https://wiki.archlinux.org/api.php?action=feedcontributions&user=Zutro007&feedformat=atomArchWiki - User contributions [en]2024-03-29T06:40:42ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=GDM&diff=438760GDM2016-06-22T20:22:03Z<p>Zutro007: /* Log-in screen background image */ bug correction in the script</p>
<hr />
<div>[[Category:Display managers]]<br />
[[Category:GNOME]]<br />
[[es:GDM]]<br />
[[ja:GDM]]<br />
[[pt:GDM]]<br />
[[zh-CN:GDM]]<br />
{{Related articles start}}<br />
{{Related|GNOME}}<br />
{{Related|GNOME Flashback}}<br />
{{Related|Display manager}}<br />
{{Related|LightDM}}<br />
{{Related|LXDM}}<br />
{{Related articles end}}<br />
From [https://wiki.gnome.org/Projects/GDM GDM - GNOME Display Manager]: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."<br />
<br />
[[Display manager]]s provide [[X Window System]] and [[Wayland]] users with a graphical login prompt.<br />
<br />
== Installation ==<br />
<br />
GDM can be [[installed]] with the {{Pkg|gdm}} package, and it is installed as part of the {{grp|gnome}} group. To start GDM at boot time [[enable]] {{ic|gdm.service}}.<br />
<br />
If you would prefer to use legacy GDM which was used in GNOME 2 and has its own configuration utility, install the {{AUR|gdm-old}} package. Note that the rest of this article discusses current GDM, not legacy GDM, unless indicated otherwise.<br />
<br />
You might also wish to install the following:<br />
* {{App|gdm3setup|An interface to configure GDM3, autologin options and change Shell theme|https://github.com/Nano77/gdm3setup|{{AUR|gdm3setup}}}}<br />
<br />
== Configuration ==<br />
<br />
=== Autostarting applications with GDM ===<br />
<br />
See [[Display manager#Autostarting]]. Note that adding scripts to {{ic|/etc/gdm/Init}} no longer works, see the [https://bugzilla.gnome.org/show_bug.cgi?id=751602 upstream bug report].<br />
<br />
=== Log-in screen background image ===<br />
<br />
{{Note|Since GNOME 3.16, GNOME Shell themes are now stored binary files (gresource).}}<br />
<br />
Firstly, you need to extract the existing GNOME Shell theme to a folder in your home directory. You can do this using the following script:<br />
<br />
{{hc|extractgst.sh|2=<br />
#!/bin/sh<br />
<br />
workdir=${HOME}/shell-theme<br />
if [ ! -d ${workdir}/theme ]; then<br />
mkdir -p ${workdir}/theme<br />
fi<br />
gst=/usr/share/gnome-shell/gnome-shell-theme.gresource<br />
<br />
for r in `gresource list $gst`; do<br />
gresource extract $gst $r >$workdir/${r#\/org\/gnome\/shell/}<br />
done}}<br />
<br />
Navigate to the created directory. You should find that the theme files have been extracted to it. Now copy your preferred background image to this directory.<br />
<br />
Next, you need to create a file in the directory with the following content:<br />
<br />
{{hc|gnome-shell-theme.gresource.xml|2=<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<gresources><br />
<gresource prefix="/org/gnome/shell/theme"><br />
<file>calendar-arrow-left.svg</file><br />
<file>calendar-arrow-right.svg</file><br />
<file>calendar-today.svg</file><br />
<file>checkbox-focused.svg</file><br />
<file>checkbox-off-focused.svg</file><br />
<file>checkbox-off.svg</file><br />
<file>checkbox.svg</file><br />
<file>close-window.svg</file><br />
<file>close.svg</file><br />
<file>corner-ripple-ltr.png</file><br />
<file>corner-ripple-rtl.png</file><br />
<file>dash-placeholder.svg</file><br />
<file>filter-selected-ltr.svg</file><br />
<file>filter-selected-rtl.svg</file><br />
<file>gnome-shell.css</file><br />
<file>gnome-shell-high-contrast.css</file><br />
<file>logged-in-indicator.svg</file><br />
<file>'''filename'''</file><br />
<file>more-results.svg</file><br />
<file>no-events.svg</file><br />
<file>no-notifications.svg</file><br />
<file>noise-texture.png</file><br />
<file>page-indicator-active.svg</file><br />
<file>page-indicator-inactive.svg</file><br />
<file>page-indicator-checked.svg</file><br />
<file>page-indicator-hover.svg</file><br />
<file>process-working.svg</file><br />
<file>running-indicator.svg</file><br />
<file>source-button-border.svg</file><br />
<file>summary-counter.svg</file><br />
<file>toggle-off-us.svg</file><br />
<file>toggle-off-intl.svg</file><br />
<file>toggle-on-hc.svg</file><br />
<file>toggle-on-us.svg</file><br />
<file>toggle-on-intl.svg</file><br />
<file>ws-switch-arrow-up.png</file><br />
<file>ws-switch-arrow-down.png</file><br />
</gresource><br />
</gresources>}}<br />
<br />
Replace '''filename''' with the filename of your background image.<br />
<br />
Now, open the {{ic|gnome-shell.css}} file in the directory and change the {{ic|#lockDialogGroup}} definition as follows:<br />
<br />
#lockDialogGroup {<br />
background: #2e3436 url('''filename''');<br />
background-size: '''[WIDTH]'''px '''[HEIGHT]'''px;<br />
background-repeat: no-repeat;<br />
}<br />
<br />
Set {{ic|background-size}} to the resolution that GDM uses, this might not necessarily be the resolution of the image. For a list of display resolutions see [[wikipedia:Display_resolution#Computer_monitors|Display resolution]]. Again, set '''filename''' to be the name of the background image.<br />
<br />
Finally, compile the theme using the following command:<br />
$ glib-compile-resources gnome-shell-theme.gresource.xml<br />
Then copy the resulting {{ic|gnome-shell-theme.gresource}} file to the {{ic|/usr/share/gnome-shell}} directory.<br />
<br />
Restart GDM - you should find that it is using your preferred background image.<br />
<br />
For more information, please see the following [https://bbs.archlinux.org/viewtopic.php?id&#61;197036 forum thread].<br />
<br />
=== DConf configuration ===<br />
<br />
Some GDM settings are stored in a DConf database. They can be configured either by adding ''keyfiles'' to the {{ic|/etc/dconf/db/gdm.d}} directory and then recompiling the GDM database by running {{ic|dconf update}} as root or by logging into the GDM user on the system and changing the setting directly using the ''gsettings'' command line tool. Note that for the former approach, a GDM profile file is required - this must be created manually as it is no longer shipped upstream, see below:<br />
