otpadm - Manage One-Time Password Authentication
otpadm [-u user] subcommand [subcommand-options]
otpadm [-u user] set <attribute[=value]> [<attribute>[=value]] ...
otpadm [-u user] get [attribute1] [attribute2] ...
otpadm [-u user] generate <attribute[=value]> [<attribute>[value]] ...
otpadm [-u user] expunge
The otpadm utility is used to display, configure and manage one-time password (OTP) based authentication. The OTP schemes based on IETF RFCs 4226 and 6238 are supported. It can also be used by an authorized administrator to manage the OTP configuration for any user.
The following option is supported:
Configures OTP for the specified user
The following subcommands are supported:
The set subcommand is used to set/modify/reset the per-user OTP attributes. If the attribute value is present in the argument, the attribute is set to this new value. If the attribute value is omitted, that attribute gets reset to the default. For more information, see the OTP 'Attributes' section
Setting the secret attribute without a value securely generates a new, random secret. If the value to the secret attribute is a file path (secret=<file>), it is set to the value present in the file
The get subcommand is used to display the current value of the per-user OTP attributes. If no attributes are specified, it prints all the attributes relevant to the current mode (timer or counter) except secret
The value of the secret attribute can be requested by getting secret. The secret is printed in base32 encoding
The generate subcommand is used to generate the current OTP auth code. The attribute/value arguments temporarily override existing user configuration. It can be used to generate an auth code for a different secret provided through a file using secret=<file> syntax similar to the set subcommand
The expunge subcommand deletes and resets the OTP state for the specified user. If no user is specified, it expunges for the current user. This implicitly resets all configuration parameters to the defaults and destroys the shared secret. Users may not expunge OTP configuration, if doing so would prevent future authentication
The following attributes are supported:
The current mode of OTP auth code generation algorithm. It can be either counter or timer. The counter mode indicates that an incrementing counter is used to generate the code (see RFC 4226) and timer mode indicates that the code gets generated based on the current timestamp (see RFC 6238). The default value is timer
The hmac-sha algorithm in use to generate the OTP auth code. It can be hmac-sha1, hmac-sha256 or hmac-sha512. The default is hmac-sha1
The number of digits in an authentication code. The default and minimum value is 6. It must be in the inclusive range of 6 to 10
The current value of the HOTP counter to be used for code generation. Setting a new HOTP secret resets the counter. The counter value may be initialized when the secret is set by setting this property. The value of hotp-counter may not be modified except when a new secret is set
The number of seconds to add to current Unix time when generating the authentication codes. It gets adjusted automatically to account for the clock drift over time. This is enabled only when totp-resync-window is 2 or greater. The default value is 15 seconds
The time of the last successful timer based authentication. This is a read-only attribute
The secret key shared between the protected system and the auth code generating device
The length of the secret key shared
A constant value OTP code used to verify correct entry of the secret values into the authentication device. This is a read-only attribute
The following authorizations control which otpadm subcommands a user may execute on behalf of others.
Allows configuration of the OTP for all users on the system
It is required for:
otpadm –u <user> set
otpadm –u <user> get
otpadm –u <user> expunge
Allows reading of all the OTP secrets
It is required for:
otpadm –u <user> set secret=<file>
otpadm –u <user> get secret
otpadm –u <user> generate
A profile, "OTP Auth Manage All Users", is shipped with the system to facilitate granting administrative authorizations.
It should be noted that otpadm generate will also succeed if the user has read-access to the secret file in question. Authorization is only required to access a user's protected OTP secret, that is, the file maintained by otpadm for system access. Alternatively, the secret for otpadm generate may be read from any file to which the user has access.
Per-user configuration is stored under /var/share/user/$user/otp file. The contents of this directory include the user's shared secret. The exact location, format and contents of this directory may change in the future and should not be relied upon.
The generate subcommand is Volatile, intended for testing only. All other subcommands are Committed.