forked from Exhar/otpd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
otpd.conf
267 lines (240 loc) · 11.6 KB
/
otpd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
#
# Configuration for otpd.
#
# Boolean options must be the keywords 'yes' or 'no' (unquoted).
# Filename args that contain whitespace must be quoted.
# Integer options must be positive integers 0 and up.
# Comments begin with '#' and go to the end of the line.
#
otpd {
# The user to run as. The default is not to change uid.
#user = root
# The syslog facility to use for logging. The default is auth.
#log_facility = auth
# The debug level of the server. All logging is done via syslog.
# This setting controls the maximum severity that will be logged.
# Use syslog priority levels emerg through debug, and the additional
# levels debug1 through debug8 (useful for source code debugging).
# The debug1 through debug8 levels are logged at syslog debug priority.
#
# The default is debug, with filtering to a more reasonable verbosity
# (info or notice) expected to be done in syslog.conf.
#log_level = debug
# Where to listen for connections from plugins.
# The default is "/var/run/otpd/socket".
#plugin_rp = /var/run/otpd/socket
# The backend to use to obtain per-user token data, file or ldap.
# The default is file.
#backend = file
#file {
# The file to use for user:card mappings. See otppasswd(5).
# The default is "/etc/otppasswd".
#passwd = /etc/otppasswd
# How the key and PIN fields are encrypted in the otppasswd file.
# clear: key and PIN fields are not encrypted
# pin: key field is encrypted with the PIN (not recommended)
# pin-md5: key field is encrypted with the md5 of the PIN
# <keyid>: key and PIN fields are encrypted with key <keyid>
# The default is clear.
#encrypt = clear
# gsmd to use in global mode (see state section below). No default.
#state_server =
#}
#ldap {
# The directory server/port.
# The default host is localhost.
# The default port is obtained using getservbyname("ldap", "tcp")
# (which uses nsswitch to pick a source, but generally this is
# /etc/services), falling back to a default of 389.
#host =
#port =
# The user/pass to bind as. The default is anonymous.
#binddn =
#bindpw =
# Where in the DIT to find user information (with token data).
# No default. (Eg. ou=People,dc=example,dc=com)
#basedn =
# The search filter. A single %u will be substituted with the username.
# No default. (Eg. uid=%u)
#filter =
# Search scope (one or sub). The default is sub.
#scope = sub
# TLS settings. The default is to not use TLS.
#tls {
# How to configure TLS (off, on, or bind-only).
# off: don't use TLS
# on: use START TLS
# bind-only: protect the bind operation with TLS, but not searches
# The default is off.
#mode = off
# How to verify the server certificate (ignore, check, or crl).
# ignore: don't verify server cert (NOT RECOMMENDED)
# check: verify the cert
# crl: verify the cert and check CRLs.
# CRLs must be in cacertdir; OCSP is not supported.
# The default is crl.
#verify_cert = crl
# File containing CA certificates in PEM format. No default.
#cacertfile =
# Directory containing CA certificates in PEM format. No default.
#cacertdir =
# File containing a client certificate. No default.
#certfile =
# File containing a client key. No default.
#keyfile =
#} # tls
#} # ldap
# Keys used for encryption of otppasswd or LDAP data.
# Multiple key sections are allowed.
#passwdkey {
# Numeric key identifier. Start at 0.
#id =
# The key itself (any length).
#key =
#}
# Timeout, in ms, for each request. This includes time to look the
# user up (really only relevant with LDAP), time to lock state
# (really only relevant when using gsmd), validate the OTP, and then
# to update state (again, really only relevant with gsmd). This must
# be less than the client (e.g. RADIUS client on a VPN server)
# failover timeout, so that clients do not failover to other auth
# servers while we are still doing work. If this value is too high,
# then in the worst case allowing clients to failover will cause a
# spiralling load problem which will be unrecoverable. In the best
# case, the system will do extra work, which will be ignored by the
# client (since it has already timed out).
#
# This value is not absolute; timing data is not perfectly accounted
# for throughout the OTP authentication path, and may slip beyond the
# configured value. Additionally, the start time of a request, as
# recorded by otpd, may already be well behind the actual time of the
# initial request for many reasons, e.g. the initial request of a
# RADIUS client to a RADIUS server may have been dropped by the
# network, and the first packet the RADIUS server sees is actually a
# retransmission 3s later.
#
# Also, due to a deficiency in the OpenLDAP library, the timeout is
# not taken into account when setting up an SSL/TLS connection to
# an LDAP server. otpd reuses connections to the LDAP server, so
# this only comes into play when an LDAP connection is not available
# and a new one has to be established.
#
# The default is 11,700 ms, to account for aggressive (but typical)
# RADIUS client settings of 3s retransmissions with 3 retries, with
# a generous 300ms padding to absorb our own timing errors and allow
# for retransmission with gsmd.
#
# Different otpd's can safely have different timeout settings. The
# value should be chosen based on the auth server interface to each
# otpd. That is, for an otpd on a RADIUS server, check the settings
# (and consistency!) for timeouts on the RADIUS clients, but
# generally the default 11,700ms is good. But for an otpd that
# authenticates ssh logins, the timeout can be much longer, slightly
# less than the LoginGraceTime setting, 120s by default, so 118,500
# might be good (since the timeout here is so long, we can afford to
# include much more slop). For an otpd that serves multiple
# authentication servers, the timeout must be the smallest one that
# prevents client timeout. It may make more sense to run multiple
# instances of otpd.
#timeout = 11700
# Some tokens have what we call a "hard PIN"; users enter a PIN into
# the token to activate it. This has the advantage that only the
# user knows the PIN, and that it is only entered into a secure
# device, however, it has a usability disadvantage.
#
# Other tokens do not have a keypad, and the user enters a "soft PIN"
# as part of the passcode. This has the advantage of a better UI,
# but has the disadvantages that the PIN is susceptible to capture,
# which can reduce the token to a single factor device; and that the
# server admins know the PIN. (Note that it doesn't matter for hard
# PIN devices that admins don't know the PIN, since they know the
# token secret; the loss incurred by admin exposure is not for security
# of the device, but compromise of personal information.)
#
# For simple guessing attacks, soft PIN (especially our implementation,
# which allows alphanumeric PINs) improves security by increasing
# the amount of guesswork an attacker has to do.
#
# The prepend_pin setting toggles whether the user must prepend (yes)
# or append (no) the soft PIN; the default is yes (prepend). Note
# that hard PIN devices can utilize a soft PIN as well.
# The defalt is yes.
#prepend_pin = yes
# The number of consecutive failed logins before a user is locked out.
# A locked out user must have their state reset by an adminstrator.
# A value of 0 disables this function.
# The default is 0.
#hardfail = 0
# Since hardfail isn't very useful (ANYONE can lock out ANY user),
# we also have a softfail option.
#
# After <softfail> consecutive failures, the user is put into "delay
# mode". In this mode, a minimum delay between authentication
# attempts is imposed, during which time all attempts fail regardless
# of passcode correctness. The delay starts at 1 minute and doubles,
# up to a maximum of 32 minutes, for each additional attempt.
#
# Either hardfail or softfail is required to prevent a passcode
# guessing attack; with such a small passcode space, such an attack
# would be trivial without an imposed rate limit.
# The default is 5.
#softfail = 5
# Tokens that are event synchronous can easily lose sync with the
# server, e.g. if the user plays with the token they will increment
# the token's event counter, leaving the server behind. Or if they
# simply mistype the passcode they will also be out of sync.
#
# So, we need to allow for the user's token to get ahead of the
# server's state. This value is the max number of events the server
# will tolerate the user being ahead. BE CAREFUL setting this value,
# it is also the number of responses that will be accepted. Doubling
# this value also doubles the chance of a random guess being correct!
#
# The default is 5. Before increasing this value, please read our
# passcode guessing paper (at http://www.tri-dsystems.com/) to
# understand the implications of setting this too high.
#ewindow_size = 5
# A small value of ewindow_size is paramount to defending against
# brute force guessing, however it is at odds with the very common
# situation of the user's token getting "very" far ahead of the
# server's state.
#
# A small value of softfail is also critical to security, but
# the delay mode is frustrating to legitimate users.
#
# To overcome these two issues, this option sets the "resync window",
# which is how far the server will look ahead, without any forced
# delay, if the user enters TWO CONSECUTIVE CORRECT passcodes.
#
# The default is 25. Because it is exponentially more difficult
# to guess TWO passcodes, it is safe to use a largish value here.
# A value of 0 disables this feature.
#rwindow_size = 25
#state {
# Local or global (gsmd) mode. The default is local.
#mode = local
# When running in local mode, the directory where state data
# can be found.
# The default is "/etc/otpstate".
#statedir = /etc/otpstate
# The default server (gsmd) port to use. The default is obtained
# using getservbyname("gsmd", "udp") (which uses nsswitch to pick
# a source, but generally this is /etc/services), falling back to
# a default of 1220.
#port = 1220
# Server sub-sections define each gsmd when run in global mode.
#server {
# You must specify a nickname for this server.
# LDAP entries refer to this nickname.
#name = localhost
# Primary hostname or IP is required.
#primary = 127.0.0.1
# Backup hostname or IP is optional.
#backup = 127.0.0.2
# You must specify a 256-bit key.
#key = 0000000000000000000000000000000000000000000000000000000000000000
# Server-specific gsmd port, overriding default in parent section.
#gsmd_port = 1220
#}
#} # state
}