{{hc|/etc/dconf/profile/gdm|<br />
user-db:user<br />
system-db:gdm<br />
file-db:/usr/share/gdm/greeter-dconf-defaults}}<br />
For the latter approach, you can log into the GDM user with the command below:<br />
# machinectl shell gdm@<br />
<br />
==== Log-in screen logo ====<br />
<br />
Either create the following keyfile<br />
{{hc|/etc/dconf/db/gdm.d/02-logo|2=<br />
[org/gnome/login-screen]<br />
logo=<nowiki>'</nowiki>''/path/to/logo.png''<nowiki>'</nowiki>}}<br />
and then recompile the GDM database or alternatively log in to the GDM user and execute the following:<br />
$ gsettings set org.gnome.login-screen logo <nowiki>'</nowiki>''/path/to/logo.png''<nowiki>'</nowiki><br />
<br />
==== Changing the cursor theme ====<br />
<br />
GDM disregards [[GNOME]] cursor theme settings and it also ignores the cursor theme set according to the [[Cursor themes#XDG specification|XDG specification]]. To change the cursor theme used in GDM, either create the following keyfile<br />
<br />
{{hc|/etc/dconf/db/gdm.d/10-cursor-settings|<br />
<nowiki>[org/gnome/desktop/interface]<br />
cursor-theme='</nowiki>''theme-name'''<br />
}}<br />
and then recompile the GDM database or alternatively log in to the GDM user and execute the following:<br />
$ gsettings set org.gnome.desktop.interface cursor-theme <nowiki>'</nowiki>''theme-name''<nowiki>'</nowiki><br />
<br />
==== Larger font for log-in screen ====<br />
<br />
Click on the accessibility icon at the top right of the screen (a white circle with the silhouette of a person in the centre) and check the ''Large Text'' option.<br />
<br />
To set a specific scaling factor, you can create the following keyfile:<br />
{{hc|/etc/dconf/db/gdm.d/03-scaling|2=<br />
[org/gnome/desktop/interface]<br />
text-scaling-factor=<nowiki>'</nowiki>''1.25''<nowiki>'</nowiki>}}<br />
and then recompile the GDM database or alternatively log in to the GDM user and execute the following:<br />
$ gsettings set org.gnome.desktop.interface text-scaling-factor <nowiki>'</nowiki>''1.25''<nowiki>'</nowiki><br />
<br />
==== Turning off the sound ====<br />
<br />
This tweak disables the audible feedback heard when the system volume is adjusted (via keyboard) on the login screen.<br />
<br />
Either create the following keyfile:<br />
{{hc|/etc/dconf/db/gdm.d/04-sound|2=<br />
[org/gnome/desktop/sound]<br />
event-sounds='false'}}<br />
and then recompile the GDM database or alternatively log in to the GDM user and execute the following:<br />
$ gsettings set org.gnome.desktop.sound event-sounds 'false'<br />
<br />
==== Make the power button interactive ====<br />
{{Out of date|Some button-* configuration options are no longer available from GDM 3.18.|section="Make the power button interactive" no longer possible with GDM 3.18}}<br />
The behaviour of the power buttons can be configured in GDM. The example below will configure the power and hibernate buttons to ''Show dialog'':<br />
<br />
Create the following keyfile:<br />
{{hc|/etc/dconf/db/gdm.d/05-power|2=<br />
[org/gnome/settings-daemon/plugins/power button]<br />
power='interactive'<br />
hibernate='interactive'}}<br />
and then recompile the GDM database.<br />
<br />
{{Warning|Please note that the [[acpid]] daemon also handles the "power button" and "hibernate button" events. Running both systems at the same time may lead to unexpected behaviour.}}<br />
<br />
==== Enabling tap-to-click ====<br />
<br />
Tap-to-click is disabled in GDM (and GNOME) by default, but you can easily enable it with a dconf setting.<br />
<br />
{{Note|If you want to do this under X, you have to first set up correct X server access permissions - see [[#Configure X server access permission]].}}<br />
<br />
To directly enable tap-to-click, use:<br />
<br />
{{bc|# sudo -u gdm gsettings set org.gnome.desktop.peripherals.touchpad tap-to-click true}}<br />
<br />
If you prefer to do this with a GUI, use:<br />
<br />
{{bc|# sudo -u gdm dconf-editor}}<br />
<br />
To check the if it was set correctly, use:<br />
<br />
{{bc|$ sudo -u gdm gsettings get org.gnome.desktop.peripherals.touchpad tap-to-click}}<br />
<br />
=== GDM keyboard layout ===<br />
<br />
See [[Keyboard configuration in Xorg#Using X configuration files]].<br />
<br />
{{Tip|See [[Wikipedia:ISO 3166-1]] for a list of keymaps.}}<br />
<br />
==== GNOME Control Center ====<br />
<br />
{{Out of date|This is no longer applicable at least on Gnome Shell 3.20.2.}}<br />
<br />
If the package {{Pkg|gnome-control-center}} is installed, the keyboard layout(s) can be configured using a graphical frontend. Start ''gnome-control-center'' and navigate to ''Keyboard -> Input Sources''. Then, in the header bar, hit the ''Login Screen'' toggle button to configure the keyboard layout for GDM specifically.<br />
<br />
==== GDM 2.x layout ====<br />
<br />
Users of legacy GDM may need to follow the instructions below:<br />
<br />
Edit {{ic|~/.dmrc}}:<br />
<br />
{{hc|~/.dmrc|2=<br />
[Desktop]<br />
Language=de_DE.UTF-8 # change to your default lang<br />
Layout=de nodeadkeys # change to your keyboard layout<br />
}}<br />
<br />
=== Change the language ===<br />
<br />
To change the GDM language, ensure that {{Pkg|gnome-control-center}} is installed. Then, start ''gnome-control-center'' and choose ''Region & Language''. In the header bar, check the ''Login Screen'' toggle button. Finally, click on ''Language'' and choose your language from the list. You will be prompted for your root password.<br />
<br />
{{Out of date|I could not get the method below to work with GDM 3.18.0 - tested on 2015-10-13.}}<br />
<br />
Alternatively, edit the file {{ic|/var/lib/AccountsService/users/gdm}} and change the language line using the correct UTF-8 value for your language. You should see something similar to the text below:<br />
<br />
{{hc|1=/var/lib/AccountsService/users/gdm|<br />
2=[User]<br />
Language=fr_FR.UTF-8<br />
XSession=<br />
