mirror of
https://github.com/adulau/ootp.git
synced 2024-11-22 10:07:12 +00:00
192 lines
7.4 KiB
Groff
192 lines
7.4 KiB
Groff
...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
|
||
...\"
|
||
...\" transcript compatibility for postscript use.
|
||
...\"
|
||
...\" synopsis: .P! <file.ps>
|
||
...\"
|
||
.de P!
|
||
\\&.
|
||
.fl \" force out current output buffer
|
||
\\!%PB
|
||
\\!/showpage{}def
|
||
...\" the following is from Ken Flowers -- it prevents dictionary overflows
|
||
\\!/tempdict 200 dict def tempdict begin
|
||
.fl \" prolog
|
||
.sy cat \\$1\" bring in postscript file
|
||
...\" the following line matches the tempdict above
|
||
\\!end % tempdict %
|
||
\\!PE
|
||
\\!.
|
||
.sp \\$2u \" move below the image
|
||
..
|
||
.de pF
|
||
.ie \\*(f1 .ds f1 \\n(.f
|
||
.el .ie \\*(f2 .ds f2 \\n(.f
|
||
.el .ie \\*(f3 .ds f3 \\n(.f
|
||
.el .ie \\*(f4 .ds f4 \\n(.f
|
||
.el .tm ? font overflow
|
||
.ft \\$1
|
||
..
|
||
.de fP
|
||
.ie !\\*(f4 \{\
|
||
. ft \\*(f4
|
||
. ds f4\"
|
||
' br \}
|
||
.el .ie !\\*(f3 \{\
|
||
. ft \\*(f3
|
||
. ds f3\"
|
||
' br \}
|
||
.el .ie !\\*(f2 \{\
|
||
. ft \\*(f2
|
||
. ds f2\"
|
||
' br \}
|
||
.el .ie !\\*(f1 \{\
|
||
. ft \\*(f1
|
||
. ds f1\"
|
||
' br \}
|
||
.el .tm ? font underflow
|
||
..
|
||
.ds f1\"
|
||
.ds f2\"
|
||
.ds f3\"
|
||
.ds f4\"
|
||
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n
|
||
.TH "\fBurd\fP" "1"
|
||
.SH "NAME"
|
||
\fBurd\fP \(em Micro footprint RADIUS daemon with One Time Password support\&.
|
||
.SH "SYNOPSIS"
|
||
.PP
|
||
\fBurd\fP [-?AhcdDmMOux] [-a\fI authorized_users_file\fP] [-b\fI local_ip\fP] [-B\fI local_port\fP] [-o\fI otp_db\fP] [-p\fI passwd_file\fP] [-P\fI pid_file\fP] [-s\fI secret_file\fP] [-S\fI auth_service_name\fP] [-V\fI service_name\fP] [-w\fI otp_window\fP]
|
||
.SH "DESCRIPTION"
|
||
.PP
|
||
The \fBurd\fP daemon implements a minimal subset
|
||
of the RADIUS protocol for user authentication with optional
|
||
One Time Passwords\&. Accounting is not supported\&. Configuration
|
||
files include a \fBpasswd\fP file in Unix passwd(5)
|
||
format, an optional \fBauthorized_users\fP file for
|
||
authenticating with a subset of the \fBpasswd\fP file, a
|
||
\fBsecret\fP file for the shared RADIUS secret, and
|
||
\fBotp_db\fP for One Time Password support\&.
|
||
.PP
|
||
The \fBpasswd_file\fP and
|
||
\fBauthorized_users_file\fP are cached in memory for performance\&. To safely update these files
|
||
with the server running while avoiding race conditions first remove
|
||
both files, update \fBauthorized_users\fP, then use
|
||
rename(2) to atomically move the new \fBpasswd\fP into
|
||
place\&. \fBurd\fP will then automatically reload the newer
|
||
\fBpasswd\fP and \fBauthorized_users\fP files\&. If these files are not available during a user authentication the
|
||
cached in memory database is used\&. They must be available when
|
||
\fBurd\fP starts\&.
|
||
.PP
|
||
The OTP database can safely be manipulated with \fBotp-control\fP while the server is running\&. OTP user records are locked using flock(2)
|
||
before any Read Modify Write operations are performed\&.
|
||
.PP
|
||
An alternate OTP database can be specified as \fBotb_db\fP\&.
|
||
.PP
|
||
PAM authentication is optionally supported for passwords\&. PAM can
|
||
be configured as the sole means of authentication, or the locally
|
||
configured password file may be used as a method of selecting valid
|
||
users to later be authenticated with PAM\&. PAM can be used for the
|
||
reusable password, the OTP API is always used for two factor authentication\&.
|
||
.PP
|
||
The \fBsecret\fP file contains the key shared
|
||
by the RADIUS NAS and RADIUS server\&. It must be less than 32 bytes\&.
|
||
.PP
|
||
Two Special user names, urd_debug and urd_stats, which if configured
|
||
to authenticate successfully will toggle debugging and dump the internal
|
||
state and request cache respectively\&. If these users are not configured
|
||
with a password this feature will be disabled\&.
|
||
.SH "OPTIONS"
|
||
.IP "-a, --authorized-users-db=\fI authorized_users_file\fP" 10
|
||
Specify an alternate location for the \fBauthorized_users_file\fP\&.
