DACS_TOKEN(8)                     DACS Web Services Manual                     DACS_TOKEN(8)
NAME
dacs_token - manage DACS one-time password token accounts

DESCRIPTION
This program is part of the DACS suite.
The dacs_token web service provides limited account management operations on accounts recognized by local_token_authenticate, a DACS authentication module. Full administrative functionality is provided by dacstoken; refer to dacstoken(1) for detailed information about one-time passwords, token devices, and user accounts. These accounts are completely separate from any other accounts and passwords.
Subject to configuration and valid authorization, this web service lets:
When not operating in demonstration mode, accounts are managed exactly as by dacstoken(1), using the item types auth_token, auth_hotp_token, and auth_totp_token.
The same account security stipulations as dacstoken apply.
The web service applies access controls internally; a DACS ACL can be added to further restrict its use. The internal rules are:
When validating a HOTP one-time password, the TOKEN_HOTP_ACCEPT_WINDOW configuration directive can be used to allow an account's counter value to automatically "catch up" to the token's.
Web Service Arguments
In addition to the standard CGI arguments, dacs_token understands the following CGI arguments:
Unlike the other operations, this operation returns a text/plain MIME type, consisting of the current moving factor (i.e., the HOTP counter value or the TOTP interval value), followed by a space and the corresponding OTP for USERNAME. This facilitates an easy-to-use, REST-type interface. In the case of HOTP, the counter value is advanced, "consuming" the OTP. Only an administrator is allowed to perform this operation, which can be used to build a simple mutual authentication capability:
The appropriateness of TOTP mode for mutual authentication depends on the OTP lifetime and other configuration parameters.
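The two HOTP behaviours described above, the accept window that lets an account's counter "catch up" to the token's, and the administrator-only text/plain response of "moving factor, space, OTP" that a client can check for mutual authentication, are shown below in a self-contained Python example. This is an added illustration, not DACS or dacs_token code; the class and function names (HotpAccount, verify, issue, check_server_response, decode_key) and the accept_window parameter are hypothetical names chosen here, and the sample key is the RFC 4226 test key, encoded in the three KEY_ENCODING forms the page names (hex, base32, none).

```python
"""HOTP (RFC 4226) verification with a look-ahead accept window, plus a client-side
check of a "<moving factor> <otp>" response line.

Added example, not DACS code. HotpAccount, verify, issue, check_server_response and
decode_key are hypothetical names; accept_window stands in for the role that a
directive such as TOKEN_HOTP_ACCEPT_WINDOW plays on the server.
"""
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 test key in the three encodings named on the page.
SAMPLE_KEY = b"12345678901234567890"
SAMPLE_KEY_HEX = "3132333435363738393031323334353637383930"
SAMPLE_KEY_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_key(key: str, encoding: str) -> bytes:
    """Turn a KEY string into raw bytes according to a KEY_ENCODING of hex, base32 or none."""
    if encoding == "hex":
        return bytes.fromhex(key)
    if encoding == "base32":
        # b32decode insists on '=' padding to a multiple of 8 characters.
        padded = key.upper() + "=" * (-len(key) % 8)
        return base64.b32decode(padded)
    if encoding == "none":
        return key.encode("ascii")
    raise ValueError(f"unknown KEY_ENCODING {encoding!r}")


def hotp(key: bytes, counter: int, ndigits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** ndigits)).zfill(ndigits)


class HotpAccount:
    """Server-side state for one account: shared key and the counter expected next."""

    def __init__(self, key: bytes, counter: int = 0, ndigits: int = 6):
        self.key, self.counter, self.ndigits = key, counter, ndigits

    def verify(self, otp: str, accept_window: int = 0) -> bool:
        """Accept otp if it matches the expected counter or any of the next
        accept_window counters; a window of 0 accepts only the exact next value.
        On success the stored counter moves past the matched value, so the token's
        skipped OTPs are consumed and the accepted OTP cannot be replayed."""
        for step in range(accept_window + 1):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.key, candidate, self.ndigits), otp):
                self.counter = candidate + 1
                return True
        return False

    def issue(self) -> str:
        """The text/plain response form: moving factor, a space, the OTP.
        The counter is advanced, which consumes that OTP."""
        line = f"{self.counter} {hotp(self.key, self.counter, self.ndigits)}"
        self.counter += 1
        return line


def check_server_response(line: str, key: bytes, expected_min_counter: int,
                          ndigits: int = 6) -> bool:
    """Client side of the mutual-authentication idea: parse the response line and
    confirm the OTP was produced with the shared key. A counter below the client's
    expectation is rejected so that a captured older response is not accepted."""
    try:
        counter_text, otp = line.strip().split(" ")
        counter = int(counter_text)
    except ValueError:
        return False
    if counter < expected_min_counter:
        return False
    return hmac.compare_digest(hotp(key, counter, ndigits), otp)


if __name__ == "__main__":
    account = HotpAccount(decode_key(SAMPLE_KEY_BASE32, "base32"))
    # Token has been pressed three times without submitting; counter is at 3 on the token.
    print("window 0 :", account.verify(hotp(SAMPLE_KEY, 3)))
    print("window 5 :", account.verify(hotp(SAMPLE_KEY, 3), accept_window=5))
    print("server   :", account.issue())
```

Usage note: with accept_window=0 the server accepts only the next counter, so a token whose user generated a few OTPs without submitting them stops working until it is resynchronized; a small window trades that support cost against a slightly larger guessing surface per attempt, which is why it is a configuration directive rather than a fixed value.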
Set or change the PIN associated with the account for USERNAME. This operation requires the NEW_PIN, CONFIRM_NEW_PIN, MODE, and USERNAME arguments.
Synchronize the account for USERNAME so that the next password produced by the token is expected to be valid. This operation requires the PASSWORD, MODE, and USERNAME arguments.
Create a demonstration account according to the given arguments, configuration values, and defaults. Required arguments: MODE, KEY, KEY_ENCODING. Optional arguments: NEW_PIN, CONFIRM_NEW_PIN, NDIGITS, BASE, SERIAL. Optional HOTP argument: COUNTER. Optional TOTP arguments: DIGEST_NAME, TIME_STEP. The KEY_ENCODING argument, which indicates how the KEY string has been encoded, must be one of hex, base32, or none.
Synchronize a demonstration account using USERNAME, a one-time password or password sequence (SYNC), and optional PIN.
Validate the given demonstration account (USERNAME), one-time password (PASSWORD), and PIN (PIN) in demonstration mode. No credentials are actually issued.
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
BUGS
This version only provides self-service operations for users and limited account management for a DACS administrator; administrators must use dacstoken(1) for everything else. Full-blown web-based token account management should be provided either by dacs_token or by dacs_admin(8).
Demonstration mode accounts should be manually deleted from time to time.
The FORMAT is not understood. XML responses should be implemented.
SEE ALSO
dacstoken(1), dacs.conf(5), dacs_authenticate(8). Also see the OTP token demonstration, token_demo.html.

AUTHOR
Distributed Systems Software (www.dss.ca)

COPYING
Copyright © 2003-2015 Distributed Systems Software. See the LICENSE file that accompanies the distribution for licensing information.