SystemAccount=true}}<br />
<br />
Now just reboot your computer.<br />
<br />
Once you have rebooted, if you look at the {{ic|/var/lib/AccountsService/users/gdm}} file again, you will see that the language line is cleared — do not worry, the language change has been preserved.<br />
<br />
=== Automatic login ===<br />
<br />
To enable automatic login with GDM, add the following to {{ic|/etc/gdm/custom.conf}} (replace ''username'' with your own):<br />
<br />
{{hc|1=/etc/gdm/custom.conf|<br />
2=# Enable automatic login for user<br />
[daemon]<br />
AutomaticLogin=''username''<br />
AutomaticLoginEnable=True<br />
}}<br />
<br />
{{Tip|If GDM fails after adding these lines, comment them out from a TTY.}}<br />
<br />
or for an automatic login with a delay:<br />
<br />
{{hc|1=/etc/gdm/custom.conf|<br />
2=[daemon]<br />
<br />
TimedLoginEnable=true<br />
TimedLogin=''username''<br />
TimedLoginDelay=1<br />
}}<br />
<br />
=== Passwordless login ===<br />
<br />
If you want to bypass the password prompt in GDM then simply add the following line on the first line of {{ic|/etc/pam.d/gdm-password}}:<br />
<br />
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin<br />
<br />
Then, add the group {{ic|nopasswdlogin}} to your system. See [[Groups]] for group descriptions and group management commands.<br />
<br />
Now, add your user to the {{ic|nopasswdlogin}} group and you will only have to click on your username to login.<br />
<br />
{{Warning|<br />
<br />
* Do '''not''' do this for a '''root''' account.<br />
* You won't be able to change your session type at login with GDM anymore. If you want to change your default session type, you will first need to remove your user from the {{ic|nopasswdlogin}} group.}}<br />
<br />
=== Passwordless shutdown for multiple sessions ===<br />
<br />
GDM uses polkit and logind to gain permissions for shutdown. You can shutdown the system when multiple users are logged in by setting:<br />
<br />
{{hc|1=/etc/polkit-1/localauthority.conf.d/org.freedesktop.logind.policy|<br />
2=<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE policyconfig PUBLIC<br />
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"<br />
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"><br />
<br />
<!-- <br />
Policy definitions for logind<br />
--><br />
<br />
<policyconfig><br />
<br />
<action id="org.freedesktop.login1.power-off-multiple-sessions"><br />
<description>Shutdown the system when multiple users are logged in</description><br />
<message>System policy prevents shutting down the system when other users are logged in</message><br />
<defaults><br />
<allow_inactive>yes</allow_inactive><br />
<allow_active>yes</allow_active><br />
</defaults><br />
</action><br />
<br />
</policyconfig><br />
}}<br />
You can find all available logind options (e.g. reboot-multiple-sessions) [http://www.freedesktop.org/wiki/Software/systemd/logind#Security here].<br />
<br />
=== Add or edit GDM sessions ===<br />
<br />
Each session is a {{ic|.desktop}} file located at {{ic|/usr/share/xsessions/}}.<br />
<br />
'''To add a new session:'''<br />
<br />
1. Copy an existing {{ic|.desktop}} file to use as a template for a new session:<br />
$ cd /usr/share/xsessions<br />
# cp gnome.desktop other.desktop<br />
2. Modify the template {{ic|.desktop}} file to open the required window manager:<br />
# nano other.desktop<br />
<br />
If you happen to have KDM installed in parallel, you can alternatively open the new session in KDM which will create the new {{ic|.desktop}} file. Then return to using GDM and the new session will be available.<br />
<br />
See also [[Display manager#Session list]].<br />
<br />
=== Enable root login in GDM ===<br />
<br />
It is not advised to login as root, but if necessary you can edit {{ic|/etc/pam.d/gdm-password}} and add the following line before the line {{ic|auth required pam_deny.so}}:<br />
<br />
{{ic|/etc/pam.d/gdm-password}}<br />
<br />
auth sufficient pam_succeed_if.so uid eq 0 quiet<br />
<br />
The file should look something like this:<br />
<br />
{{ic|/etc/pam.d/gdm-password}}<br />
<br />
...<br />
auth sufficient pam_succeed_if.so uid eq 0 quiet<br />
auth sufficient pam_succeed_if.so uid >= 1000 quiet<br />
auth required pam_deny.so<br />
...<br />
<br />
You should be able to login as root after restarting GDM.<br />
<br />
=== Hide user from login list ===<br />
<br />
The users for the gdm user list are gathered by accountsservice. It will automatically hide system users (UID < 1000).<br />
To hide ordinary users from the login list create or edit a file named after the user to hide in {{ic|/var/lib/AccountsService/users/}} to contain at least:<br />
{{hc|/var/lib/AccountsService/users/<nowiki><username></nowiki>|<br />
[User]<br />
<nowiki>SystemAccount=true</nowiki>}}<br />
<br />
=== Rotate login screen ===<br />
<br />
If you have your monitors setup as you like (orientation, primary and so on) in {{ic|~/.config/monitors.xml}} and want GDM to honor those settings:<br />
<br />
# cp ~/.config/monitors.xml /var/lib/gdm/.config/monitors.xml<br />
<br />
Changes will take effect on logout. This is necessary because GDM does not respect {{ic|xorg.conf}}.<br />
<br />
{{Note|Wayland backend may be [https://bbs.archlinux.org/viewtopic.php?id&#61;196219 ignoring] {{ic|/var/lib/gdm/.config/monitors.xml}} file. See [[#Use Xorg backend]] to learn how to disable Wayland backend.}}<br />
<br />
=== xrandr at login ===<br />
<br />
If you want to run a script using xrandr that affects the login screen you must add a script in {{ic|/etc/X11/xinit/xinitrc.d}}.<br />
<br />
For example, to select automatically a external screen connected through HDMI:<br />
<br />
{{bc|<nowiki><br />
#!/bin/sh<br />
EXTERNAL_OUTPUT="HDMI1"<br />
INTERNAL_OUTPUT="eDP1"<br />
if (xrandr | grep $EXTERNAL_OUTPUT | grep " connected "); then<br />
xrandr --output $INTERNAL_OUTPUT --off --output $EXTERNAL_OUTPUT --auto<br />
else<br />
xrandr --output $INTERNAL_OUTPUT --auto<br />
fi<br />
</nowiki>}}<br />
<br />