|
||
.IP "" 10
|
||
The \fBauthorized_users_file\fP contains one username per line\&.
|
||
When configured this option requires a user to be listed
|
||
in \fBauthorized_users_file\fP for authentication to proceed
|
||
with the password and One Time Password functions\&.
|
||
.IP "-A, --disable-authorized-users" 10
|
||
Disable \fBauthorized_users\fP feature\&. This option must
|
||
be set if the \fBauthorized_users_file\fP is not used\&.
|
||
.IP "-b, --bind-ip-address=\fI local_ip\fP" 10
|
||
Specify an IP address to bind(2) to\&. The default behavior will bind to
|
||
INADDR_ANY\&.
|
||
.IP "-B, --bind-udp-port=\fI local_port\fP" 10
|
||
Specify the local UDP port to bind(2) to\&. The default behavior will bind
|
||
to UDP port 1812\&.
|
||
.IP "-c, --display-count" 10
|
||
Force count to be passed to RADIUS NAS\&. Not all devices will be able to
|
||
display this field\&.
|
||
.IP "-d, --debug=\fI debug_level\fP" 10
|
||
Enable verbose debugging\&.
|
||
.IP "-D, --disable-daemon-mode" 10
|
||
Disable daemon mode\&. When specified \fBurd\fP will not
|
||
run in the background and stdout is available for debugging information\&.
|
||
.IP "-m, --pam-authentication-enable" 10
|
||
Authenticate with PAM\&. The user must be present in the local password
|
||
and optionally authorized users files before PAM authentication\&.
|
||
.IP "-M, --pam-authentication-exclusive" 10
|
||
Authenticate with PAM\&. The local password file is not consulted\&.
|
||
.IP "-o, --otp-db=\fI otp_db\fP" 10
|
||
Specify an alternate location for the One Time Password database
|
||
\fBotp_db\fP\&.
|
||
.IP "-O, --otp-disable" 10
|
||
Disable the use of One Time Passwords\&.
|
||
.IP "-p, --password-db=\fI passwd_file\fP" 10
|
||
Specify an alternate location for the \fBpasswd\fP file\&. The \fBpasswd\fP file is in Unix passwd(5) format\&.
|
||
Fields beyond the username and password hash are ignored\&. The users
|
||
password is hashed with crypt(3) and compared to the hash stored in this file
|
||
for authentication\&.
|
||
.IP "-P, --pidfile=\fI pid_file\fP" 10
|
||
Specify an alternate location for a file containing the process ID
|
||
of the RADIUS server\&. If a listen IP address or non standard UDP listen
|
||
port is configured the PID filename will contain the IP address and
|
||
port to differentiate it from other instances of \fBurd\fP running on the same server\&.
|
||
.IP "-s, --server-secret=\fI secret_file\fP" 10
|
||
Specify an alternate location for the \fBsecret_file\fP\&.
|
||
The \fBsecret_file\fP contains the shared secret between
|
||
the NAS and RADIUS server and must be less than 32 bytes\&.
|
||
.IP "-S, --pam-service-name=\fI auth_service_name\fP" 10
|
||
Specify an alternate name for the PAM authentication service\&. Defaults
|
||
to urd\&.
|
||
.IP "-u, --otp-allow-unknown-user" 10
|
||
Allow users which do not exist in the OTP database to successfully
|
||
authenticate without using a One Time Password, only a valid password
|
||
will be required\&.
|
||
.IP "-V, --service-name=\fI service_name\fP" 10
|
||
Set service name for send-token function\&.
|
||
.IP "--version" 10
|
||
Display software version\&.
|
||
.IP "-w, --otp-challenge-window=\fI window\fP" 10
|
||
Set the OTP challenge window\&.
|
||
.IP "-x, --debug-drop-udp-packets" 10
|
||
Drop every other RADIUS request from a NAS\&. This is a debugging feature
|
||
intended to stress test the reply cache code\&. The reply cache
|
||
implements state retention required for the use of One Time Passwords\&.
|
||
.SH "EXAMPLES"
|
||
.PP
|
||
The following command will start the urd server, bind it to IP address
|
||
10\&.1\&.0\&.1, authenticate users with passwords in
|
||
\fB/var/urd/passwd\fP, use
|
||
\fB/var/urd/secret\fP as the shared secret with the NAS,
|
||
authenticate users using one time passwords in
|
||
\fB/var/urd/HOTP\&.db\fP, enable debugging, and run in the
|
||
foreground\&.
|
||
.PP
|
||
\fBurd -b 10\&.1\&.0\&.1 -p /var/urd/passwd -s /var/urd/secret -o /var/urd/HOTP\&.db -d -D\fP
|
||
.PP
|
||
.nf
|
||
.fi
|
||
.SH "AUTHOR"
|
||
.PP
|
||
Mark Fullmer maf@splintered\&.net
|
||
.SH "SEE ALSO"
|
||
.PP
|
||
\fBotp-control\fP(1)
|
||
\fBotp-sca\fP(1)
|
||
\fBotp-sct\fP(1)
|
||
\fBpam_otp\fP(1)
|
||
\fBhtsoft-downloader\fP(1)
|
||
\fBbcload\fP(1)
|
||
\fBotp-ov-plugin\fP(1)
|
||
spyrus-par2(7)
|
||
...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01
|