Overview
...
To enable token authentication, a few configuration settings must be added to usr/local/omk/conf/opCommon.nmis for legacy modules or usr/local/omk/conf/opCommon.json for current:
- One or more shared keys must be set up,
- optionally, the maximum validity for tokens may be specified,
- and finally, the authentication method token must be added as one of the three supported authentication methods.
...
```perl
#!/usr/bin/perl
use strict;
use Crypt::CBC;

my ($key, $username, $tokentime) = @ARGV;
die "Usage: $0 <key> <username> [timestamp]
key: passphrase of arbitrary length.
timestamp: optional, default: now\n"
    if (!$key or !$username or (defined $tokentime && !int($tokentime)));
$tokentime ||= time;

# what goes into the token? the token time stamp (in unix-seconds, UTC),
# as a plain string, followed by exactly one space and the username.
my $plain = $tokentime." ".$username;

# defaults: RFC2898/pkcs#5 padding, openssl-compatible salted header mode,
# and openssl-compatible key derivation function (PBKDF) -
# see https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html
# but crypt::cbc's default keysize is an incompatible 64 bits
my $engine = Crypt::CBC->new(-key => $key, -cipher => "Rijndael", -keysize => 128/8);
my $crypted = $engine->encrypt_hex($plain);

print $crypted,"\n";
exit 0;
```
Shell using the OpenSSL CLI
...
```sh
#!/bin/sh
KEY=$1
USER=$2
TEMPFILE=`mktemp /tmp/gentoken.XXXXXX`
NOW=`date +%s`

# printf instead of echo -n: no trailing newline, portable across /bin/sh variants
printf '%s' "$NOW $USER" > "$TEMPFILE"
# see man enc: -salt -e are default, could be omitted;
# openssl requires a real file as input, so we need a temp file
# hexdump converts the binary bytes into their hex representation
openssl aes-128-cbc -in "$TEMPFILE" -salt -e -pass "pass:$KEY" | \
    hexdump -v -e '/1 "%02x"'
echo
rm -f "$TEMPFILE"
exit 0
```
...
Python
Python's pycrypto module should contain everything required, except the OpenSSL-specific PBKDF which can be found here.
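
The OpenSSL-specific key derivation and token framing in Python, as an added example that is not part of the original page or the product's code. It assumes EVP_BytesToKey with MD5 and a single iteration (the classic OpenSSL `enc` derivation; OpenSSL 1.1.0 and later default `enc` to SHA-256 unless `-md md5` is given); all function names are hypothetical, and `make_token` needs pycrypto or pycryptodome.

```python
import hashlib
import os
import time

MAGIC = b"Salted__"  # OpenSSL salted-header marker, followed by 8 salt bytes


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len=16, iv_len=16):
    """EVP_BytesToKey with MD5 and one iteration (assumed digest, see lead-in)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # D_1 = MD5(pass || salt), D_i = MD5(D_{i-1} || pass || salt)
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def pkcs7_pad(data: bytes, block_size=16) -> bytes:
    n = block_size - len(data) % block_size  # always 1..16, never 0
    return data + bytes([n]) * n


def token_plaintext(username: str, when=None) -> bytes:
    """Unix timestamp (UTC seconds), exactly one space, then the username."""
    return f"{int(time.time() if when is None else when)} {username}".encode()


def split_token(token_hex: str):
    """Split a hex token into (salt, ciphertext), rejecting malformed framing."""
    raw = bytes.fromhex(token_hex.strip())
    body = raw[len(MAGIC) + 8:]
    if not raw.startswith(MAGIC) or not body or len(body) % 16:
        raise ValueError("not an OpenSSL-salted AES-CBC token")
    return raw[len(MAGIC):len(MAGIC) + 8], body


def make_token(passphrase: str, username: str, when=None, salt=None) -> str:
    # Needs pycrypto or pycryptodome; imported here so the helpers stay stdlib-only.
    from Crypto.Cipher import AES
    salt = os.urandom(8) if salt is None else salt
    key, iv = evp_bytes_to_key(passphrase.encode(), salt)
    padded = pkcs7_pad(token_plaintext(username, when))
    return (MAGIC + salt + AES.new(key, AES.MODE_CBC, iv).encrypt(padded)).hex()
```

`split_token` checks only the framing of a hex token, which is useful when debugging why a generated token is rejected; it does not decrypt or authenticate anything.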