=== Configure X server access permission ===<br />
<br />
You can use the {{ic|xhost}} command to configure X server access permissions.<br />
<br />
For instance, to grant GDM the right to access the X server, use the following command:<br />
<br />
{{bc|# xhost +SI:localuser:gdm}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Failure to start with AMD Catalyst driver ===<br />
Downgrade the {{pkg|xorg-server}} package or try to use another [[display manager]] like [[LightDM]].<br />
<br />
=== Failure on logout ===<br />
<br />
If GDM starts up properly on boot, but fails after repeated attempts on logout, try adding this line to the daemon section of {{ic|/etc/gdm/custom.conf}}:<br />
<br />
GdmXserverTimeout=60<br />
<br />
=== Xorg 1.16 ===<br />
<br />
See [[Xorg#Rootless Xorg (v1.16)]].<br />
<br />
=== Use Xorg backend ===<br />
<br />
The [[Wayland]] backend is used by default and the [[Xorg]] backend is used only if the Wayland backend cannot be started. As the Wayland backend has been [https://bugzilla.redhat.com/show_bug.cgi?id=1199890 reported] to cause problems for some users, use of the Xorg backend may be necessary. To use the Xorg backend by default, edit the {{ic|/etc/gdm/custom.conf}} file and uncomment the following line:<br />
#WaylandEnable=false<br />
<br />
=== Incomplete removal of gdm ===<br />
<br />
After removing gdm (say it was a build dependancy), systemd may report the following:<br />
<br />
user 'gdm': directory '/var/lib/gdm' does not exist<br />
<br />
To remove this warning, login as root and delete the primary user "gdm" and then delete the group "gdm":<br />
<br />
#userdel gdm<br />
#groupdel gdm<br />
<br />
Verify that gdm is successfully removed via {{ic|pwck}} and {{ic|grpck}}. To round it off, you may want to double-check no [[Pacman/Tips_and_tricks#Identify_files_not_owned_by_any_package|unowned files]] for gdm remain.<br />
<br />
== See also ==<br />
<br />
* [https://help.gnome.org/admin/gdm/stable/index.html.en GDM Reference Manual]</div>Zutro007https://wiki.archlinux.org/index.php?title=One_Time_PassWord_(%C4%8Ce%C5%A1tina)&diff=420013One Time PassWord (Čeština)2016-02-11T10:47:46Z<p>Zutro007: </p>
<hr />
<div>[[Category:Secure Shell (Česky)]]<br />
[[cs:One Time PassWord]]<br />
[[en:One Time PassWord]]<br />
[[ja:One Time PassWord]]<br />
{{Related articles start}}<br />
{{Related|Secure Shell}}<br />
{{Related|S/KEY Authentication}}<br />
{{Related|Pam abl}}<br />
{{Related|Google Authenticator}}<br />
{{Related articles end}}<br />
'''One Time PassWord''' ('''OTPW''') je PAM modul, který zprostředkuje použití hesel "na jedno použití" k přihlášení do systému. Tohle se hodí zejména v kontextu Secure shell, a to umožnění přihlášení z veřejných nebo sdílených počítačů, za pomoci jednorázových hesel, které nebudou nikdy fungovat znova.<br />
<br />
Instrukce pro instalaci OTPW a konfiguraci SSH používat OTPW k přihlášení jsou níže.<br />
== Instalace ==<br />
Instalujte {{AUR|otpw}} balíček z AUR.<br />
<br />
== Konfigurace pro ssh přihlášení ==<br />
=== PAM Konfigurace ===<br />
Vytvořte PAM konfigurační soubor pro otpw:<br />
{{hc|/etc/pam.d/ssh-otpw|<br />
auth sufficient pam_otpw.so<br />
session optional pam_otpw.so<br />
}}<br />
<br />
Dále upravte PAM kofigurační soubor pro ssh aby zahrnul otpw. Pokud chcete zakázat statické heslo zakomentujte druhý tučný řádek.Zde je upravená verze {{ic|/etc/pam.d/sshd}} jako vzor:<br />
{{hc|/etc/pam.d/sshd|<br />
#%PAM-1.0<br />
#auth required pam_securetty.so #zakázat vzdálený root<br />
<br />
'''auth include ssh-otpw'''<br />
'''#auth include system-remote-login #POZNÁMKA:Toto musí být zneplatněno pro zakázání přihlášní heslem.'''<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
}}<br />
<br />
=== sshd Configuration ===<br />
OTPW používá interaktivní přihlášení pro SHH připojení, které je povoleno přidáním těchto řádek do {{ic|/etc/ssh/sshd_config}}:<br />
UsePAM yes<br />
UsePrivilegeSeparation yes<br />
ChallengeResponseAuthentication yes<br />
<br />
{{Note | Ujistěte se, že nepřidáte nadbytečnou nebo konfliktní řádky konfigurace do {{ic|/etc/ssh/sshd_config}}! Například buďte si jistí že tam nejsou dva řádky s UsePAM directivou,atp. }}<br />
<br />
Pokud si přejete používat také statická hesla, ujistěte se, že obsahuje řádek jako tento:<br />
<!--If you wish to allow static password logins as well, ensure {{ic|/etc/ssh/sshd_config}} contains a line like this:<br />
PasswordAuthentication yes<br />
Otherwise, set it to '''no'''. See the above info on editing {{ic|/etc/pam.d/sshd}} to fully disable static password auth, as PAM will otherwise allow a static password if OTPW fails (e.g. when a user runs out of passwords). <br />
<br />
If you allow password authentication, then after failing one authentication method, ssh clients will fall back to the other. Note that by default, ssh allows you three attempts at a password per login method.<br />
<br />
=== OTPW Configuration ===<br />
OTPW is configured independently for each user account. If a given account does not have OTPW configured, that account will simply use a static password as usual. To configure OTPW for an account, run as that user:<br />
$ otpw-gen > ~/otpw_passwords<br />
<br />
{{Ic|otpw-gen}} will ask for a password prefix, which must be typed at the beginning of all otpw passwords. This is to ensure that if someone else gets your OTPW list, they can't use it to login to your account without knowing your prefix.<br />
<br />
After running the above command, there should be a file in the user's home directory called {{Ic|otpw_passwords}} which contains all of the user's OTPW passwords. There will also be a file {{Ic|~/.otpw}} which contains the password hashes. {{Ic|otpw_passwords}} can be printed and referenced when logging in.<br />
<br />
== Usage ==<br />
After completing the configuration above, ssh should use OTPW automatically for users who have it configured. An OTPW login prompt looks like so:<br />
Password 041: <br />
To log in, simply look up password 41 in your {{Ic|otpw_passwords}} list, for example:<br />
