One Time PassWord
One Time PassWord (OTPW) is a PAM module allowing single-use passwords to login to a system. This is especially useful in the context of Secure Shell, allowing a user to login from a public or shared computer using a single-use password which will never work again.
Instructions for installing OTPW and configuring SSH to allow OTPW logins are below.
Install theAUR package from the AUR.
Configuration for SSH Logins
Create a PAM configuration file for otpw:
auth sufficient pam_otpw.so session optional pam_otpw.so
Next, modify sshd's PAM configuration to include otpw. If you are disabling static password auth, comment out the 2nd bold line. Here is the modified
/etc/pam.d/sshd for reference:
#%PAM-1.0 #auth required pam_securetty.so #disable remote root auth include ssh-otpw #auth include system-remote-login #NOTE: This must be disabled to completely disable password logins. account include system-remote-login password include system-remote-login session include system-remote-login
OTPW uses Keyboard-Interactive logins for SSH sessions, which are enabled by adding these lines to
UsePAM yes UsePrivilegeSeparation yes ChallengeResponseAuthentication yes
/etc/ssh/sshd_config! For instance, make sure there are not two UsePAM lines, etc.
If you wish to allow static password logins as well, ensure
/etc/ssh/sshd_config contains a line like this:
Otherwise, set it to no. See the above info on editing
/etc/pam.d/sshd to fully disable static password auth, as PAM will otherwise allow a static password if OTPW fails (e.g. when a user runs out of passwords).
If you allow password authentication, then after failing one authentication method, ssh clients will fall back to the other. Note that by default, ssh allows you three attempts at a password per login method.
OTPW is configured independently for each user account. If a given account does not have OTPW configured, that account will simply use a static password as usual. To configure OTPW for an account, run as that user:
$ otpw-gen > ~/otpw_passwords
otpw-gen will ask for a password prefix, which must be typed at the beginning of all otpw passwords. This is to ensure that if someone else gets your OTPW list, they can't use it to login to your account without knowing your prefix.
After running the above command, there should be a file in the user's home directory called
otpw_passwords which contains all of the user's OTPW passwords. There will also be a file
~/.otpw which contains the password hashes.
otpw_passwords can be printed and referenced when logging in.
After completing the configuration above, ssh should use OTPW automatically for users who have it configured. An OTPW login prompt looks like so:
To log in, simply look up password 41 in your
otpw_passwords list, for example:
041 lYr0 g7QR
And type in your prefix followed by both halves of the password. The space is provided for readability and may or may not be included in the typed password. Do not enter a space between the prefix and the single-use password.
To specify to the ssh client which login method you would like to use, add
-o PreferredAuthentication=keyboard-interactive to use OTPW, or
-o PreferredAuthentication=password for static passwords. These options can also be specified in
To prevent someone from shoulder-surfing your OTPW and quickly using it to login to your account before you login, OTPW requires a concurrent login to enter three passwords instead of just one. This will usually not be an issue, but if OTPW should give a prompt like this:
Then simply enter your prefix, and the three requested passwords in the order they are requested in. When a login is initiated, OTPW creates a file
~/.otpw.lock to detect concurrent logins. If a second login is initiated when this file exists, OTPW will request the three passwords.
~/.otpw.lockfile will not be deleted if the user cancels an SSH login using Ctrl-C or the like, and OTPW will always ask for triple passwords after this. The bug is marked as fixed, but it still affects me. As a workaround, one may simply delete the lock file manually, and OTPW will resume normal single-password requests.