OTPTool
Archie L. Cobbs edited this page Jan 7, 2023 · 4 revisions
The mod-authn-otp distribution includes a command line utility called otptool which performs various operations using one-time passwords. The man page is reproduced here:
OTPTOOL(1) BSD General Commands Manual OTPTOOL(1)
NAME
otptool -- HOTP/OATH one-time password utility
SYNOPSIS
otptool [-Ffht] [-c counter] [-d #digits] [-i secs] [-m PIN] [-w num] key
[password]
DESCRIPTION
otptool is a utility for generating, verifying, and synchronizing one-time
passwords created using the HOTP/OATH algorithm defined by RFC 4226.
The key is the token's binary secret key and may be specified on the command
line as a hexadecimal string, or read from a file using the -F or -f flag.
If no password is given, otptool generates the one-time password corresponding
to the given key and target counter value and prints to standard output the
counter followed by the decimal and hexadecimal one-time passwords. If
password is given, then otptool verifies that password is the correct one-time
password for the given key and counter value. If so, it outputs the counter
value. password may be either the decimal or hexadecimal one-time password.
The target counter value is determined as follows: if the -t flag is given,
use the current time in seconds since the UNIX epoch divided by the configured
time interval (default 30 seconds); otherwise, if the -c flag is given, use
the given counter; otherwise, use the value zero.
In both cases, a range of target counter values may be specified using the -w
flag. When both -w and password are given, otptool will search the entire
range for a matching counter value, starting with the target counter value and
working away from it. This mode can be used to resynchronize an unsynchronized
counter.
OPTIONS
-c Specify the starting target counter value for the one-time password
generation or search. This flag is incompatible with the -t flag; if
neither flag is given, the default value is zero.
-d Specify the required number of digits in the one-time password. Giving
a password argument and specifying a different length here will
result in no match being found (no search is performed). Otherwise,
the default value is the length of password, if given, or else six if
not.
-F Read the key as a hexadecimal string from the file named key.
-f Read the key in raw, binary format from the file named key.
-h Print the usage message and exit successfully.
-i Specify the length of a single time interval in seconds. The default
value is 30 seconds. This flag is ignored unless the -t flag is also
given.
-m Use the Mobile-OTP algorithm with the given PIN instead of the
HOTP/OATH algorithm. This flag implies -i 10 and -d 6. Normally you
also want to specify -t.
-t Use the current time as the basis for the target counter value. This
flag is incompatible with the -c flag.
-w Specify the width of a window of counter values within which to iterate
when generating or searching for one-time passwords. When -t is
used, the window extends the given distance both before and after the
target counter value; otherwise, the window extends forward of the
target counter value. When both password and -t are given, the search
starts with the initial target counter and works away from it in both
directions.
RETURN VALUE
otptool exits with one of the following return values:
0 The one-time password(s) was/were successfully generated, or password
correctly matched the password generated using (one of) the target
counter value(s).
1 otptool was invoked with invalid command line flags or parameters.
2 The given password did not match any counter value(s) in the search
window.
3 A system error occurred.
SEE ALSO
HOTP: An HMAC-Based One-Time Password Algorithm,
http://www.ietf.org/rfc/rfc4226.txt.
mod_authn_otp: Apache module for one-time password authentication,
https://github.com/archiecobbs/mod-authn-otp.
Mobile-OTP: Mobile One Time Passwords, http://motp.sourceforge.net/.
AUTHOR
Archie L. Cobbs <[email protected]>
BSD June 21, 2008 BSD