041 lYr0 g7QR<br />
And type in your prefix followed by both halves of the password. The space is provided for readability and may or may not be included in the typed password. Do not enter a space between the prefix and the single-use password.<br />
<br />
To specify to the ssh client which login method you would like to use, add {{Ic|1=-o PreferredAuthentication=keyboard-interactive}} to use OTPW, or {{Ic|1=-o PreferredAuthentication=password}} for static passwords. These options can also be specified in {{ic|~/.ssh/config}} per-server.<br />
<br />
To prevent someone from shoulder-surfing your OTPW and quickly using it to login to your account before you login, OTPW requires a concurrent login to enter three passwords instead of just one. This will usually not be an issue, but if OTPW should give a prompt like this:<br />
Password 072/251/152: <br />
Then simply enter your prefix, and the three requested passwords in the order they are requested in. When a login is initiated, OTPW creates a file {{Ic|~/.otpw.lock}} to detect concurrent logins. If a second login is initiated when this file exists, OTPW will request the three passwords.<br />
<br />
{{Note |1= Due to a [https://bugzilla.mindrot.org/show_bug.cgi?id=632 bug] in the way OpenSSH calls PAM, the {{Ic|~/.otpw.lock}} file will not be deleted if the user cancels an SSH login using Ctrl-C or the like, and OTPW will always ask for triple passwords after this. The bug is marked as fixed, but it still affects me. As a workaround, one may simply delete the lock file manually, and OTPW will resume normal single-password requests.}}--></div>Zutro007https://wiki.archlinux.org/index.php?title=One_Time_PassWord_(%C4%8Ce%C5%A1tina)&diff=420008One Time PassWord (Čeština)2016-02-11T09:49:25Z<p>Zutro007: /* sshd Configuration */</p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[cs:One Time PassWord]]<br />
[[ja:One Time PassWord]]<br />
{{Related articles start}}<br />
{{Related|Secure Shell}}<br />
{{Related|S/KEY Authentication}}<br />
{{Related|Pam abl}}<br />
{{Related|Google Authenticator}}<br />
{{Related articles end}}<br />
<br />
<br />
'''One Time PassWord''' ('''OTPW''') je PAM modul, který zprostředkuje použití hesel "na jedno použití" k přihlášení do systému. Tohle se hodí zejména v kontextu Secure shell, a to umožnění přihlášení z veřejných nebo sdílených počítačů, za pomoci jednorázových hesel, které nebudou nikdy fungovat znova.<br />
<br />
Instrukce pro instalaci OTPW a konfiguraci SSH používat OTPW k přihlášení jsou níže.<br />
== Instalace ==<br />
Instalujte {{AUR|otpw}} balíček z AUR.<br />
<br />
== Konfigurace pro ssh přihlášení ==<br />
=== PAM Konfigurace ===<br />
Vytvořte PAM konfigurační soubor pro otpw:<br />
{{hc|/etc/pam.d/ssh-otpw|<br />
auth sufficient pam_otpw.so<br />
session optional pam_otpw.so<br />
}}<br />
<br />
Dále upravte PAM kofigurační soubor pro ssh aby zahrnul otpw. Pokud chcete zakázat statické heslo zakomentujte druhý tučný řádek.Zde je upravená verze {{ic|/etc/pam.d/sshd}} jako vzor:<br />
{{hc|/etc/pam.d/sshd|<br />
#%PAM-1.0<br />
#auth required pam_securetty.so #zakázat vzdálený root<br />
<br />
'''auth include ssh-otpw'''<br />
'''#auth include system-remote-login #POZNÁMKA:Toto musí být zneplatněno pro zakázání přihlášní heslem.'''<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
}}<br />
<br />
=== sshd Configuration ===<br />
OTPW používá interaktivní přihlášení pro SHH připojení, které je povoleno přidáním těchto řádek do {{ic|/etc/ssh/sshd_config}}:<br />
UsePAM yes<br />
UsePrivilegeSeparation yes<br />
ChallengeResponseAuthentication yes<br />
<br />
{{Note | Ujistěte se, že nepřidáte nadbytečnou nebo konfliktní řádky konfigurace do {{ic|/etc/ssh/sshd_config}}! Například buďte si jistí že tam nejsou dva řádky s UsePAM directivou,atp. }}<br />
<br />
Pokud si přejete používat také statická hesla, ujistěte se, že obsahuje řádek jako tento:<br />
<!--If you wish to allow static password logins as well, ensure {{ic|/etc/ssh/sshd_config}} contains a line like this:<br />
PasswordAuthentication yes<br />
Otherwise, set it to '''no'''. See the above info on editing {{ic|/etc/pam.d/sshd}} to fully disable static password auth, as PAM will otherwise allow a static password if OTPW fails (e.g. when a user runs out of passwords). <br />
<br />
If you allow password authentication, then after failing one authentication method, ssh clients will fall back to the other. Note that by default, ssh allows you three attempts at a password per login method.<br />
<br />
=== OTPW Configuration ===<br />
OTPW is configured independently for each user account. If a given account does not have OTPW configured, that account will simply use a static password as usual. To configure OTPW for an account, run as that user:<br />
$ otpw-gen > ~/otpw_passwords<br />
<br />
{{Ic|otpw-gen}} will ask for a password prefix, which must be typed at the beginning of all otpw passwords. This is to ensure that if someone else gets your OTPW list, they can't use it to login to your account without knowing your prefix.<br />
<br />
After running the above command, there should be a file in the user's home directory called {{Ic|otpw_passwords}} which contains all of the user's OTPW passwords. There will also be a file {{Ic|~/.otpw}} which contains the password hashes. {{Ic|otpw_passwords}} can be printed and referenced when logging in.<br />
<br />
== Usage ==<br />
After completing the configuration above, ssh should use OTPW automatically for users who have it configured. An OTPW login prompt looks like so:<br />
Password 041: <br />
To log in, simply look up password 41 in your {{Ic|otpw_passwords}} list, for example:<br />
041 lYr0 g7QR<br />
And type in your prefix followed by both halves of the password. The space is provided for readability and may or may not be included in the typed password. Do not enter a space between the prefix and the single-use password.<br />
<br />
