"Fossies" - the Fresh Open Source Software Archive

Member "dacs-1.4.46/man/dacs_token.8.man" (8 Jun 2021, 10946 Bytes) of package /linux/www/dacs-1.4.46.txz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "dacs_token.8.man": 1.4.45_vs_1.4.46.

DACS_TOKEN(8)              DACS Web Services Manual              DACS_TOKEN(8)



NAME
       dacs_token - manage DACS one-time password token accounts

SYNOPSIS
       dacs_token [dacsoptions[1]]

DESCRIPTION
       This program is part of the DACS suite.

       The dacs_token web service provides limited account management
       operations on accounts recognized by local_token_authenticate[2], a
       DACS authentication module. Full administrative functionality is
       provided by dacstoken; refer to dacstoken(1)[3] for detailed
       information about one-time passwords, token devices, and user accounts.
       These accounts are completely separate from any other accounts and
       passwords.

       Subject to configuration and valid authorization, this web service
       lets:

       •   users set an initial PIN for their account (note that this presents
           a window of opportunity for an attacker that has obtained a
           PIN-less token);

       •   users change the PIN on their account;

       •   users synchronize their account with their token;

       •   DACS administrators (see ADMIN_IDENTITY[4]) set, change, or remove
           the PIN on any account (removal depends on TOKEN_REQUIRES_PIN[5]),
           synchronize an account with a token, or obtain the next OTP for a
           specified account; and

       •   anyone create and test a demonstration account (visit
           dacs.dss.ca[6] to try a live demonstration).


       Outside of demonstration mode operation, accounts are managed
       identically to dacstoken(1)[3] using the item types auth_token,
       auth_hotp_token, and auth_totp_token.
   45 
           Security
           The same account security stipulations as dacstoken apply.

           The web service applies access controls internally; a DACS ACL can
           be added to further restrict its use. The internal rules are:

           •   A DACS administrator can synchronize any account without
               providing the account's PIN; other users must provide the
               account's PIN, if there is one.

           •   A DACS administrator can set, change, or remove (depending on
               TOKEN_REQUIRES_PIN[5]) any account's PIN; other users can set
               or change their account's PIN by:

               •   authenticating as the username of the account being
                   accessed (if the account has a PIN and the user has
                   forgotten it, presumably a different authentication method
                   must be used); or

               •   contacting a DACS administrator.

           •   Demonstration mode is enabled if the item type auth_token_demo
               is defined; otherwise, if auth_token_hotp_demo is defined, then
               demonstration mode for HOTP is enabled, and if
               auth_token_totp_demo is defined, then demonstration mode for
               TOTP is enabled. If none of these item types is defined, which
               is the default, then demonstration mode is inoperative.


       When validating a HOTP one-time password, the
       TOKEN_HOTP_ACCEPT_WINDOW[7] configuration directive can be used to
       allow an account's counter value to automatically "catch up" to the
       token's.

OPTIONS
   Web Service Arguments
       In addition to the standard CGI arguments[8], dacs_token understands
       the following CGI arguments:

       CONFIRM_NEW_PIN
           Required with the SET_PIN operation, the value of this argument
           must be the same as the value of NEW_PIN.

       OPERATION
           The following operations are supported:

           •   CURRENT

               Unlike the other operations, this operation returns a
               text/plain MIME type, consisting of the current moving factor
               (i.e., the HOTP counter value or the TOTP interval value),
               followed by a space and the corresponding OTP for USERNAME.
               This facilitates an easy-to-use, REST-type interface. In the
               case of HOTP, the counter value is advanced, "consuming" the
               OTP. Only an administrator is allowed to perform this
               operation, which can be used to build a simple mutual
               authentication capability:

                1. The user gives a username to the sign-on procedure;

                2. The sign-on procedure asks DACS for the OTP it expects the
                   user's token to produce, based on the user's account
                   parameters;

                3. The sign-on procedure presents the OTP to the user, who
                   verifies its correctness by matching the presented OTP with
                   the one actually produced by the token;

                4. The user continues the authentication procedure, perhaps by
                   providing the token's next OTP or using another
                   authentication method, such as a password.

