLE"
|
|
><P
|
|
></P
|
|
><A
|
|
NAME="AEN197"
|
|
></A
|
|
><P
|
|
>Display user bob OTP database entry.</P
|
|
><P
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>otp-control -u bob -m list</B
|
|
></P
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>Username.......bob
|
|
Key............C381739834A63A67B0B9F7F7D36C8C567F6BFB3D
|
|
Count..........0 (0x0)
|
|
Count Ceiling..18446744073709551615 (0xFFFFFFFFFFFFFFFF)
|
|
Version........1
|
|
Status.........active (1)
|
|
Format.........hex40 (1)
|
|
Type...........HOTP (1)
|
|
Flags..........[] (0x00)</PRE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><DIV
|
|
CLASS="INFORMALEXAMPLE"
|
|
><P
|
|
></P
|
|
><A
|
|
NAME="AEN202"
|
|
></A
|
|
><P
|
|
>Generate OTP for user bob.</P
|
|
><P
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>otp-control -u bob -m generate</B
|
|
></P
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>count=0 crsp=882B0E8410</PRE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><DIV
|
|
CLASS="INFORMALEXAMPLE"
|
|
><P
|
|
></P
|
|
><A
|
|
NAME="AEN207"
|
|
></A
|
|
><P
|
|
>Test OTP for user bob.</P
|
|
><P
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>otp-control -u bob -m test</B
|
|
></P
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>Testing authentication for user bob.
|
|
OTP challenge for user bob (0): 882B0E8410
|
|
Success.</PRE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><DIV
|
|
CLASS="INFORMALEXAMPLE"
|
|
><P
|
|
></P
|
|
><A
|
|
NAME="AEN212"
|
|
></A
|
|
><P
|
|
>Dump OTP database to stdout. Fields other than username are hex encoded.
|
|
Use the load command to import records in this format.</P
|
|
><P
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>otp-control -m dump</B
|
|
></P
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>#version:user:key:status:format:type:flags:count_cur:count_ceiling:last
|
|
01:bob:C381739834A63A67B0B9F7F7D36C8C567F6BFB3D:01:01:01:00:0000000000000001:FFFFFFFFFFFFFFFF:000000004AA02F9E</PRE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><DIV
|
|
CLASS="INFORMALEXAMPLE"
|
|
><P
|
|
></P
|
|
><A
|
|
NAME="AEN217"
|
|
></A
|
|
><P
|
|
>Dump OTP user to stdout in format friendly to <B
|
|
CLASS="COMMAND"
|
|
>otp-sca</B
|
|
>. Note the
|
|
hostname must be set with -H. The index will default to 0 if not specified
|
|
with -I. SC flags may be set with -F.</P
|
|
><P
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>otp-control -u test -m list-sc -H dev1</B
|
|
></P
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
><SAMP
|
|
CLASS="COMPUTEROUTPUT"
|
|
>#index:count:hostname:key
|
|
00:000003E8:646576310000000000000000:1111111111111111111111111111111111111111</SAMP
|
|
> </PRE
|
|
><P
|
|
></P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="REFSECT1"
|
|
><A
|
|
NAME="AEN224"
|
|
></A
|
|
><H2
|
|
>AUTHOR</H2
|
|
><P
|
|
>Mark Fullmer
|
|
<CODE
|
|
CLASS="EMAIL"
|
|
><<A
|
|
HREF="mailto:maf@splintered.net"
|
|
>maf@splintered.net</A
|
|
>></CODE
|
|
></P
|
|
></DIV
|
|
><DIV
|
|
CLASS="REFSECT1"
|
|
><A
|
|
NAME="AEN231"
|
|
></A
|
|
><H2
|
|
>SEE ALSO</H2
|
|
><P
|
|
><SPAN
|
|
CLASS="APPLICATION"
|
|
>otp-sca</SPAN
|
|
>(1)
|
|
<SPAN
|
|
CLASS="APPLICATION"
|
|
>otp-sct</SPAN
|
|
>(1)
|
|
<SPAN
|
|
CLASS="APPLICATION"
|
|
>pam_otp</SPAN
|
|
>(1)
|
|
<SPAN
|
|
CLASS="APPLICATION"
|
|
>htsoft-downloader</SPAN
|
|
>(1)
|
|
<SPAN
|
|
CLASS="APPLICATION"
|
|
>otp-ov-plugin</SPAN
|
|
>(1)
|
|
<SPAN
|
|
CLASS="APPLICATION"
|
|
>urd</SPAN
|
|
>(1)
|
|
<SPAN
|
|
CLASS="APPLICATION"
|
|
>bcload</SPAN
|
|
>(1)
|
|
<SPAN
|
|
CLASS="HARDWARE"
|
|
>spyrus-par2</SPAN
|
|
>(7)</P
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |