How to configure user and token authorization scripts

Since version 0.2 OTPme supports per-user and per-token external authorization scripts, which are executed after the user has been authenticated successfully. There are also two new token types, 'script-static' and 'script-otp', which call an external authentication/authorization script that can be used to verify the user credentials (e.g. using ntlm_auth against a Windows domain).

You can pass the following variables to the authorization script:

AUTH_TYPE              Authentication type of the request. Currently this can be "clear-text" or "mschap"
AUTH_USER              Username
AUTH_TOKEN             Name of the token that authenticated the user
AUTH_GROUP             Access group of the request
AUTH_CLIENT            Client name of the request (e.g. NAS-Identifier for RADIUS requests)
AUTH_CLIENT_IP         Client IP address
AUTH_PASS              Password
AUTH_OTP               OTP
AUTH_CHALLENGE         MSCHAP challenge
AUTH_RESPONSE          MSCHAP response
AUTH_NT_KEY            NT key
AUTH_TRUST_PASS        Client trust password (CTP)
AUTH_TRUST_PASS_OTP    OTP that was used to generate the CTP

To prevent sensitive data (e.g. passwords) from showing up in the process list, every variable can instead be passed to the authorization script as a (bash) environment variable.

Examples:

otpme-user auth_script testuser1 '/usr/local/bin/test.sh %AUTH_TYPE %AUTH_USER %AUTH_TOKEN %AUTH_GROUP %AUTH_CLIENT %AUTH_CLIENT_IP [AUTH_OTP] [AUTH_PASS]'
otpme-token auth_script testuser1/mobile-otp '/usr/local/bin/test.sh %AUTH_TYPE %AUTH_USER %AUTH_TOKEN %AUTH_GROUP %AUTH_CLIENT %AUTH_CLIENT_IP [AUTH_OTP]'

Every variable with a leading "%" is passed to the authorization script as a command-line argument (e.g. $1). If you put the variable name in "[]", it is passed as an environment variable (e.g. $AUTH_OTP), which is not visible in the process list.

Exit code handling

User or token authorization script
Exit code 0 = User authorization successful; authentication will succeed (unless there is another reason why it must fail)
Exit code 1 = User authorization failed; the request will be rejected.

Authentication script when used with token types 'script-otp' and 'script-static'
Exit code 0 = User credentials verified successfully; authentication will succeed (unless there is another reason why it must fail)
Exit code 1 = Verifying user credentials failed; the request will be rejected.
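As an added worked example (not OTPme's own code), here is a minimal authorization script that fits the calling convention and exit-code contract described on this page: the six non-secret values arrive as positional arguments, the secrets only through the environment, and exit status 0 or 1 decides the request. The access groups, client names and IP prefixes in the policy table are constructed placeholders, and the syslog call via logger and the function names client_allowed and otpme_authorize are assumptions of this example. The same exit-code contract applies to the authentication-script case for 'script-otp' and 'script-static' tokens, where a credential check (e.g. ntlm_auth) would take the place of the policy lookup.

```shell
#!/bin/sh
# Added example of an OTPme authorization script; it is not part of OTPme and
# the policy values in it are constructed for illustration.
#
# Intended to be configured as:
#   otpme-user auth_script testuser1 '/usr/local/bin/test.sh %AUTH_TYPE %AUTH_USER %AUTH_TOKEN %AUTH_GROUP %AUTH_CLIENT %AUTH_CLIENT_IP [AUTH_OTP] [AUTH_PASS]'
# so the six non-secret values arrive as $1..$6 and the secrets only as the
# environment variables AUTH_OTP and AUTH_PASS.

# Constructed policy: "<access group>:<client>:<allowed client IP prefix>",
# one rule per whitespace-separated word (hypothetical groups and clients).
POLICY="vpn:vpn-gw:10.0.0. wifi:ap-office:192.168.1."

# Log the decision to syslog without ever touching AUTH_PASS or AUTH_OTP.
# Arguments: decision reason user token group client client_ip
log_decision() {
    logger -t otpme-authz \
        "decision=$1 reason=$2 user=$3 token=$4 group=$5 client=$6 ip=$7" \
        2>/dev/null || true
}

# client_allowed GROUP CLIENT CLIENT_IP
# Returns 0 if some rule for GROUP/CLIENT has a prefix matching CLIENT_IP.
client_allowed() {
    for rule in $POLICY; do
        case "$rule" in
            "$1:$2:"*)
                prefix=${rule##*:}
                case "$3" in
                    "$prefix"*) return 0 ;;
                esac
                ;;
        esac
    done
    return 1
}

# otpme_authorize AUTH_TYPE AUTH_USER AUTH_TOKEN AUTH_GROUP AUTH_CLIENT AUTH_CLIENT_IP
# Return status follows the OTPme contract: 0 = authorized, 1 = rejected.
otpme_authorize() {
    auth_type=$1; user=$2; token=$3; group=$4; client=$5; client_ip=$6

    # Reject a misconfiguration that passes a secret as a positional
    # argument (e.g. %AUTH_PASS instead of [AUTH_PASS]): it would be visible
    # in the process list.
    if [ "$#" -gt 6 ]; then
        log_decision deny secret-in-argv "$user" "$token" "$group" "$client" "$client_ip"
        return 1
    fi

    # Only the two authentication types documented above are accepted.
    case "$auth_type" in
        clear-text|mschap) ;;
        *)
            log_decision deny unknown-auth-type "$user" "$token" "$group" "$client" "$client_ip"
            return 1
            ;;
    esac

    # An empty user, token or client IP means something upstream went wrong.
    if [ -z "$user" ] || [ -z "$token" ] || [ -z "$client_ip" ]; then
        log_decision deny missing-field "$user" "$token" "$group" "$client" "$client_ip"
        return 1
    fi

    # Access-group / client / source-IP policy.
    if ! client_allowed "$group" "$client" "$client_ip"; then
        log_decision deny client-not-allowed "$user" "$token" "$group" "$client" "$client_ip"
        return 1
    fi

    log_decision allow policy-match "$user" "$token" "$group" "$client" "$client_ip"
    return 0
}

# OTPme invokes the script with at least the six positional values; without
# them (e.g. when sourced for testing) only the functions are defined.
if [ "$#" -ge 6 ]; then
    otpme_authorize "$@"
    exit $?
fi
```

Install it as /usr/local/bin/test.sh with mode 0755 and keep the secrets in "[]" in the auth_script configuration, so that a process listing during an authentication request shows only the user, token, group, client and client IP.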