               The appropriateness of TOTP mode for mutual authentication
               depends on the OTP lifetime and other configuration
               parameters.
  121 
           •   SET_PIN

               Set or change the PIN associated with the account for
               USERNAME. This operation requires the NEW_PIN,
               CONFIRM_NEW_PIN, MODE, and USERNAME arguments.

           •   SYNC

               Synchronize the account for USERNAME so that the next
               password produced by the token is expected to be valid.
               This operation requires the PASSWORD, MODE, and USERNAME
               arguments.

           •   DEMO_CREATE

               Create a demonstration account according to the given
               arguments, configuration values, and defaults. Required
               arguments: MODE, KEY, KEY_ENCODING. Optional arguments:
               NEW_PIN, CONFIRM_NEW_PIN, NDIGITS, BASE, SERIAL. Optional
               HOTP argument: COUNTER. Optional TOTP arguments:
               DIGEST_NAME, TIME_STEP. The KEY_ENCODING argument, which
               indicates how the KEY string has been encoded, must be one
               of hex, base32, or none.

           •   DEMO_SYNC

               Synchronize a demonstration account using USERNAME, a
               one-time password or password sequence (SYNC), and an
               optional PIN.

           •   DEMO_VALIDATE

               Validate the given demonstration account (USERNAME),
               one-time password (PASSWORD), and PIN (PIN) in
               demonstration mode. No credentials are actually issued.

       MODE
           This argument is the device mode, which may be (case
           insensitively) counter or hotp for counter mode, or time or
           totp for time-based mode.

       NEW_PIN
           With the SET_PIN operation, this is the new PIN to
           associate with the account. An administrator can remove the
           PIN entirely, provided it is allowed by
           TOKEN_REQUIRES_PIN[5], by omitting (or not providing a
           value for) both NEW_PIN and CONFIRM_NEW_PIN.

       PASSWORD
           If the request is not accompanied by credentials for
           USERNAME or an administrator identity, this one-time
           password must validate against the expected value for
           USERNAME.

       PIN
           The PIN for the account, where the operation calls for one (it
           is required by DEMO_VALIDATE and optional with DEMO_SYNC).

       USERNAME
           The DACS username of interest.
  180 
DIAGNOSTICS
       The program exits 0 if everything was fine, 1 if an error occurred.

BUGS
       This version only provides self-service operations for users and
       limited account management for a DACS administrator; administrators
       must use dacstoken(1)[3] for everything else. Full-blown web-based
       token account management should be provided by either dacs_token or
       dacs_admin(8)[9].

       Demonstration mode accounts should be manually deleted from time to
       time.

       The FORMAT argument is not understood. XML responses should be
       implemented.

SEE ALSO
       dacstoken(1)[3], dacs.conf(5)[10], dacs_authenticate(8)[11]. Also see
       the OTP token demonstration, token_demo.html.

AUTHOR
       Distributed Systems Software (www.dss.ca[12])

COPYING
       Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[13]
       file that accompanies the distribution for licensing information.

NOTES
        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. local_token_authenticate
           http://dacs.dss.ca/man/dacs_authenticate.8.html#local_token_authenticate

        3. dacstoken(1)
           http://dacs.dss.ca/man/dacstoken.1.html

        4. ADMIN_IDENTITY
           http://dacs.dss.ca/man/dacs.conf.5.html#ADMIN_IDENTITY

        5. TOKEN_REQUIRES_PIN
           http://dacs.dss.ca/man/dacs.conf.5.html#TOKEN_REQUIRES_PIN

        6. dacs.dss.ca
           https://dacs.dss.ca

        7. TOKEN_HOTP_ACCEPT_WINDOW
           http://dacs.dss.ca/man/dacs.conf.5.html#TOKEN_HOTP_ACCEPT_WINDOW

        8. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

        9. dacs_admin(8)
           http://dacs.dss.ca/man/dacs_admin.8.html

       10. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html

       11. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html

       12. www.dss.ca
           https://www.dss.ca

       13. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE



DACS 1.4.46                       06/08/2021                     DACS_TOKEN(8)