Command Line Tools Documentation
How to configure user and token authorization scripts
Since version 0.2 OTPme supports per-user and per-token external authorization scripts, which are executed after the user has been authenticated successfully. There are also two new token types, 'script-static' and 'script-otp', which call an external authentication/authorization script that can be used to verify the user credentials (e.g. using ntlm_auth against a Windows domain).
You can pass the following variables to the authorization script:
AUTH_TYPE            Authentication type of the request. Currently this can be "clear-text" or "mschap"
AUTH_USER            Username
AUTH_TOKEN           Name of the token that authenticated the user
AUTH_GROUP           Access group of the request
AUTH_CLIENT          Client name of the request (e.g. Nas-Identifier for RADIUS requests)
AUTH_CLIENT_IP       Client IP address
AUTH_PASS            Password
AUTH_OTP             OTP
AUTH_CHALLENGE       MSCHAP challenge
AUTH_RESPONSE        MSCHAP response
AUTH_NT_KEY          NT key
AUTH_TRUST_PASS      Client trust password (CTP)
AUTH_TRUST_PASS_OTP  OTP that was used to generate the CTP
To prevent sensitive data (e.g. passwords) from showing up in the process list, every variable can instead be passed to the authorization script as a (bash) environment variable.
Examples:
otpme-user auth_script testuser1 '/usr/local/bin/test.sh %AUTH_TYPE %AUTH_USER %AUTH_TOKEN %AUTH_GROUP %AUTH_CLIENT %AUTH_CLIENT_IP [AUTH_OTP] [AUTH_PASS]'
otpme-token auth_script testuser1/mobile-otp '/usr/local/bin/test.sh %AUTH_TYPE %AUTH_USER %AUTH_TOKEN %AUTH_GROUP %AUTH_CLIENT %AUTH_CLIENT_IP [AUTH_OTP]'
Every variable with a leading "%" is passed to the authorization script as a command line argument (e.g. $1). If you put the variable name in "[]" it is passed as an environment variable (e.g. $AUTH_OTP), which is not visible in the process list.
Exit code handling
User or token authorization script
Exit code 0 = User authorization successful; authentication will succeed (if there is no other reason why it must fail)
Exit code 1 = User authorization failed; the request will be rejected.
Authentication script when used with token types 'script-otp' and 'script-static'
Exit code 0 = User credentials verified successfully; authentication will succeed (if there is no other reason why it must fail)
Exit code 1 = Verifying user credentials failed; the request will be rejected.
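As an added example (not code from the OTPme project), a per-user authorization script that takes the non-secret values as positional arguments, leaves the secrets in the environment, enforces a constructed access-group/client-IP policy and exits 0 or 1 as described above. The script path /usr/local/bin/auth-check.sh, the policy table and the log line are assumptions.

```shell
#!/bin/sh
# Added example of an OTPme per-user authorization script (not code from the
# OTPme project). Assumed registration, with both secrets in [..] so that they
# arrive as environment variables and never show up in the process list:
#   otpme-user auth_script testuser1 '/usr/local/bin/auth-check.sh %AUTH_TYPE \
#     %AUTH_USER %AUTH_TOKEN %AUTH_GROUP %AUTH_CLIENT %AUTH_CLIENT_IP [AUTH_OTP] [AUTH_PASS]'
# Exit code 0 authorizes the request, exit code 1 rejects it.

# Constructed policy: "<access group> <allowed client IP prefix>", one per line.
POLICY="vpn 10.
wlan 192.168.
admin 10.0.0."

# authorize TYPE USER TOKEN GROUP CLIENT CLIENT_IP  -> returns 0 (allow) / 1 (reject)
# Secrets ($AUTH_OTP / $AUTH_PASS) stay in the environment; not used or logged here.
authorize() {
    # Fail closed on an unexpected argument count: a 7th argument means a
    # credential was registered as %AUTH_PASS/%AUTH_OTP and is visible in ps.
    [ "$#" -eq 6 ] || return 1
    auth_type="$1" auth_user="$2" auth_token="$3"
    auth_group="$4" auth_client="$5" auth_client_ip="$6"

    # Only the two documented request types are accepted.
    case "$auth_type" in clear-text|mschap) ;; *) return 1 ;; esac

    # Log non-secret fields only; $AUTH_PASS and $AUTH_OTP are never written out.
    printf 'auth-check: type=%s user=%s token=%s group=%s client=%s ip=%s\n' \
        "$auth_type" "$auth_user" "$auth_token" "$auth_group" \
        "$auth_client" "$auth_client_ip" >&2

    # Allow only if a policy line for the access group matches the client IP.
    # A here-document keeps the loop in the current shell, so 'allowed' survives.
    allowed=1
    while read -r group prefix; do
        [ "$group" = "$auth_group" ] && [ -n "$prefix" ] || continue
        case "$auth_client_ip" in
            "$prefix"*) allowed=0 ;;
        esac
    done <<EOF
$POLICY
EOF
    return "$allowed"
}

# Run when OTPme passes the six positional values; when the file is only
# sourced (no arguments) just the function is defined.
if [ "$#" -ge 6 ]; then
    authorize "$@"
    exit "$?"
fi
```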