12.4. Tools

eduMFA comes with a list of command line tools, which also help to automate tasks. The tools can be found in the directory edumfa/bin.

12.4.1. edumfa-token-janitor

eduMFA comes with a token janitor script. This script can find orphaned tokens, unused tokens, or tokens of a specific type, description or tokeninfo.

It can unassign, delete or disable those tokens, it can set additional tokeninfo or descriptions and perform other tasks on the found tokens.

It can also set the tokenrealms of the found tokens.

If you are unsure whether to delete orphaned tokens right away, because the connection to your user store might have been interrupted briefly, you can mark the orphaned tokens in a first step. A day later you can run the script again and delete those tokens that are (still) orphaned and marked.

The token janitor script can also filter for token attributes and attribute values. It is also possible to check just for the existence or absence of a certain tokeninfo-key.

12.4.1.1. Find

With the token janitor you have the possibility to search for tokens in different ways. You can find tokens by providing filter parameters. Note that you can combine as many filter parameters as you like; this way you reduce the set of found tokens. Several filter parameters allow searching with regular expressions.

The parameters tokentype and username are exact matches and are applied before any other filters. This means that only tokens of the given tokentype and username will be processed. If neither of those two parameters is given, all tokens will be processed and checked against the other filters.

Actions will then be performed only on this reduced set.

These are important filter parameters:

12.4.1.1.1. Orphaned

Searches for tokens that are orphaned. Orphaned tokens are assigned to a user, but the user no longer exists in the user store. This can happen, e.g., if an LDAP user is deleted from the LDAP directory.

Example:

edumfa-token-janitor find --orphaned 1

This returns all orphaned tokens for later processing.

12.4.1.1.2. Active

Searches for tokens that are either active or inactive, i.e. enabled or disabled.

Example:

edumfa-token-janitor find --active False

This returns all disabled tokens. You may later want to delete these disabled tokens.

12.4.1.1.3. Assigned

Searches for tokens that are either assigned to a user or unassigned.

Example:

edumfa-token-janitor find --assigned False

This returns all tokens that are not assigned to a user. You could combine this with other filters, like the tokenkind, to find out how many hardware tokens are not assigned and still available for assignment.

12.4.1.1.4. Last_auth

Searches for all tokens where the last authentication happened longer ago than the given value:

Example:

edumfa-token-janitor find --last_auth 10d

This will find all tokens that did not authenticate within the last 10 days. You can also use "h" and "y" to specify hours and years.

Since last_auth is an entry in the tokeninfo table, you could also search like this:

edumfa-token-janitor find --tokeninfo-key last_auth --tokeninfo-value-after '2021-06-01 18:00:00+0200'

12.4.1.1.5. Description

Searches through all tokens and returns the ones with the selected description.

Example:

edumfa-token-janitor find --description '^fo.*'

Returns all tokens whose description begins with "fo".

12.4.1.1.6. Serial

Searches through all tokens and returns the ones with the selected serial.

Example:

edumfa-token-janitor find --serial OATH0013B2B4

Returns all tokens with the serial OATH0013B2B4.

By searching with regular expressions it is e.g. possible to find YubiKeys, which might be of tokentype "HOTP" but whose serial starts with UBOM.

Example:

edumfa-token-janitor find --serial '^UBOM.*'

12.4.1.1.7. Username

Searches through all tokens and returns the ones belonging to the given username. The username should contain the realm in the format user@realm. If no realm is given, the default realm is used.

Example:

edumfa-token-janitor find --username testuser@testrealm

Returns all tokens belonging to the user testuser in the realm testrealm.

Example:

edumfa-token-janitor find --username testuser

Returns all tokens belonging to the user testuser in the default realm.

12.4.1.1.8. Tokentype

Searches through all tokens and returns the ones with the selected tokentype.

Example:

edumfa-token-janitor find --tokentype hotp

Returns all tokens with the tokentype hotp.

12.4.1.1.9. Tokenattribute

Matches a certain token attribute from the database table token.

There are different ways of filtering here.

12.4.1.1.9.1. tokenattribute-value REGEX|INTEGER

The value that the token attribute should match.

Example:

edumfa-token-janitor find --tokenattribute rollout_state --tokenattribute-value clientwait

Searches for all tokens with the tokenattribute-key rollout_state and the associated tokenattribute-value clientwait.

Note that it is also possible to work with regular expressions here.

12.4.1.1.9.2. tokenattribute-value-less-than INTEGER

Match if the value of the token attribute is less than the given value.

Example:

edumfa-token-janitor find --tokenattribute failcount --tokenattribute-value-less-than 10

Searches for all tokens with the tokenattribute-key failcount and the associated tokenattribute-value below 10. This way you can find tokens whose fail counter is less than 10 and which are thus not blocked.

12.4.1.1.9.3. tokenattribute-value-greater-than INTEGER

Match if the value of the token attribute is greater than the given value.

Example:

edumfa-token-janitor find --tokenattribute failcount --tokenattribute-value-greater-than 10

Searches for all tokens with the tokenattribute-key failcount and the associated tokenattribute-value greater than 10. This way you can find tokens whose fail counter is greater than 10 and which are thus blocked.

12.4.1.1.10. Tokeninfo-key

This matches on values of the tokeninfo, i.e. the database table tokeninfo.

There are different ways of filtering here.

12.4.1.1.10.1. has-tokeninfo-key

Filters for tokens that have the specified tokeninfo-key set, regardless of the key's value.

Example:

edumfa-token-janitor find --has-tokeninfo-key import_time

Searches for all tokens that have the tokeninfo-key import_time set.

Note that it does not matter what value "import_time" actually has.

12.4.1.1.10.2. has-not-tokeninfo-key

Filters for tokens that do not have the specified tokeninfo-key set.

Example:

edumfa-token-janitor find --has-not-tokeninfo-key import_time

Searches for all tokens that do not have the tokeninfo-key import_time stored.

12.4.1.1.10.3. tokeninfo-value REGEX|INTEGER

The tokeninfo-value to match.

Example:

edumfa-token-janitor find --tokeninfo-key tokenkind --tokeninfo-value software

Search for all tokens with the tokeninfo-key tokenkind and the associated tokeninfo-value software.

12.4.1.1.10.4. tokeninfo-value-less-than INTEGER

Interpret tokeninfo-values as integers and match only if they are smaller than the given integer.

Example:

edumfa-token-janitor find --tokeninfo-key timeWindow --tokeninfo-value-less-than 200

Search for all tokens with the tokeninfo-key timeWindow and the associated tokeninfo-value below 200.

12.4.1.1.10.5. tokeninfo-value-greater-than INTEGER

Interpret tokeninfo-values as integers and match only if they are greater than the given integer.

Example:

edumfa-token-janitor find --tokeninfo-key timeWindow --tokeninfo-value-greater-than 100

Search for all tokens with the tokeninfo-key timeWindow and the associated tokeninfo-value greater than 100.

12.4.1.1.11. Actions

Actions are performed by the token janitor on all found tokens.

mark - disable - delete - unassign - export - listuser - tokenrealms

12.4.1.1.11.1. mark

Mark makes it possible to mark the found tokens in order to carry out further actions on them later.

The tokens are marked by setting a tokeninfo-key and an associated tokeninfo-value.

Example:

edumfa-token-janitor find --serial OATH0004C934 --action mark --set-tokeninfo-key unused --set-tokeninfo-value True

A new tokeninfo-key and the associated tokeninfo-value are added to the token OATH0004C934, which is now marked for later processing. If the token already contains this tokeninfo-key, its value is changed.

12.4.1.1.11.2. disable

With disable the found tokens can be disabled.

Example:

edumfa-token-janitor find --serial OATH0004C934 --action disable

The token with the serial OATH0004C934 will be disabled.

12.4.1.1.11.3. delete

With delete the found tokens can be deleted.

Example:

edumfa-token-janitor find --serial OATH0004C934 --action delete

The token with the serial OATH0004C934 will be deleted.

12.4.1.1.11.4. export

With export the found tokens can be exported as csv, yaml or pskc.

CSV will only export HOTP and TOTP tokens. The PSKC file exports HOTP, TOTP and password tokens (PW). YAML can, in theory, export all token types and all tokeninfo.

Example:

edumfa-token-janitor find --serial OATH0004C934 --action export > OATH0004C934.xml

The token with the serial OATH0004C934 will be exported and saved to an XML file.

Note

With PSKC you need your encryption key for re-import.

Note

You can also use the YAML export for re-encrypting data. See Re-Encrypting data.

12.4.1.1.11.5. listuser

With listuser the found tokens are listed in a summarized view.

Example:

edumfa-token-janitor find --action listuser

Lists all tokens in a summarized view.

12.4.1.1.11.5.1. sum

sum is used together with listuser.

For all found tokens, the token janitor aggregates the users and lists how many tokens each user has.

A user without any assigned token is not listed here!

Example:

edumfa-token-janitor find --sum --action listuser

12.4.1.1.11.6. tokenrealms

Tokenrealms can be used to assign tokens to different realms.

To do this, the --tokenrealms parameter is also required.

Please note that without a prior selection of certain tokens, all found tokens will be assigned to the realm.

Example:

edumfa-token-janitor find --serial OATH0005B88E --action tokenrealms --tokenrealms defrealm

Sets the realms of token OATH0005B88E to defrealm.

You can also assign a list of realms, separated by commas.

Example:

edumfa-token-janitor find --serial OATH0005B88E --action tokenrealms --tokenrealms defrealm,realmA,realmB

12.4.1.1.12. Set

With the token janitor it is possible to set new tokeninfo-keys, tokeninfo-values and descriptions.

It is important to note that this is only possible with a previously marked token.

12.4.1.1.12.1. set-tokeninfo-key and set-tokeninfo-value

Set a new tokeninfo-key and a new tokeninfo-value or update the tokeninfo-value of an existing key.

These only work together; it is not possible to set a tokeninfo-key or a tokeninfo-value individually.

Example:

edumfa-token-janitor find --serial OATH0004C934 --action mark --set-tokeninfo-key import_time --set-tokeninfo-value $(date --iso-8601=minutes)

Marks the token with the serial OATH0004C934 and sets the new tokeninfo-key import_time to the value produced by $(date --iso-8601=minutes).

12.4.1.1.12.2. set description

Set a new description.

It is important to note that this is only possible with a previously marked token.

Example:

edumfa-token-janitor find --serial OATH0004C934 --action mark --set-description L4

Marks the token with the serial OATH0004C934 and sets the description to L4.

12.4.2. edumfa-get-unused-tokens

The script edumfa-get-unused-tokens allows you to search for tokens that have not been used for authentication for a while. These tokens can be listed, disabled, marked or deleted.

You can specify how old the last authentication of such a token has to be. You can use the tags h (hours), d (days) and y (years). Specifying 180d will find tokens that were not used for authentication during the last 180 days.

The command:

edumfa-get-unused-tokens disable 180d

will disable those tokens.

This script works well together with the Script Handler Module.
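The two-step handling of orphaned tokens described at the start of the token janitor section (mark first, delete on a later run only what is still orphaned and marked) and the staged retirement of unused tokens described here (disable after a period, delete much later) can both be scripted around the find command. The following is an added example and not part of the eduMFA project. It uses only the options shown in this section; the tokeninfo key orphaned_marked, the 180d and 1y thresholds, the JANITOR variable and the subcommand names are choices made for this script, not project defaults.

```shell
#!/bin/sh
# Staged token cleanup with edumfa-token-janitor (added example, not eduMFA code).
# Assumptions: only the options documented in this section are used; the tokeninfo
# key "orphaned_marked", the 180d/1y thresholds and the JANITOR variable are
# choices made for this script, not project defaults.

JANITOR="${JANITOR:-edumfa-token-janitor}"
MARK_KEY="orphaned_marked"

# --- Orphaned tokens: mark today, delete on a later run -----------------------

# Phase 1: record the date on every token that is orphaned right now.
# Nothing is deleted; a token whose user reappears is no longer orphaned and
# will simply not be matched by phase 2.
mark_orphaned() {
    stamp="${1:-$(date +%Y-%m-%d)}"
    "$JANITOR" find --orphaned 1 --action mark \
        --set-tokeninfo-key "$MARK_KEY" --set-tokeninfo-value "$stamp"
}

# Phase 2: list (preview) or delete tokens that are orphaned now AND were already
# marked on an earlier run. Tokens orphaned since the last run keep their grace
# period because they carry no mark yet.
preview_marked_orphaned() {
    "$JANITOR" find --orphaned 1 --has-tokeninfo-key "$MARK_KEY"
}
delete_marked_orphaned() {
    "$JANITOR" find --orphaned 1 --has-tokeninfo-key "$MARK_KEY" --action delete
}

# --- Unused tokens: disable first, delete much later --------------------------

# Disable tokens that have not authenticated within the period (default 180d).
disable_unused() {
    period="${1:-180d}"
    "$JANITOR" find --last_auth "$period" --action disable
}

# Delete only tokens that are already disabled AND unused for the longer period
# (default 1y). Filters combine, so an enabled but unused token is never deleted.
delete_disabled_unused() {
    period="${1:-1y}"
    "$JANITOR" find --active False --last_auth "$period" --action delete
}

# Dispatcher for running from cron or the shell, e.g. "./cleanup.sh mark".
if [ $# -gt 0 ]; then
    case "$1" in
        mark)            mark_orphaned "$2" ;;
        preview)         preview_marked_orphaned ;;
        delete-orphaned) delete_marked_orphaned ;;
        disable-unused)  disable_unused "$2" ;;
        delete-unused)   delete_disabled_unused "$2" ;;
        *) echo "usage: $0 mark [YYYY-MM-DD] | preview | delete-orphaned | disable-unused [PERIOD] | delete-unused [PERIOD]" >&2 ;;
    esac
fi
```

Running "mark" daily and "delete-orphaned" after the grace period gives a token that was only orphaned because of a short user-store outage a chance to be found again, since a token whose user is back is no longer matched by --orphaned 1. Setting JANITOR=echo prints the composed command lines instead of executing them, which is a convenient way to review what a cron entry will do before enabling it.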