To specify to the ssh client which login method you would like to use, add {{Ic|1=-o PreferredAuthentication=keyboard-interactive}} to use OTPW, or {{Ic|1=-o PreferredAuthentication=password}} for static passwords. These options can also be specified in {{ic|~/.ssh/config}} per-server.<br />
<br />
To prevent someone from shoulder-surfing your OTPW and quickly using it to login to your account before you login, OTPW requires a concurrent login to enter three passwords instead of just one. This will usually not be an issue, but if OTPW should give a prompt like this:<br />
Password 072/251/152: <br />
Then simply enter your prefix, and the three requested passwords in the order they are requested in. When a login is initiated, OTPW creates a file {{Ic|~/.otpw.lock}} to detect concurrent logins. If a second login is initiated when this file exists, OTPW will request the three passwords.<br />
<br />
{{Note |1= Due to a [https://bugzilla.mindrot.org/show_bug.cgi?id=632 bug] in the way OpenSSH calls PAM, the {{Ic|~/.otpw.lock}} file will not be deleted if the user cancels an SSH login using Ctrl-C or the like, and OTPW will always ask for triple passwords after this. The bug is marked as fixed, but it still affects me. As a workaround, one may simply delete the lock file manually, and OTPW will resume normal single-password requests.}}--></div>Zutro007https://wiki.archlinux.org/index.php?title=One_Time_PassWord_(%C4%8Ce%C5%A1tina)&diff=420007One Time PassWord (Čeština)2016-02-11T09:47:40Z<p>Zutro007: </p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[cs:One Time PassWord]]<br />
[[ja:One Time PassWord]]<br />
{{Related articles start}}<br />
{{Related|Secure Shell}}<br />
{{Related|S/KEY Authentication}}<br />
{{Related|Pam abl}}<br />
{{Related|Google Authenticator}}<br />
{{Related articles end}}<br />
<br />
<br />
'''One Time PassWord''' ('''OTPW''') je PAM modul, který zprostředkuje použití hesel "na jedno použití" k přihlášení do systému. Tohle se hodí zejména v kontextu Secure shell, a to umožnění přihlášení z veřejných nebo sdílených počítačů, za pomoci jednorázových hesel, které nebudou nikdy fungovat znova.<br />
<br />
Instrukce pro instalaci OTPW a konfiguraci SSH používat OTPW k přihlášení jsou níže.<br />
== Instalace ==<br />
Instalujte {{AUR|otpw}} balíček z AUR.<br />
<br />
== Konfigurace pro ssh přihlášení ==<br />
=== PAM Konfigurace ===<br />
Vytvořte PAM konfigurační soubor pro otpw:<br />
{{hc|/etc/pam.d/ssh-otpw|<br />
auth sufficient pam_otpw.so<br />
session optional pam_otpw.so<br />
}}<br />
<br />
Dále upravte PAM kofigurační soubor pro ssh aby zahrnul otpw. Pokud chcete zakázat statické heslo zakomentujte druhý tučný řádek.Zde je upravená verze {{ic|/etc/pam.d/sshd}} jako vzor:<br />
{{hc|/etc/pam.d/sshd|<br />
#%PAM-1.0<br />
#auth required pam_securetty.so #zakázat vzdálený root<br />
<br />
'''auth include ssh-otpw'''<br />
'''#auth include system-remote-login #POZNÁMKA:Toto musí být zneplatněno pro zakázání přihlášní heslem.'''<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
}}<br />
<br />
=== sshd Configuration ===<br />
OTPW používá interaktivní přihlášení pro SHH připojení, které jsou povolení přidáním těchto řádek do {{ic|/etc/ssh/sshd_config}}:<br />
UsePAM yes<br />
UsePrivilegeSeparation yes<br />
ChallengeResponseAuthentication yes<br />
<br />
{{Note | Ujistěte se, že nepřidáte nadbytečnou nebo konfliktní řádky konfigurace do {{ic|/etc/ssh/sshd_config}}! Například buďte si jistí že tam nejsou dva řádky s UsePAM directivou,atp. }}<br />
<br />
Pokud si přejete používat také statická hesla, ujistěte se, že obsahuje řádek jako tento:<br />
<!--If you wish to allow static password logins as well, ensure {{ic|/etc/ssh/sshd_config}} contains a line like this:<br />
PasswordAuthentication yes<br />
Otherwise, set it to '''no'''. See the above info on editing {{ic|/etc/pam.d/sshd}} to fully disable static password auth, as PAM will otherwise allow a static password if OTPW fails (e.g. when a user runs out of passwords). <br />
<br />
If you allow password authentication, then after failing one authentication method, ssh clients will fall back to the other. Note that by default, ssh allows you three attempts at a password per login method.<br />
<br />
=== OTPW Configuration ===<br />
OTPW is configured independently for each user account. If a given account does not have OTPW configured, that account will simply use a static password as usual. To configure OTPW for an account, run as that user:<br />
$ otpw-gen > ~/otpw_passwords<br />
<br />
{{Ic|otpw-gen}} will ask for a password prefix, which must be typed at the beginning of all otpw passwords. This is to ensure that if someone else gets your OTPW list, they can't use it to login to your account without knowing your prefix.<br />
<br />
After running the above command, there should be a file in the user's home directory called {{Ic|otpw_passwords}} which contains all of the user's OTPW passwords. There will also be a file {{Ic|~/.otpw}} which contains the password hashes. {{Ic|otpw_passwords}} can be printed and referenced when logging in.<br />
<br />
== Usage ==<br />
After completing the configuration above, ssh should use OTPW automatically for users who have it configured. An OTPW login prompt looks like so:<br />
Password 041: <br />
To log in, simply look up password 41 in your {{Ic|otpw_passwords}} list, for example:<br />
041 lYr0 g7QR<br />
And type in your prefix followed by both halves of the password. The space is provided for readability and may or may not be included in the typed password. Do not enter a space between the prefix and the single-use password.<br />
<br />
To specify to the ssh client which login method you would like to use, add {{Ic|1=-o PreferredAuthentication=keyboard-interactive}} to use OTPW, or {{Ic|1=-o PreferredAuthentication=password}} for static passwords. These options can also be specified in {{ic|~/.ssh/config}} per-server.<br />
<br />
To prevent someone from shoulder-surfing your OTPW and quickly using it to login to your account before you login, OTPW requires a concurrent login to enter three passwords instead of just one. This will usually not be an issue, but if OTPW should give a prompt like this:<br />
