| Table of Contents |
|---|
Overview
...
To enable token authentication, a few configuration settings must be added to to usr/local/omk/conf/opCommon.nmis for legacy modules or usr/local/omk/conf/opCommon.json for current:
- One or more shared keys must be set up,
- optionally, the maximum validity for tokens may be specified,
- and finally, the authentication method
tokenmust be added as one of the three supported authentication methods.
...
| Code Block |
|---|
#!/usr/bin/perl
use strict;
use Crypt::CBC;
my ($key, $username, $tokentime) = @ARGV;
die "Usage: $0 <key> <username> [timestamp]
key: passphrase of arbitrary length.
timestamp: optional, default: now\n"
if (!$key or !$username or (defined $tokentime && !int($tokentime)));
$tokentime ||= time;
# what goes into the token? the token time stamp (in unix-seconds, UTC),
# as a plain string, followed by exactly one space and the username.
my $plain = $tokentime." ".$username;
# defaults: RFC2898/pkcs#5 padding, openssl-compatible salted header mode,
# and openssl-compatible key derivation function (PBKDF) -
# see https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html
# but crypt::cbc's default keysize is an incompatible 64 bits
my $engine = Crypt::CBC->new(-key => $key,
-cipher => "Rijndael",
-keysize => 128/8);
my $crypted = $engine->encrypt_hex($plain);
print $crypted,"\n";
exit 0;
|
Shell using the OpenSSL CLI
...
| Code Block |
|---|
#!/bin/sh
KEY=$1
USER=$2
TEMPFILE=`mktemp /tmp/gentoken.XXXXXX`
NOW=`date +%s`
echo -n "$NOW $USER" > $TEMPFILE
# see man enc: -salt -e are default, could be omitted;
# openssl requires a real file as input, so we need a temp file
# hexdump converts the binary bytes into their hex representation
openssl aes-128-cbc -in $TEMPFILE -salt -e -pass "pass:$KEY" | \
hexdump -v -e '/1 "%02x"'
echo
rm -f $TEMPFILE
exit 0 |
...
Python
Python's pycrypto module should contain everything required, except the OpenSSL-specific PBKDF which can be found here.