otppasswd.5.pod

File metadata and controls

122 lines (76 loc) · 3.18 KB

NAME

otppasswd - secrets file for otpd

DESCRIPTION

The /etc/otppasswd file contains the secrets used to authenticate users who hold One-Time Password (OTP) tokens. Each entry is a single line of colon-delimited fields of the form:

username:tokenid:key[:pin]

The pin field is optional.

The key and pin fields may be encrypted; see otp.conf for a description of valid encryption modes and key specification.

VALID CHARACTERS

In addition to the per-field restrictions noted below, the : (colon) and the space character are not valid in any field (the colon is the field delimiter).

username

<, =, >, * and ~ are invalid characters. ! (bang) by itself (as a single-character username) is also invalid. All other printing characters are valid.

tokenid

All printing characters are valid for the tokenid field.

key

Only hex digits are valid for the key field: [0-9a-fA-F]. The key field can be up to 256 octets (512 hex digits) long; the valid size for a given entry is determined by the type of token.

pin

Only hex digits are valid for the pin field: [0-9a-fA-F]. The pin field is the hex encoding of an ASCII PIN. PINs can be up to 16 characters (32 hex digits) long. Because the PIN is stored as hex, the : (colon) and space restriction noted above does not apply to the PIN itself, only to its hex representation.

EXAMPLE

The entry

bob:trid-hard-hotp-d6-e8:000102030405060708090A0B0C0D0E0F10111213:3132333435

defines the user bob, who holds a trid-hard-hotp-d6-e8 token, with the 20-octet (160-bit) key 000102...13 and PIN 12345. (Somebody change the combination on my luggage.)
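The field rules above, applied to the example entry and to a few deliberately broken lines. This is an added validation script, not part of otpd or this man page; it assumes unencrypted key and pin fields (see otp.conf for the encrypted forms) and assumes the key, being described in octets, always has an even number of hex digits. The sample file content is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample /etc/otppasswd content. The "bob" line is the example from
# this man page; the other lines are made up and each break one of the rules
# from the VALID CHARACTERS section.
SAMPLE = """\
bob:trid-hard-hotp-d6-e8:000102030405060708090A0B0C0D0E0F10111213:3132333435
alice:hotp-d8:3132333435363738393031323334353637383930
!:hotp-d6:00112233445566778899AABBCCDDEEFF00112233
carol:x99-d7:0011223344556677889900112233445566778899:3A3B3C:extra
dave:x99-h8:ZZ11223344556677889900112233445566778899
erin:hotp-d6:00112233445566778899AABBCCDDEEFF00112233:3132333435363738393031323334353637383930
"""

MAX_KEY_HEX = 512   # 256 octets
MAX_PIN_HEX = 32    # 16-character ASCII PIN
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
USERNAME_BAD = set("<=>*~")


@dataclass
class Entry:
    username: str
    tokenid: str
    key: bytes           # raw key octets decoded from the hex field
    pin: Optional[str]   # decoded ASCII PIN, or None when the field is absent


def _printing_no_space(s):
    # Printing ASCII excluding space; the colon cannot appear here because the
    # line was already split on it.
    return all(0x21 <= ord(c) <= 0x7E for c in s)


def validate_line(line):
    """Return an Entry, or raise ValueError naming the first rule violated."""
    fields = line.split(":")
    if len(fields) not in (3, 4):
        raise ValueError("expected username:tokenid:key[:pin]")
    username, tokenid, key = fields[:3]
    pin_hex = fields[3] if len(fields) == 4 else None

    for name, val in (("username", username), ("tokenid", tokenid)):
        if not val or not _printing_no_space(val):
            raise ValueError(f"{name}: empty or contains a space/non-printing character")
    if username == "!" or USERNAME_BAD & set(username):
        raise ValueError("username: contains <, =, >, *, ~ or is a lone '!'")
    if not HEX_RE.match(key) or len(key) > MAX_KEY_HEX:
        raise ValueError("key: must be 1..512 hex digits")
    if len(key) % 2:
        # Assumption: the key is a whole number of octets.
        raise ValueError("key: odd number of hex digits")

    pin = None
    if pin_hex is not None:
        if not HEX_RE.match(pin_hex) or len(pin_hex) > MAX_PIN_HEX or len(pin_hex) % 2:
            raise ValueError("pin: must be an even count of at most 32 hex digits")
        raw = bytes.fromhex(pin_hex)
        # The hex must decode to an ASCII PIN; space is allowed inside the PIN
        # itself because only its hex form is stored.
        if not all(0x20 <= b <= 0x7E for b in raw):
            raise ValueError("pin: hex does not decode to printable ASCII")
        pin = raw.decode("ascii")
    return Entry(username, tokenid, bytes.fromhex(key), pin)


def parse_otppasswd(text):
    """Parse a whole file. Returns (entries, errors); errors is [(lineno, message)]."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entries.append(validate_line(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors


if __name__ == "__main__":
    ok, bad = parse_otppasswd(SAMPLE)
    for e in ok:
        print(f"ok   {e.username} {e.tokenid} key={len(e.key)} octets pin={e.pin!r}")
    for n, msg in bad:
        print(f"line {n}: {msg}")
```

Running it accepts bob (PIN decoded to 12345) and alice (no PIN) and reports lines 3 to 6: a lone "!" username, a fifth field, a non-hex key, and a PIN longer than 32 hex digits. Since every key in this file is a shared secret, a check like this is best run as the same user that owns the file rather than by copying it elsewhere.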

TOKEN IDS

Token support for otpd(8) is provided by plug-in cardops modules. This section describes the token ids supported by modules that are included with otpd(8).

cryptocard

The cryptocard module supports tokens made by CRYPTOCard. These tokens are event synchronous and use the X9.9 algorithm.

cryptocard-<display>-<mode>

display specifies both the representation (h for hex or d for decimal) and the number of digits (7, 8, or p for phone). Phone mode is the same as 7-digit mode, except that the user is expected to actually enter the - (dash) shown on the token display in 7-digit mode. For example, h8 describes an 8-digit hex display, and dp describes a 7-digit decimal display using phone mode.

mode specifies the token's sync mode settings; rc for "random challenge" or async-only mode, es for "event sync" or sync-only mode, and rs for "random sync" or either mode.

For example, cryptocard-d7-es.

hotp

The hotp module supports a generic event synchronous HOTP token, using a 160-bit (20-octet, 40 hex digit) key and a configurable response length.

hotp-d<digits>

digits is the number of OTP digits (6-9). For example, hotp-d6.
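What an event synchronous hotp-d<digits> token produces, and how a server side can consume it. This is an added example, not otpd's cardops code: it implements HOTP as specified in RFC 4226 (HMAC-SHA-1 over the event counter with dynamic truncation), parses the hotp-d<digits> token id form described above, and adds an assumed look-ahead window policy for resynchronisation and replay rejection. The key is the RFC 4226 test key "12345678901234567890" written as a 40 hex digit key field, so the 6-digit responses match the values published in that RFC.

```python
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits (6..9 here)."""
    if not 6 <= digits <= 9:
        raise ValueError("hotp module supports 6-9 digits")
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def digits_from_tokenid(tokenid):
    """'hotp-d8' -> 8 (assumed parsing of the hotp-d<digits> token id form)."""
    prefix = "hotp-d"
    if not tokenid.startswith(prefix):
        raise ValueError("not an hotp module token id")
    return int(tokenid[len(prefix):])


class HotpVerifier:
    """Event-synchronous verification with a look-ahead window (assumed policy,
    not otpd's own). A response is accepted if it matches any counter in
    [expected, expected + window); the expected counter is then moved past
    the matched value so the same response can never be replayed."""

    def __init__(self, key_hex, tokenid, window=5):
        self.key = bytes.fromhex(key_hex)        # the otppasswd key field
        self.digits = digits_from_tokenid(tokenid)
        self.counter = 0                          # next counter we expect
        self.window = window

    def verify(self, response):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c, self.digits), response):
                self.counter = c + 1
                return True
        return False


# Constructed key field: RFC 4226 test key "12345678901234567890" in hex (160 bits).
RFC_KEY_HEX = "3132333435363738393031323334353637383930"


def demo():
    """Returns (first, skipped_ahead, replay, behind) acceptance results."""
    v = HotpVerifier(RFC_KEY_HEX, "hotp-d6")
    first = v.verify(hotp(v.key, 0))     # counter 0: accepted, expected becomes 1
    skipped = v.verify(hotp(v.key, 3))   # token pressed twice unseen: inside window
    replay = v.verify(hotp(v.key, 3))    # same response again: rejected
    behind = v.verify(hotp(v.key, 2))    # counter already passed: rejected
    return first, skipped, replay, behind


if __name__ == "__main__":
    key = bytes.fromhex(RFC_KEY_HEX)
    for d in (6, 7, 8, 9):
        print(f"hotp-d{d} counter 0:", hotp(key, 0, d))
    print("accept, resync, replay, stale:", demo())
```

The window is what makes an event synchronous token usable in practice: the counter on the token advances every time its button is pressed, whether or not the response was submitted, so the server must tolerate a bounded gap and then catch up. The window size is a trade-off, since every extra counter value accepted is one more guess a brute-force attempt gets for free.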

x99

The x99 module supports a generic asynchronous X9.9 token, with 7 or 8 digit hex or decimal response.

x99-<display>

display specifies both the representation (h for hex or d for decimal) and the number of digits (7 or 8). For example, x99-d7.

SEE ALSO

otpd(8), README

URL

http://otpd.googlecode.com/