Password 072/251/152: <br />
Then simply enter your prefix, and the three requested passwords in the order they are requested in. When a login is initiated, OTPW creates a file {{Ic|~/.otpw.lock}} to detect concurrent logins. If a second login is initiated when this file exists, OTPW will request the three passwords.<br />
<br />
{{Note |1= Due to a [https://bugzilla.mindrot.org/show_bug.cgi?id=632 bug] in the way OpenSSH calls PAM, the {{Ic|~/.otpw.lock}} file will not be deleted if the user cancels an SSH login using Ctrl-C or the like, and OTPW will always ask for triple passwords after this. The bug is marked as fixed, but it still affects me. As a workaround, one may simply delete the lock file manually, and OTPW will resume normal single-password requests.}}--></div>Zutro007https://wiki.archlinux.org/index.php?title=One_Time_PassWord_(%C4%8Ce%C5%A1tina)&diff=420005One Time PassWord (Čeština)2016-02-11T07:35:53Z<p>Zutro007: Czech translation Phase 1</p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[cs:One Time PassWord]]<br />
[[ja:One Time PassWord]]<br />
{{Related articles start}}<br />
{{Related|Secure Shell}}<br />
{{Related|S/KEY Authentication}}<br />
{{Related|Pam abl}}<br />
{{Related|Google Authenticator}}<br />
{{Related articles end}}<br />
<!--<br />
<br />
'''One Time PassWord''' ('''OTPW''') je PAM modul, který zprostředkuje použití hesel "na jedno použití" k přihlášení do systému. Tohle se hodí zejména v kontextu Secure shell, a to umožnění přihlášení z veřejných nebo sdílených počítačů, za pomoci jednorázových hesel, které nebudou nikdy fungovat znova.<br />
<br />
Instrukce pro instalaci OTPW a konfiguraci SSH používat OTPW k přihlášení jsou níže.<br />
== Instalace ==<br />
Instalujte {{AUR|otpw}} balíček z AUR.<br />
<br />
== Konfigurace pro ssh přihlášení ==<br />
=== PAM Konfigurace ===<br />
Vytvořte PAM konfigurační soubor pro otpw:<br />
{{hc|/etc/pam.d/ssh-otpw|<br />
auth sufficient pam_otpw.so<br />
session optional pam_otpw.so<br />
}}<br />
<br />
Dále upravte PAM kofigurační soubor pro ssh aby zahrnul otpw. Pokud chcete zakázat statické heslo zakomentujte druhý tučný řádek.Zde je upravená verze {{ic|/etc/pam.d/sshd}} jako vzor:<br />
{{hc|/etc/pam.d/sshd|<br />
#%PAM-1.0<br />
#auth required pam_securetty.so #zakázat vzdálený root<br />
<br />
'''auth include ssh-otpw'''<br />
'''#auth include system-remote-login #POZNÁMKA:Toto musí být zneplatněno pro zakázání přihlášní heslem.'''<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
}}<br />
<br />
=== sshd Configuration ===<br />
OTPW používá interaktivní přihlášení pro SHH připojení, které jsou povolení přidáním těchto řádek do {{ic|/etc/ssh/sshd_config}}:<br />
UsePAM yes<br />
UsePrivilegeSeparation yes<br />
ChallengeResponseAuthentication yes<br />
<br />
{{Note | Ujistěte se, že nepřidáte nadbytečnou nebo konfliktní řádky konfigurace do {{ic|/etc/ssh/sshd_config}}! Například buďte si jistí že tam nejsou dva řádky s UsePAM directivou,atp. }}<br />
<br />
Pokud si přejete používat také statická hesla, ujistěte se, že obsahuje řádek jako tento:<br />
If you wish to allow static password logins as well, ensure {{ic|/etc/ssh/sshd_config}} contains a line like this:<br />
PasswordAuthentication yes<br />
Otherwise, set it to '''no'''. See the above info on editing {{ic|/etc/pam.d/sshd}} to fully disable static password auth, as PAM will otherwise allow a static password if OTPW fails (e.g. when a user runs out of passwords). <br />
<br />
If you allow password authentication, then after failing one authentication method, ssh clients will fall back to the other. Note that by default, ssh allows you three attempts at a password per login method.<br />
<br />
=== OTPW Configuration ===<br />
OTPW is configured independently for each user account. If a given account does not have OTPW configured, that account will simply use a static password as usual. To configure OTPW for an account, run as that user:<br />
$ otpw-gen > ~/otpw_passwords<br />
<br />
{{Ic|otpw-gen}} will ask for a password prefix, which must be typed at the beginning of all otpw passwords. This is to ensure that if someone else gets your OTPW list, they can't use it to login to your account without knowing your prefix.<br />
<br />
After running the above command, there should be a file in the user's home directory called {{Ic|otpw_passwords}} which contains all of the user's OTPW passwords. There will also be a file {{Ic|~/.otpw}} which contains the password hashes. {{Ic|otpw_passwords}} can be printed and referenced when logging in.<br />
<br />
== Usage ==<br />
After completing the configuration above, ssh should use OTPW automatically for users who have it configured. An OTPW login prompt looks like so:<br />
Password 041: <br />
To log in, simply look up password 41 in your {{Ic|otpw_passwords}} list, for example:<br />
041 lYr0 g7QR<br />
And type in your prefix followed by both halves of the password. The space is provided for readability and may or may not be included in the typed password. Do not enter a space between the prefix and the single-use password.<br />
<br />
To specify to the ssh client which login method you would like to use, add {{Ic|1=-o PreferredAuthentication=keyboard-interactive}} to use OTPW, or {{Ic|1=-o PreferredAuthentication=password}} for static passwords. These options can also be specified in {{ic|~/.ssh/config}} per-server.<br />
<br />
To prevent someone from shoulder-surfing your OTPW and quickly using it to login to your account before you login, OTPW requires a concurrent login to enter three passwords instead of just one. This will usually not be an issue, but if OTPW should give a prompt like this:<br />
Password 072/251/152: <br />
Then simply enter your prefix, and the three requested passwords in the order they are requested in. When a login is initiated, OTPW creates a file {{Ic|~/.otpw.lock}} to detect concurrent logins. If a second login is initiated when this file exists, OTPW will request the three passwords.<br />
