authentication

OTP Tokens

Manage one-time password tokens for two-factor authentication. A token is either TOTP (time-based, RFC 6238) or HOTP (counter-based, RFC 4226) and is assigned to one owner. The commands below create a token with a random or supplied Base32 secret, display a QR code for mobile authenticator apps at creation time, let the owner or delegated managers maintain it, disable and re-enable it, bound its validity with not-before/not-after dates, and remove it. Both hardware tokens, whose preprogrammed secret is supplied at creation, and software authenticators are supported.

7 commands

Manage OTP tokens.

IPA supports the use of OTP tokens for multi-factor authentication. This code enables the management of OTP tokens.

EXAMPLES

Add a new token:

ipa otptoken-add --type=totp --owner=jdoe --desc="My soft token"

Examine the token:

ipa otptoken-show a93db710-a31a-4639-8647-f15b2c70b78a

Change the vendor:

ipa otptoken-mod a93db710-a31a-4639-8647-f15b2c70b78a --vendor="Red Hat"

Delete a token:

ipa otptoken-del a93db710-a31a-4639-8647-f15b2c70b78a
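The QR code that otptoken-add displays is read by authenticator apps as an otpauth:// key URI carrying the same values as the --key, --algo, --digits, --interval and --counter options. What follows is an added example, not FreeIPA's own code, that builds such a URI from those values and parses one back with validation so a malformed URI is caught before it reaches a device. The label layout owner@REALM:token-id and the parameter names (secret, issuer, algorithm, digits, period, counter) follow the de facto Key URI format and are assumptions, not something this page documents.

```python
"""Build and check the otpauth:// key URI that an authenticator app reads
from the QR code shown by otptoken-add.  Added example, not FreeIPA code:
the label layout owner@REALM:token-id is an assumption; the parameters
(secret, issuer, algorithm, digits, period, counter) follow the de facto
Key URI format that mobile authenticator apps accept."""
import base64
import os
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

ALGORITHMS = ("sha1", "sha256", "sha384", "sha512")


def random_base32_secret(nbytes: int = 20) -> str:
    """Fresh secret, as when --key is omitted; 20 bytes is RFC 4226's minimum."""
    return base64.b32encode(os.urandom(nbytes)).decode().rstrip("=")


def build_otpauth_uri(token_type: str, owner: str, realm: str, token_id: str,
                      secret_b32: str, algo: str = "sha1", digits: int = 6,
                      interval: int = 30, counter: int = 0) -> str:
    """otpauth://TYPE/LABEL?PARAMS built from the otptoken-add option values."""
    if token_type not in ("totp", "hotp"):
        raise ValueError("type must be totp or hotp")
    if algo.lower() not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algo}")
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    params = {"secret": secret_b32, "issuer": f"{owner}@{realm}",
              "algorithm": algo.upper(), "digits": digits}
    if token_type == "totp":
        params["period"] = interval
    else:
        params["counter"] = counter
    # safe="" so '@' and ':' in the assumed label are percent-encoded
    label = quote(f"{owner}@{realm}:{token_id}", safe="")
    return f"otpauth://{token_type}/{label}?{urlencode(params)}"


def parse_otpauth_uri(uri: str) -> dict:
    """Decode a URI and reject anything malformed before it reaches a device."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q.get("secret", "").upper()
    if not secret:
        raise ValueError("secret is required")
    # b32decode raises binascii.Error (a ValueError) on characters outside Base32
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    algo = q.get("algorithm", "SHA1").lower()
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algo}")
    digits = int(q.get("digits", "6"))
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    out = {"type": u.netloc, "label": unquote(u.path.lstrip("/")),
           "issuer": q.get("issuer"), "key": key, "algo": algo, "digits": digits}
    if u.netloc == "totp":
        out["interval"] = int(q.get("period", "30"))
    elif "counter" in q:
        out["counter"] = int(q["counter"])
    else:
        raise ValueError("hotp URIs must carry a counter")
    return out
```

The secret inside the URI is the token's long-term key, so treat the QR code and the otptoken-add output that contains it as you would the --key value itself: show it once on a trusted terminal and do not log or screenshot it.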

Commands


Command Description


otptoken-add Add a new OTP token.

otptoken-add-managedby Add users that can manage this token.

otptoken-del Delete an OTP token.

otptoken-find Search for OTP tokens.

otptoken-mod Modify an OTP token.

otptoken-remove-managedby Remove users that can manage this token.

otptoken-show Display information about an OTP token.


otptoken-add

Usage: ipa [global-options] otptoken-add [ID] [options]

Add a new OTP token.

Arguments


Argument Required Description


ID no Unique ID (default: a generated UUID, as in the examples above)


Options


Option Description


--type TYPE Type of the token: totp (time-based) or hotp (counter-based) (default: totp)

--desc DESC Token description (informational only)

--owner OWNER Assigned user of the token (default: self)

--disabled DISABLED Mark the token as disabled (default: false)

--not-before NOT-BEFORE First date/time the token can be used

--not-after NOT-AFTER Last date/time the token can be used

--vendor VENDOR Token vendor name (informational only)

--model MODEL Token model (informational only)

--serial SERIAL Token serial (informational only)

--key KEY Token secret (Base32; default: random). Needed for hardware tokens whose secret is preprogrammed; for software tokens omit it so the server generates one, since a value given here is recorded in shell history.

--algo ALGO Token hash algorithm: sha1, sha256, sha384 or sha512 (default: sha1)

--digits DIGITS Number of digits each token code will have: 6 or 8 (default: 6)

--offset OFFSET TOTP token / IPA server clock difference in seconds, for a token whose clock has drifted

--interval INTERVAL Length of each TOTP time step in seconds (default: 30)

--counter COUNTER Initial counter for the HOTP token (default: 0)

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--no-qrcode Do not display QR code

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.
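Reading the options above as a verifier sees them, here is an added example (illustrative Python, not FreeIPA's own implementation) that generates HOTP and TOTP codes from a Base32 --key with the --algo, --digits, --interval, --counter and --offset values, and then checks a submitted code the way a server must: refusing disabled tokens and tokens outside their --not-before/--not-after window, tolerating one time step of drift, never accepting a TOTP step twice, and resynchronising an HOTP counter by a bounded look-ahead. The one-step window, the look-ahead of 10, the sign of the clock offset and the use of Unix timestamps for the validity dates are assumptions of the example; the reference values come from the RFC 4226 and RFC 6238 test vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation plus server-side
verification, written to show what --key, --algo, --digits, --interval,
--counter, --offset, --disabled, --not-before and --not-after control.
Added illustration, not FreeIPA's own code: the +/-1 step window, the
HOTP look-ahead of 10, the replay watermark and the offset sign are
assumptions."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def decode_base32_key(key_b32: str) -> bytes:
    """--key takes Base32; tolerate lowercase, spaces and missing padding."""
    s = key_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, algo: str = "sha1", digits: int = 6) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, algo: str = "sha1", digits: int = 6,
         interval: int = 30, offset: int = 0) -> str:
    """RFC 6238: HOTP over the time step; offset is the seconds by which the
    token's clock differs from the server's (sign convention assumed)."""
    return hotp(key, (now + offset) // interval, algo, digits)


@dataclass
class Token:
    """Fields mirror otptoken-add options; validity dates are Unix seconds
    here, whereas the CLI takes date/time strings."""
    key: str                          # --key (Base32)
    type: str = "totp"                # --type
    algo: str = "sha1"                # --algo
    digits: int = 6                   # --digits
    interval: int = 30                # --interval (TOTP only)
    counter: int = 0                  # --counter (HOTP): next expected value
    offset: int = 0                   # --offset (TOTP only)
    disabled: bool = False            # --disabled
    not_before: Optional[int] = None  # --not-before
    not_after: Optional[int] = None   # --not-after
    last_step: int = -1               # server-side replay watermark (assumed)


def usable(tok: Token, now: int) -> bool:
    """Disabled tokens and tokens outside their validity window never verify."""
    if tok.disabled:
        return False
    if tok.not_before is not None and now < tok.not_before:
        return False
    if tok.not_after is not None and now > tok.not_after:
        return False
    return True


def verify(tok: Token, code: str, now: int, window: int = 1, lookahead: int = 10) -> bool:
    """Check a submitted code and advance the token's state on success."""
    if not usable(tok, now) or len(code) != tok.digits or not code.isdigit():
        return False
    key = decode_base32_key(tok.key)
    if tok.type == "totp":
        step = (now + tok.offset) // tok.interval
        for s in range(step - window, step + window + 1):
            if s <= tok.last_step:      # a step already used is a replay
                continue
            if hmac.compare_digest(hotp(key, s, tok.algo, tok.digits), code):
                tok.last_step = s
                return True
        return False
    for c in range(tok.counter, tok.counter + lookahead):
        if hmac.compare_digest(hotp(key, c, tok.algo, tok.digits), code):
            tok.counter = c + 1         # resynchronise past the accepted counter
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret "12345678901234567890" in Base32.
    tok = Token(key="GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", digits=8)
    code = totp(decode_base32_key(tok.key), 59, digits=8)
    print(code, verify(tok, code, 59), verify(tok, code, 59))  # 94287082 True False
```

Two details matter in practice. A TOTP code is only as good as the clock agreement, which is what --offset exists to repair for a single drifting token; if many tokens start failing at once, check the server's time source before touching tokens. An HOTP counter that has run ahead of the look-ahead (a user pressing the button many times) cannot be accepted until the stored counter is corrected, which is why the initial --counter must match the device at enrolment.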


otptoken-add-managedby

Usage: ipa [global-options] otptoken-add-managedby ID [options]

Add users that can manage this token, for example a help desk account. A manager is distinct from the owner set with --owner: managers maintain the token but do not authenticate with it.

Arguments


Argument Required Description


ID yes Unique ID


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--users USERS Users to add as managers of this token


otptoken-del

Usage: ipa [global-options] otptoken-del ID [options]

Delete an OTP token.

Arguments


Argument Required Description


ID yes Unique ID


Options


Option Description


--continue Continuous mode: Don’t stop on errors.



otptoken-find

Usage: ipa [global-options] otptoken-find [CRITERIA] [options]

Search for OTP tokens.

Arguments


Argument Required Description


CRITERIA no A string searched in all relevant object attributes


Options


Option Description


--id ID Unique ID

--type TYPE Type of the token

--desc DESC Token description (informational only)

--owner OWNER Assigned user of the token (default: self)

--disabled DISABLED Mark the token as disabled (default: false)

--not-before NOT-BEFORE First date/time the token can be used

--not-after NOT-AFTER Last date/time the token can be used

--vendor VENDOR Token vendor name (informational only)

--model MODEL Token model (informational only)

--serial SERIAL Token serial (informational only)

--algo ALGO Token hash algorithm

--digits DIGITS Number of digits each token code will have

--offset OFFSET TOTP token / IPA server time difference

--interval INTERVAL Length of TOTP token code validity

--counter COUNTER Initial counter for the HOTP token

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“id”)


otptoken-mod

Usage: ipa [global-options] otptoken-mod ID [options]

Modify an OTP token.

Arguments


Argument Required Description


ID yes Unique ID


Options


Option Description


--desc DESC Token description (informational only)

--owner OWNER Assigned user of the token (default: self)

--disabled DISABLED Mark the token as disabled (default: false). A disabled token is rejected at authentication but keeps its secret and counter state, so it can be re-enabled once a lost device is recovered; prefer this to deleting while a loss is being investigated.

--not-before NOT-BEFORE First date/time the token can be used

--not-after NOT-AFTER Last date/time the token can be used

--vendor VENDOR Token vendor name (informational only)

--model MODEL Token model (informational only)

--serial SERIAL Token serial (informational only)

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--delattr DELATTR Delete an attribute/value pair. The option will be evaluated

--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--rename RENAME Rename the OTP token object


otptoken-remove-managedby

Usage: ipa [global-options] otptoken-remove-managedby ID [options]

Remove users that can manage this token.

Arguments


Argument Required Description


ID yes Unique ID


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--users USERS Users to remove from the managers of this token


otptoken-show

Usage: ipa [global-options] otptoken-show ID [options]

Display information about an OTP token.

Arguments


Argument Required Description


ID yes Unique ID


Options


Option Description


--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.
