
...

If your system is configured for secure HTTP then it's fine to use https://. Token authentication works for all commercial Opmantek applications (e.g. application keys opEvents, opConfig and so on).

...

  • The token authentication system does not support locking out users after N unsuccessful login attempts.
  • As the token contains the current time at the creating system and is valid for a limited time only, reasonably precise time synchronisation is critical for this method to work.
    If a token could be decrypted but was rejected because it was deemed too old, then a suitable log entry is written to the auth.log.
  • Tokens are not single-use: a token works any number of times as long as it is presented within the configured validity period.

Code Examples for Token Generation

Perl

The following block contains essentially the same code as the token generator shipped as bin/generate_auth_token.pl:

#!/usr/bin/perl
use strict;
use Crypt::CBC;

my ($key, $username, $tokentime) = @ARGV;
die "Usage: $0 <key> <username> [timestamp]
key: passphrase of arbitrary length.
timestamp: optional, default: now\n"
        if (!$key or !$username or (defined $tokentime && !int($tokentime)));
$tokentime ||= time;

#  what goes into the token? the token time stamp (in unix-seconds, UTC),
# as a plain string, followed by exactly one space and the username.
my $plain = $tokentime." ".$username;

# defaults: RFC2898/pkcs#5 padding, openssl-compatible salted header mode,
# and openssl-compatible key derivation function (PBKDF) -
# see https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html
# but crypt::cbc's default keysize is an incompatible 64 bits
my $engine = Crypt::CBC->new(-key     => $key,
                             -cipher  => "Rijndael",
                             -keysize => 128/8);
my $crypted = $engine->encrypt_hex($plain);

print $crypted,"\n";
exit 0;
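
The receiving side of the same token format, as an added Python example (not Opmantek's code): it splits the hex token into its OpenSSL-style salt and ciphertext, derives the AES-128 key and IV as EVP_BytesToKey does with MD5 and one iteration, and applies the freshness check to the decrypted "<timestamp> <username>" string. The function names, the max_age parameter and the rejection of future-dated tokens are assumptions; the AES-CBC decryption step itself is not shown because it needs a non-standard-library cipher module.

```python
import hashlib

MAGIC = b"Salted__"  # OpenSSL salted-header marker, followed by an 8-byte salt

def split_token(token_hex):
    """Split a hex token into (salt, ciphertext); ValueError if malformed."""
    raw = bytes.fromhex(token_hex.strip())
    body = raw[len(MAGIC) + 8:]
    if not raw.startswith(MAGIC) or not body or len(body) % 16:
        raise ValueError("not an OpenSSL-style salted AES-CBC token")
    return raw[len(MAGIC):len(MAGIC) + 8], body

def derive_key_iv(passphrase, salt, key_len=16, iv_len=16):
    """EVP_BytesToKey, MD5, one iteration: D_i = MD5(D_{i-1} + pass + salt)."""
    block, out = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def check_plaintext(plain, now, max_age):
    """Return (username, None) if the token is fresh, else (None, reason)."""
    # Timestamp, exactly one space, then the username (which may hold spaces).
    stamp, sep, username = plain.partition(" ")
    if not sep or not (stamp.isascii() and stamp.isdigit()) or not username:
        return None, "malformed token plaintext"
    age = now - int(stamp)
    if age > max_age:
        return None, "token too old by %d s" % (age - max_age)
    if age < -max_age:  # assumption: also refuse tokens dated far ahead
        return None, "token time is %d s ahead of local clock" % -age
    return username, None

if __name__ == "__main__":
    # Constructed sample: header, salt 01..08, one all-zero ciphertext block.
    sample = "53616c7465645f5f" + "0102030405060708" + "00" * 16
    salt, ciphertext = split_token(sample)
    key, iv = derive_key_iv(b"secret", salt)
    print("salt", salt.hex(), "key", key.hex(), "iv", iv.hex())
    # Presenting the same plaintext twice inside the window succeeds both
    # times, because tokens are not single-use.
    for now in (1700000100, 1700000200, 1700000400):
        print(now, check_plaintext("1700000000 alice", now, max_age=300))
```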

...