<br />
{{Note |1= Due to a [https://bugzilla.mindrot.org/show_bug.cgi?id=632 bug] in the way OpenSSH calls PAM, the {{Ic|~/.otpw.lock}} file will not be deleted if the user cancels an SSH login using Ctrl-C or the like, and OTPW will always ask for triple passwords after this. The bug is marked as fixed, but it still affects me. As a workaround, one may simply delete the lock file manually, and OTPW will resume normal single-password requests.}}</div>Zutro007https://wiki.archlinux.org/index.php?title=One_Time_PassWord&diff=419997One Time PassWord2016-02-11T06:52:21Z<p>Zutro007: Added a cs version of this page</p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[cs:One Time PassWord]]<br />
[[ja:One Time PassWord]]<br />
{{Related articles start}}<br />
{{Related|Secure Shell}}<br />
{{Related|S/KEY Authentication}}<br />
{{Related|Pam abl}}<br />
{{Related|Google Authenticator}}<br />
{{Related articles end}}<br />
<br />
'''One Time PassWord''' ('''OTPW''') is a PAM module allowing single-use passwords to login to a system. This is especially useful in the context of Secure Shell, allowing a user to login from a public or shared computer using a single-use password which will never work again.<br />
<br />
Instructions for installing OTPW and configuring SSH to allow OTPW logins are below.<br />
<br />
== Installation ==<br />
Install the {{AUR|otpw}} package from the AUR.<br />
<br />
== Configuration for SSH Logins ==<br />
=== PAM Configuration ===<br />
Create a PAM configuration file for otpw:<br />
{{hc|/etc/pam.d/ssh-otpw|<br />
auth sufficient pam_otpw.so<br />
session optional pam_otpw.so<br />
}}<br />
<br />
Next, modify sshd's PAM configuration to include otpw. If you are disabling static password auth, comment out the 2nd bold line. Here is the modified {{ic|/etc/pam.d/sshd}} for reference:<br />
{{hc|/etc/pam.d/sshd|<br />
#%PAM-1.0<br />
#auth required pam_securetty.so #disable remote root<br />
<br />
'''auth include ssh-otpw'''<br />
'''#auth include system-remote-login #NOTE: This must be disabled to completely disable password logins.'''<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
}}<br />
<br />
=== sshd Configuration ===<br />
OTPW uses Keyboard-Interactive logins for SSH sessions, which are enabled by adding these lines to {{ic|/etc/ssh/sshd_config}}:<br />
UsePAM yes<br />
UsePrivilegeSeparation yes<br />
ChallengeResponseAuthentication yes<br />
<br />
{{Note | Make sure not to add redundant or conflicting configuration lines to {{ic|/etc/ssh/sshd_config}}! For instance, make sure there are not two UsePAM lines, etc.}}<br />
<br />
If you wish to allow static password logins as well, ensure {{ic|/etc/ssh/sshd_config}} contains a line like this:<br />
PasswordAuthentication yes<br />
Otherwise, set it to '''no'''. See the above info on editing {{ic|/etc/pam.d/sshd}} to fully disable static password auth, as PAM will otherwise allow a static password if OTPW fails (e.g. when a user runs out of passwords). <br />
<br />
If you allow password authentication, then after failing one authentication method, ssh clients will fall back to the other. Note that by default, ssh allows you three attempts at a password per login method.<br />
<br />
=== OTPW Configuration ===<br />
OTPW is configured independently for each user account. If a given account does not have OTPW configured, that account will simply use a static password as usual. To configure OTPW for an account, run as that user:<br />
$ otpw-gen > ~/otpw_passwords<br />
<br />
{{Ic|otpw-gen}} will ask for a password prefix, which must be typed at the beginning of all otpw passwords. This is to ensure that if someone else gets your OTPW list, they can't use it to login to your account without knowing your prefix.<br />
<br />
After running the above command, there should be a file in the user's home directory called {{Ic|otpw_passwords}} which contains all of the user's OTPW passwords. There will also be a file {{Ic|~/.otpw}} which contains the password hashes. {{Ic|otpw_passwords}} can be printed and referenced when logging in.<br />
<br />
== Usage ==<br />
After completing the configuration above, ssh should use OTPW automatically for users who have it configured. An OTPW login prompt looks like so:<br />
Password 041: <br />
To log in, simply look up password 41 in your {{Ic|otpw_passwords}} list, for example:<br />
041 lYr0 g7QR<br />
And type in your prefix followed by both halves of the password. The space is provided for readability and may or may not be included in the typed password. Do not enter a space between the prefix and the single-use password.<br />
<br />
To specify to the ssh client which login method you would like to use, add {{Ic|1=-o PreferredAuthentication=keyboard-interactive}} to use OTPW, or {{Ic|1=-o PreferredAuthentication=password}} for static passwords. These options can also be specified in {{ic|~/.ssh/config}} per-server.<br />
<br />
To prevent someone from shoulder-surfing your OTPW and quickly using it to login to your account before you login, OTPW requires a concurrent login to enter three passwords instead of just one. This will usually not be an issue, but if OTPW should give a prompt like this:<br />
Password 072/251/152: <br />
Then simply enter your prefix, and the three requested passwords in the order they are requested in. When a login is initiated, OTPW creates a file {{Ic|~/.otpw.lock}} to detect concurrent logins. If a second login is initiated when this file exists, OTPW will request the three passwords.<br />
<br />
{{Note |1= Due to a [https://bugzilla.mindrot.org/show_bug.cgi?id=632 bug] in the way OpenSSH calls PAM, the {{Ic|~/.otpw.lock}} file will not be deleted if the user cancels an SSH login using Ctrl-C or the like, and OTPW will always ask for triple passwords after this. The bug is marked as fixed, but it still affects me. As a workaround, one may simply delete the lock file manually, and OTPW will resume normal single-password requests.}}</div>Zutro007