diff --git a/README.md b/README.md index c9fd709..70eb928 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,8 @@ The multiOTP class supports currently the following algorithms and RFC's: - RFC2821 SMTP (Simple Mail Transfer Protocol) - RFC2487 SMTP Service Extension for Secure SMTP over TLS +This package was initially published here : http://www.phpclasses.org/package/6373.html + TABLE OF CONTENTS ================= 
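Review bot: the added sentence in the @@ -37,6 +37,8 @@ hunk lands between the list of supported algorithms and RFCs and the TABLE OF CONTENTS heading, where a reader scanning the list will take it for another list item; a provenance note like this belongs in a history or links section rather than at the tail of the RFC list. Two small things while the line is being written: "here :" has a stray space before the colon, and the phpclasses URL is plain http; if the site serves https, link to that, since readers of an authentication package will click it.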
@@ -1125,367 +1127,367 @@ and you may also check multiotp.cli.header.php which implements the class. MULTIOTP COMMAND LINE TOOL ========================== - -multiOTP 5.0.2.6 (2016-11-04) -(c) 2010-2016 SysCo systemes de communication sa -http://www.multiOTP.net (you can try the [Donate] button ;-) - -*Script folder: D:\Data\projects\multiotp\core\ - -multiotp will check if the token of a user is correct, based on a specified -algorithm (currently Mobile-OTP (http://motp.sf.net), OATH/HOTP (RFC 4226) -and OATH/TOTP (RFC 6238) are implemented). PSKC format supported (RFC 6030). -Supported encryption methods are PAP and CHAP. -Yubico OTP format supported (44 bytes long, with prefixed serial number). -SMS-code are supported (current providers: aspsms,clickatell,intellisms). -Customized SMS sender program supported by specifying exec as SMS provider. - -Google Authenticator base32_seed tokens must be of n*8 characters. -Google Authenticator TOTP tokens must have a 30 seconds interval. -Available characters in base32 are only ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 - -To quickly create a user, use the -fastcreate option with the name of the user. -A quickly created user is compatible with Google Auth (30 seconds, 6 digits). -Depending on the prefix PIN option (WHICH IS ENABLED BY DEFAULT), a prefix PIN -will be requested or not before the displayed token. -If the PIN is not given, it is generated randomly. - -To quickly create a user without a prefix PIN request, use -fastcreatenopin - -To quickly create a user with a prefix PIN request, use -fastecreatewithpin - -If a token is locked (return code 24), you have to resync the token to unlock. -Requesting an SMS token (put sms as the password), and typing the received - token correctly will also unlock the token. 
- -The check will return 0 for a correct token, and the other return code means: - -Return codes: - - 0 ERROR: Authentication failed (and other possible unknown errors) - 8 INFO: Access Challenge returned back to the client - 9 INFO: User successfully created or updated -10 INFO: User successfully deleted -11 INFO: User PIN code successfully changed -12 INFO: Token has been resynchronized successfully -13 INFO: Tokens definition file successfully imported -14 INFO: QRcode successfully created -15 INFO: UrlLink successfully created - 1 INFO: Requested operation successfully done -16 ERROR: User blacklisted -17 ERROR: User doesn't exist -18 ERROR: User already exists -19 ERROR: Invalid algorithm -20 ERROR: User locked (too many tries) -21 ERROR: User delayed (too many tries, but still a hope in a few minutes) -22 ERROR: This token has already been used -23 ERROR: Resynchronization of the token has failed - 2 ERROR: Token doesn't exist -24 ERROR: At least one parameter is missing -25 ERROR: Tokens definition file doesn't exist -26 ERROR: Tokens definition file not successfully imported -27 ERROR: Encryption hash error, encryption key is not matching -28 ERROR: Linked user doesn't exist -29 ERROR: User not created -31 ERROR: Token already attributed - 3 ERROR: Requested operation aborted -33 ERROR: SQL error -40 ERROR: QRcode not created -41 ERROR: UrlLink not created (no provisionable client for this protocol) -48 ERROR: No information on where to send SMS code -49 ERROR: SMS code request received, but an error occurred during transmission -50 ERROR: SMS provider not supported -56 ERROR: Server authentication error -57 ERROR: Server request is not correctly formatted -58 ERROR: Server answer is not correctly formatted - - -Usage: - - PLEASE NOT THAT BY DEFAULT, A PREFIX PIN IS REQUIRED. 
- - multiotp user token (to check if the token is accepted) - multiotp -checkpam (to check with pam-script, using PAM_USER and PAM_AUTHTOK) - - multiotp -requiresms user (generate and send an SMS token to the user) - multiotp user sms (send an SMS token to the user) - - multiotp user [-chap-id=0x..] -chap-challenge=0x... -chap-password=0x... - (the first byte of the chap-password value can contain the chap-id value) - - multiotp -fastcreate user [pin] (create a Google Auth compatible token) - multiotp -fastcreatenopin user [pin] (create a user without a prefix PIN) - multiotp -fastecreatewithpin user [pin] (create a user with a prefix PIN) - multiotp -createga user base32_seed [pin] (create Google Authenticator user) - multiotp -create [-no-prefix-pin] user algo seed pin digits [pos|interval] - multiotp -create -token-id [-no-prefix-pin] [-prefix-pin] user token-id pin - - token-id: id of the previously imported token to attribute to the user - user: name of the user (should be the account name) - algo: available algorithms are mOTP, HOTP and TOTP - seed: hexadecimal seed of the token - pin: private pin code of the user - digits: number of digits given by the token - pos: for HOTP algorithm, position of the next awaited event - interval: for mOTP and TOTP algorithms, token interval time in seconds - - multiotp -import tokens_definition_file [key|pass] (auto-detect format) - multiotp -import-csv csv_tokens_file.csv (tokens definition in a file) - (serial_number;manufacturer;algorithm;seed;digits;interval_or_event) - multiotp -import-pskc pskc_tokens_file.pskc [key|pass] (PSKC format, RFC 6030) - multiotp -import-yubikey yubikey_traditional_format_log.csv (YubiKey) - multiotp -import-dat importAlpine.dat (SafeWord/Aladdin/SafeNet tokens) - multiotp -import-alpine-xml alpineXml.xml (SafeWord/Aladdin/SafeNet) - multiotp -import-xml xml_tokens_definition_file.xml (old Feitian) - multiotp -import-sql tokens_definition_file.sql (ZyXEL/Authenex) - - multiotp -qrcode user 
png_file_name.png (only for TOTP and HOTP) - multiotp -urllink user (only for TOTP and HOTP, generate provisioning URL) - - multiotp -scratchlist user (generate & display scratch passwords for the user) - - multiotp -resync [-status] user token1 token2 (two consecutive tokens) - multiotp -update-pin user pin - - multiotp -[des]activate user - multiotp -[un]lock user - - multiotp -delete user - - multiotp -user-info user - - multiotp -config option1=value1 option2=value2 ... optionN=valueN - options are autoresync: [0|1] enable/disable autoresync during login - attributes-to-encrypt: specific attributes list to encrypt, must be - surrounded by *, like '*token_seed*user_pin*' - backend-type: backend storage type (files|mysql) - clear-otp-attribute: attribute to return for the clear OTP - (for example 'ietf|2' for TekRADIUS) - debug: [0|1] enable/disable enhanced log information - (code result are also displayed on the console) - debug-prefix: add a prefix when using the debug mode - (for example 'Reply-Message := ' for FreeRADIUS) - default-request-prefix-pin: [0|1] prefix PIN enabled/disabled by default - default-request-ldap-pwd: [0|1] LDAP/AD password enabled/disabled by default - display-log: [0|1] enable/disable log display on the console - group-attribute: attribute to return for the group membership - (for example 'Filter-Id' for FreeRADIUS) - issuer: default name of the issuer of the (soft) token - ldap-account-suffix: LDAP/AD account suffix - ldap-activated: [0|1] enable/disable LDAP/AD support - ldap-base-dn: LDAP/AD base - ldap-bind-dn: LDAP/AD bind - ldap-cn-identifier: LDAP/AD cn identifier (default is sAMAccountName) - ldap-default-algorithm: [totp|hotp|motp] default algorithm for new users - ldap-domain-controllers: LDAP/AD domain controller(s), comma separated - ldap-group-attribute: LDAP/AD group attribute (default is memberOf) - ldap-group-cn-identifier: LDAP/AD group cn identifier - (default is sAMAccountName for AD, cn for LDAP) - ldap-in-group: 
LDAP/AD group(s) in which users should be in - ldap-network-timeout: LDAP/AD network timeout (in seconds) - ldap-port: LDAP/AD port (default is set to 389) - ldap-server-password: LDAP/AD server password - ldap-server-type: [1|2] LDAP/AD server type (1=AD, 2=standard LDAP) - ldap-ssl: [0|1] enable/disable LDAP/AD SSL connection - ldap-synced-user-attribute: LDAP/AD attribute used as the account name - ldap-time-limit: LDAP/AD number of sec. to wait for search results - log: [0|1] enable/disable log permanently - radius-reply-attributor: [ = |=] how to attribute a value - ('=' for TekRADIUS, ' = ' for FreeRADIUS) - radius-reply-separator: [,|:|;|cr|crlf] returned attributes separator - ('crlf' for TekRADIUS, ',' for FreeRADIUS) - self-registration: [1|0] enable/disable self-registration of tokens - server-cache-level: [0|1] enable/allow cache from server to client - server-cache-lifetime: lifetime in seconds of the cached information - server-secret: shared secret used for client/server operation - server-timeout: timeout value for the connection to the server - server-type: [xml] type of the server - (only xml server are able to do caching) - server-url: full url of the server for client/server mode - (server_url_1;server_url_2 is accepted) - sms-api-id: SMS API id (clickatell only, give your XML API id) - with exec as provider, define the script to call - (available variables: %from, %to, %msg) - sms-message: SMS message to display before the OTP - sms-originator: SMS sender (if authorized by provider) - sms-password: SMS account password - sms-provider: SMS provider (aspsms,clickatell,intellisms,exec) - sms-userkey: SMS account username or userkey - sql-server: SQL server (FQDN or IP) - sql-username: SQL username - sql-password: SQL password - sql-database: SQL database - sql-config-table: SQL config table, default is multiotp_config - sql-devices-table: SQL devices table, default is multiotp_devices - sql-log-table: SQL log table, default is multiotp_log - 
sql-tokens-table: SQL tokens table, default is multiotp_tokens - sql-users-table: SQL users table, default is multiotp_users - tel-default-country-code: Default country code for phone number - token-serial-number-length: Length of the serial number of the tokens - (used for self-registration) - - multiotp -initialize-backend (when all options are set, it will initialize - the backend, including creating the tables) - - multiotp -set user option1=value1 option2=value2 ... optionN=valueN - options are email: update the email of the user - description: set a description to the user, used for example during - the QRcode generation as the description of the account - group: set/update the group of the user - ldap-pwd: [0|1] the LDAP/AD password is used instead of the pin - pin: set/update the private pin code of the user - prefix-pin: [0|1] the pin and the token must by merged by the user - (if your pin is 1234 and your token displays 5556677, - you will have to type 1234556677) - sms: set/update the sms phone number of the user - - -LDAP/AD integration: - - multiotp -ldap-check - multiotp -ldap-user-info user - multiotp -ldap-users-list - multiotp -ldap-users-sync - - -Backup/restore commands: - - multiotp -backup-config password [file-name] - multiotp -restore-config password file-name - By default, the file name is multiotp.cfg in the current folder. - The file name *MUST BE* multiotp.cfg to be restored in a commercial edition. 
- - -Other commands: - - multiotp -phpinfo - multiotp -showlog - multiotp -tokenslist - multiotp -userslist - multiotp -lockeduserslist - - -Other parameters: - - -base-dir=/full/path/to/the/main/folder/of/multiotp/ - (if the script folder is wrongly detected, this will fix the issue) - - -Switches: - - -debug Enhanced log information activated and code result on console - (the permanent state of debug can be set with -config debug=1) - -display-log Log information will also be displayed on the console - (the permanent state can be set with -config display-log=1) - -network-info Display network info (mode, ip, mask, gateway, dns1, dns2) - -help Display this help page - -keep-local Keep local user even if the server doesn't have it - (if the server doesn't have it, the local one will be checked) - -log Log operation in the log subdirectory or in the database - (the permanent state of log can be set with -config log=1) - -mysql MySQL connection information, comma separated (server,user, - password,database[,log_table[,users_table[,tokens_table]]]) - (this switch is DEPRECATED, use the -config switch instead) - -no-prefix-pin No prefix pin must be merged with the token by the user - (this switch is DEPRECATED, use the -set switch instead) - -param All parameters are logged for debugging purposes - -prefix-pin The pin and the token must be typed merged by the user - (if you pin is 1234 and your token displays 5556677, - you will have to type 1234556677) - (this switch is DEPRECATED, use the -set switch instead) - -request-nt-key This will return the NT_KEY to the radius server - -status Display a status bar during resynchronization - -version Display the current version of the library - -php-version Display the current version of the running PHP interpreter - - -Examples: - - multiotp -display-log -log -debug jimmy ea2315 - multiotp -display-log -log anna 546078 - multiotp -display-log -log -checkpam - multiotp john 5678124578 - - multiotp jimmy sms - - multiotp 
-fastcreate gademo - multiotp -debug -createga gauser 2233445566777733 - multiotp -debug -create -prefix-pin alan TOTP 3683453456769abc3452 2233 6 60 - multiotp -debug -create -prefix-pin anna TOTP 56821bac24fbd2343393 4455 6 30 - multiotp -debug -create -prefix-pin john HOTP 31323334353637383930 5678 6 137 - multiotp -debug -create -token-id -prefix-pin rick 2010090201901 2345 - multiotp -log -create jimmy mOTP 004f5a158bca13984d349a7f23 1234 6 10 - - multiotp -scratchlist gademo - - multiotp -set gademo description="VPN code for gademo" - multiotp -set gademo sms=41791234567 - - multiotp -debug -import tokens.pskc "1234 5678 9012 3456 7890 1234 5678 9012" - multiotp -debug -import-pskc tokens.pskc "qwerty" - multiotp -debug -import 10OTP_data01_upgrade.sql - multiotp -debug -import-dat importAlpine.dat - - multiotp -debug -qrcode gademo gademo.png - multiotp -debug -urllink john - - multiotp -resync john 5678456789 5678345231 - multiotp -resync -status anna 4455487352 4455983513 - multiotp -update-pin alan 4417 - - multiotp -config debug-prefix="Reply-Message := " - - multiotp -config server-cache-level=1 server-cache-lifetime=15552000 - multiotp -config server-secret=MySharedSecret server-type=xml - multiotp -config server-timeout=3 - multiotp -config server-url=http://my.server/multiotp/;my.server2:8112/secure/ - - multiotp -config sms-provider=clickatell sms-userkey=CL1 sms-password=PASS - multiotp -config sms-api-id=1234567 - multiotp -config sms-message="Your SMS-code is:" sms-originator=Company - multiotp -config sms-message="Type %s as code" sms-originator=0041797654321 - - multiotp -config sms-provider=exec sms-api-id="/path/to/app %from %to "%msg"" - - multiotp -config token-serial-number-length=10,12 - - multiotp -config backend-type=mysql sql-server=fqdn.or.ip sql-database=dbname - multiotp -config sql-username=user sql-password=pass - multiotp -initialize-backend - - -multiOTP web service is working fine with any web server supporting PHP. 
- - nginx is a light one under Linux (http://nginx.org/) - - Mongoose is a light one under Windows (http://code.google.com/p/mongoose/) - - and many others like Apache HTTP Server (http://httpd.apache.org/) - -multiOTP is working fine with FreeRADIUS under Linux (http://freeradius.org/) - -multiOTP is working fine under Windows with WinRADIUS, a port of FreeRADIUS -(http://winradius.eu/) - -multiOTP is also working fine with another port of FreeRADIUS -for Windows (http://sourceforge.net/projects/freeradius/) - -multiOTP can be combined with a Raspberry Pi (http://www.raspberrypi.org/) in -order to have a very low budget strong authentication device. Please look at -the readme file in order to learn how to set it up in a few steps. - -When used with TekRADIUS (http://www.tekradius.com) the External-Executable -must be called like this: C:\multiotp\multiotp.exe %ietf|1% %ietf|2% - -Some of other products and services based on multiOTP - - multiOTP Pro 501V Pro version with full web GUI in a tiny virtual appliance - (http://www.multiOTP.com) - - multiOTP Pro 520B Pro version with full web GUI in a tiny hardware device - (http://www.multiOTP.com) - - secuPASS.net simple SMS trusting service for free WLAN Hotspot - (http://www.secuPASS.net) - - mOTP-CP an Open-Source Credential Provider for the Windows Logon - (https://goo.gl/Y8g4ON) - - ownCloud OTP One Time Password app for ownCloud (http://owncloud.org) - (http://goo.gl/mKjt43) - -Visit http://forum.multiotp.net/ for additional support - - + +multiOTP 5.0.2.6 (2016-11-04) +(c) 2010-2016 SysCo systemes de communication sa +http://www.multiOTP.net (you can try the [Donate] button ;-) + +*Script folder: D:\Data\projects\multiotp\core\ + +multiotp will check if the token of a user is correct, based on a specified +algorithm (currently Mobile-OTP (http://motp.sf.net), OATH/HOTP (RFC 4226) +and OATH/TOTP (RFC 6238) are implemented). PSKC format supported (RFC 6030). +Supported encryption methods are PAP and CHAP. 
+Yubico OTP format supported (44 bytes long, with prefixed serial number). +SMS-code are supported (current providers: aspsms,clickatell,intellisms). +Customized SMS sender program supported by specifying exec as SMS provider. + +Google Authenticator base32_seed tokens must be of n*8 characters. +Google Authenticator TOTP tokens must have a 30 seconds interval. +Available characters in base32 are only ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 + +To quickly create a user, use the -fastcreate option with the name of the user. +A quickly created user is compatible with Google Auth (30 seconds, 6 digits). +Depending on the prefix PIN option (WHICH IS ENABLED BY DEFAULT), a prefix PIN +will be requested or not before the displayed token. +If the PIN is not given, it is generated randomly. + +To quickly create a user without a prefix PIN request, use -fastcreatenopin + +To quickly create a user with a prefix PIN request, use -fastecreatewithpin + +If a token is locked (return code 24), you have to resync the token to unlock. +Requesting an SMS token (put sms as the password), and typing the received + token correctly will also unlock the token. 
+ +The check will return 0 for a correct token, and the other return code means: + +Return codes: + + 0 ERROR: Authentication failed (and other possible unknown errors) + 8 INFO: Access Challenge returned back to the client + 9 INFO: User successfully created or updated +10 INFO: User successfully deleted +11 INFO: User PIN code successfully changed +12 INFO: Token has been resynchronized successfully +13 INFO: Tokens definition file successfully imported +14 INFO: QRcode successfully created +15 INFO: UrlLink successfully created + 1 INFO: Requested operation successfully done +16 ERROR: User blacklisted +17 ERROR: User doesn't exist +18 ERROR: User already exists +19 ERROR: Invalid algorithm +20 ERROR: User locked (too many tries) +21 ERROR: User delayed (too many tries, but still a hope in a few minutes) +22 ERROR: This token has already been used +23 ERROR: Resynchronization of the token has failed + 2 ERROR: Token doesn't exist +24 ERROR: At least one parameter is missing +25 ERROR: Tokens definition file doesn't exist +26 ERROR: Tokens definition file not successfully imported +27 ERROR: Encryption hash error, encryption key is not matching +28 ERROR: Linked user doesn't exist +29 ERROR: User not created +31 ERROR: Token already attributed + 3 ERROR: Requested operation aborted +33 ERROR: SQL error +40 ERROR: QRcode not created +41 ERROR: UrlLink not created (no provisionable client for this protocol) +48 ERROR: No information on where to send SMS code +49 ERROR: SMS code request received, but an error occurred during transmission +50 ERROR: SMS provider not supported +56 ERROR: Server authentication error +57 ERROR: Server request is not correctly formatted +58 ERROR: Server answer is not correctly formatted + + +Usage: + + PLEASE NOT THAT BY DEFAULT, A PREFIX PIN IS REQUIRED. 
+ + multiotp user token (to check if the token is accepted) + multiotp -checkpam (to check with pam-script, using PAM_USER and PAM_AUTHTOK) + + multiotp -requiresms user (generate and send an SMS token to the user) + multiotp user sms (send an SMS token to the user) + + multiotp user [-chap-id=0x..] -chap-challenge=0x... -chap-password=0x... + (the first byte of the chap-password value can contain the chap-id value) + + multiotp -fastcreate user [pin] (create a Google Auth compatible token) + multiotp -fastcreatenopin user [pin] (create a user without a prefix PIN) + multiotp -fastecreatewithpin user [pin] (create a user with a prefix PIN) + multiotp -createga user base32_seed [pin] (create Google Authenticator user) + multiotp -create [-no-prefix-pin] user algo seed pin digits [pos|interval] + multiotp -create -token-id [-no-prefix-pin] [-prefix-pin] user token-id pin + + token-id: id of the previously imported token to attribute to the user + user: name of the user (should be the account name) + algo: available algorithms are mOTP, HOTP and TOTP + seed: hexadecimal seed of the token + pin: private pin code of the user + digits: number of digits given by the token + pos: for HOTP algorithm, position of the next awaited event + interval: for mOTP and TOTP algorithms, token interval time in seconds + + multiotp -import tokens_definition_file [key|pass] (auto-detect format) + multiotp -import-csv csv_tokens_file.csv (tokens definition in a file) + (serial_number;manufacturer;algorithm;seed;digits;interval_or_event) + multiotp -import-pskc pskc_tokens_file.pskc [key|pass] (PSKC format, RFC 6030) + multiotp -import-yubikey yubikey_traditional_format_log.csv (YubiKey) + multiotp -import-dat importAlpine.dat (SafeWord/Aladdin/SafeNet tokens) + multiotp -import-alpine-xml alpineXml.xml (SafeWord/Aladdin/SafeNet) + multiotp -import-xml xml_tokens_definition_file.xml (old Feitian) + multiotp -import-sql tokens_definition_file.sql (ZyXEL/Authenex) + + multiotp -qrcode user 
png_file_name.png (only for TOTP and HOTP) + multiotp -urllink user (only for TOTP and HOTP, generate provisioning URL) + + multiotp -scratchlist user (generate & display scratch passwords for the user) + + multiotp -resync [-status] user token1 token2 (two consecutive tokens) + multiotp -update-pin user pin + + multiotp -[des]activate user + multiotp -[un]lock user + + multiotp -delete user + + multiotp -user-info user + + multiotp -config option1=value1 option2=value2 ... optionN=valueN + options are autoresync: [0|1] enable/disable autoresync during login + attributes-to-encrypt: specific attributes list to encrypt, must be + surrounded by *, like '*token_seed*user_pin*' + backend-type: backend storage type (files|mysql) + clear-otp-attribute: attribute to return for the clear OTP + (for example 'ietf|2' for TekRADIUS) + debug: [0|1] enable/disable enhanced log information + (code result are also displayed on the console) + debug-prefix: add a prefix when using the debug mode + (for example 'Reply-Message := ' for FreeRADIUS) + default-request-prefix-pin: [0|1] prefix PIN enabled/disabled by default + default-request-ldap-pwd: [0|1] LDAP/AD password enabled/disabled by default + display-log: [0|1] enable/disable log display on the console + group-attribute: attribute to return for the group membership + (for example 'Filter-Id' for FreeRADIUS) + issuer: default name of the issuer of the (soft) token + ldap-account-suffix: LDAP/AD account suffix + ldap-activated: [0|1] enable/disable LDAP/AD support + ldap-base-dn: LDAP/AD base + ldap-bind-dn: LDAP/AD bind + ldap-cn-identifier: LDAP/AD cn identifier (default is sAMAccountName) + ldap-default-algorithm: [totp|hotp|motp] default algorithm for new users + ldap-domain-controllers: LDAP/AD domain controller(s), comma separated + ldap-group-attribute: LDAP/AD group attribute (default is memberOf) + ldap-group-cn-identifier: LDAP/AD group cn identifier + (default is sAMAccountName for AD, cn for LDAP) + ldap-in-group: 
LDAP/AD group(s) in which users should be in + ldap-network-timeout: LDAP/AD network timeout (in seconds) + ldap-port: LDAP/AD port (default is set to 389) + ldap-server-password: LDAP/AD server password + ldap-server-type: [1|2] LDAP/AD server type (1=AD, 2=standard LDAP) + ldap-ssl: [0|1] enable/disable LDAP/AD SSL connection + ldap-synced-user-attribute: LDAP/AD attribute used as the account name + ldap-time-limit: LDAP/AD number of sec. to wait for search results + log: [0|1] enable/disable log permanently + radius-reply-attributor: [ = |=] how to attribute a value + ('=' for TekRADIUS, ' = ' for FreeRADIUS) + radius-reply-separator: [,|:|;|cr|crlf] returned attributes separator + ('crlf' for TekRADIUS, ',' for FreeRADIUS) + self-registration: [1|0] enable/disable self-registration of tokens + server-cache-level: [0|1] enable/allow cache from server to client + server-cache-lifetime: lifetime in seconds of the cached information + server-secret: shared secret used for client/server operation + server-timeout: timeout value for the connection to the server + server-type: [xml] type of the server + (only xml server are able to do caching) + server-url: full url of the server for client/server mode + (server_url_1;server_url_2 is accepted) + sms-api-id: SMS API id (clickatell only, give your XML API id) + with exec as provider, define the script to call + (available variables: %from, %to, %msg) + sms-message: SMS message to display before the OTP + sms-originator: SMS sender (if authorized by provider) + sms-password: SMS account password + sms-provider: SMS provider (aspsms,clickatell,intellisms,exec) + sms-userkey: SMS account username or userkey + sql-server: SQL server (FQDN or IP) + sql-username: SQL username + sql-password: SQL password + sql-database: SQL database + sql-config-table: SQL config table, default is multiotp_config + sql-devices-table: SQL devices table, default is multiotp_devices + sql-log-table: SQL log table, default is multiotp_log + 
sql-tokens-table: SQL tokens table, default is multiotp_tokens + sql-users-table: SQL users table, default is multiotp_users + tel-default-country-code: Default country code for phone number + token-serial-number-length: Length of the serial number of the tokens + (used for self-registration) + + multiotp -initialize-backend (when all options are set, it will initialize + the backend, including creating the tables) + + multiotp -set user option1=value1 option2=value2 ... optionN=valueN + options are email: update the email of the user + description: set a description to the user, used for example during + the QRcode generation as the description of the account + group: set/update the group of the user + ldap-pwd: [0|1] the LDAP/AD password is used instead of the pin + pin: set/update the private pin code of the user + prefix-pin: [0|1] the pin and the token must by merged by the user + (if your pin is 1234 and your token displays 5556677, + you will have to type 1234556677) + sms: set/update the sms phone number of the user + + +LDAP/AD integration: + + multiotp -ldap-check + multiotp -ldap-user-info user + multiotp -ldap-users-list + multiotp -ldap-users-sync + + +Backup/restore commands: + + multiotp -backup-config password [file-name] + multiotp -restore-config password file-name + By default, the file name is multiotp.cfg in the current folder. + The file name *MUST BE* multiotp.cfg to be restored in a commercial edition. 
+ + +Other commands: + + multiotp -phpinfo + multiotp -showlog + multiotp -tokenslist + multiotp -userslist + multiotp -lockeduserslist + + +Other parameters: + + -base-dir=/full/path/to/the/main/folder/of/multiotp/ + (if the script folder is wrongly detected, this will fix the issue) + + +Switches: + + -debug Enhanced log information activated and code result on console + (the permanent state of debug can be set with -config debug=1) + -display-log Log information will also be displayed on the console + (the permanent state can be set with -config display-log=1) + -network-info Display network info (mode, ip, mask, gateway, dns1, dns2) + -help Display this help page + -keep-local Keep local user even if the server doesn't have it + (if the server doesn't have it, the local one will be checked) + -log Log operation in the log subdirectory or in the database + (the permanent state of log can be set with -config log=1) + -mysql MySQL connection information, comma separated (server,user, + password,database[,log_table[,users_table[,tokens_table]]]) + (this switch is DEPRECATED, use the -config switch instead) + -no-prefix-pin No prefix pin must be merged with the token by the user + (this switch is DEPRECATED, use the -set switch instead) + -param All parameters are logged for debugging purposes + -prefix-pin The pin and the token must be typed merged by the user + (if you pin is 1234 and your token displays 5556677, + you will have to type 1234556677) + (this switch is DEPRECATED, use the -set switch instead) + -request-nt-key This will return the NT_KEY to the radius server + -status Display a status bar during resynchronization + -version Display the current version of the library + -php-version Display the current version of the running PHP interpreter + + +Examples: + + multiotp -display-log -log -debug jimmy ea2315 + multiotp -display-log -log anna 546078 + multiotp -display-log -log -checkpam + multiotp john 5678124578 + + multiotp jimmy sms + + multiotp 
-fastcreate gademo + multiotp -debug -createga gauser 2233445566777733 + multiotp -debug -create -prefix-pin alan TOTP 3683453456769abc3452 2233 6 60 + multiotp -debug -create -prefix-pin anna TOTP 56821bac24fbd2343393 4455 6 30 + multiotp -debug -create -prefix-pin john HOTP 31323334353637383930 5678 6 137 + multiotp -debug -create -token-id -prefix-pin rick 2010090201901 2345 + multiotp -log -create jimmy mOTP 004f5a158bca13984d349a7f23 1234 6 10 + + multiotp -scratchlist gademo + + multiotp -set gademo description="VPN code for gademo" + multiotp -set gademo sms=41791234567 + + multiotp -debug -import tokens.pskc "1234 5678 9012 3456 7890 1234 5678 9012" + multiotp -debug -import-pskc tokens.pskc "qwerty" + multiotp -debug -import 10OTP_data01_upgrade.sql + multiotp -debug -import-dat importAlpine.dat + + multiotp -debug -qrcode gademo gademo.png + multiotp -debug -urllink john + + multiotp -resync john 5678456789 5678345231 + multiotp -resync -status anna 4455487352 4455983513 + multiotp -update-pin alan 4417 + + multiotp -config debug-prefix="Reply-Message := " + + multiotp -config server-cache-level=1 server-cache-lifetime=15552000 + multiotp -config server-secret=MySharedSecret server-type=xml + multiotp -config server-timeout=3 + multiotp -config server-url=http://my.server/multiotp/;my.server2:8112/secure/ + + multiotp -config sms-provider=clickatell sms-userkey=CL1 sms-password=PASS + multiotp -config sms-api-id=1234567 + multiotp -config sms-message="Your SMS-code is:" sms-originator=Company + multiotp -config sms-message="Type %s as code" sms-originator=0041797654321 + + multiotp -config sms-provider=exec sms-api-id="/path/to/app %from %to "%msg"" + + multiotp -config token-serial-number-length=10,12 + + multiotp -config backend-type=mysql sql-server=fqdn.or.ip sql-database=dbname + multiotp -config sql-username=user sql-password=pass + multiotp -initialize-backend + + +multiOTP web service is working fine with any web server supporting PHP. 
+ - nginx is a light one under Linux (http://nginx.org/) + - Mongoose is a light one under Windows (http://code.google.com/p/mongoose/) + - and many others like Apache HTTP Server (http://httpd.apache.org/) + +multiOTP is working fine with FreeRADIUS under Linux (http://freeradius.org/) + +multiOTP is working fine under Windows with WinRADIUS, a port of FreeRADIUS +(http://winradius.eu/) + +multiOTP is also working fine with another port of FreeRADIUS +for Windows (http://sourceforge.net/projects/freeradius/) + +multiOTP can be combined with a Raspberry Pi (http://www.raspberrypi.org/) in +order to have a very low budget strong authentication device. Please look at +the readme file in order to learn how to set it up in a few steps. + +When used with TekRADIUS (http://www.tekradius.com) the External-Executable +must be called like this: C:\multiotp\multiotp.exe %ietf|1% %ietf|2% + +Some of other products and services based on multiOTP + - multiOTP Pro 501V Pro version with full web GUI in a tiny virtual appliance + (http://www.multiOTP.com) + - multiOTP Pro 520B Pro version with full web GUI in a tiny hardware device + (http://www.multiOTP.com) + - secuPASS.net simple SMS trusting service for free WLAN Hotspot + (http://www.secuPASS.net) + - mOTP-CP an Open-Source Credential Provider for the Windows Logon + (https://goo.gl/Y8g4ON) + - ownCloud OTP One Time Password app for ownCloud (http://owncloud.org) + (http://goo.gl/mKjt43) + +Visit http://forum.multiotp.net/ for additional support + +
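Review bot: the @@ -1125,367 +1127,367 @@ hunk cannot be reviewed as shown: it deletes the whole MULTIOTP COMMAND LINE TOOL block and re-adds text that is, as far as a reader can see, character for character identical, so the real change is presumably line endings or trailing whitespace. Please confirm with `git diff -w` (or `--ignore-space-at-eol`) that nothing but whitespace moved, and consider a `.gitattributes` entry such as `* text=auto` so the README is not rewritten wholesale again. Since every line of the block is touched anyway, the copied text carries inconsistencies that should be fixed in the same commit rather than re-committed: the prose says "If a token is locked (return code 24)" while the Return codes table lists 24 as "At least one parameter is missing" and 20 as "User locked (too many tries)"; the prose says the check returns 0 for a correct token while the table lists " 0 ERROR: Authentication failed"; and the entries for 1, 2 and 3 sit out of sequence between 15/16, 23/24 and 31/33, which suggests the table was edited by hand rather than regenerated from `multiotp -help`. Smaller typos: "PLEASE NOT THAT" (NOTE), "must by merged" (be), "if you pin is 1234" (your), "SMS-code are supported" (codes), and the switch spelled "-fastecreatewithpin" in both the prose and the Usage lines next to "-fastcreatenopin"; if the parser really accepts only "-fastecreatewithpin", say so explicitly, otherwise correct the spelling. Two of the Examples also will not paste into a shell as written: `sms-api-id="/path/to/app %from %to "%msg""` has unbalanced nested double quotes, and `server-url=http://my.server/multiotp/;my.server2:8112/secure/` needs quoting because the unquoted `;` ends the command; and since server-secret is the shared secret for that client/server link, showing an https URL there instead of plain http would be the safer example to copy.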