Configuring One-Time Password Authentication with OTPW

Password authentication contains a lot of assumptions about security and trust. Encrypted SSH tunnels and public key verification are two common ways to ensure that your password is not compromised in transit. But, what if it's the computer you're currently typing on that can't be trusted?

This isn't just a tinfoil-hat scenario for paranoid penguinistas. There are many everyday situations and common locations where you probably should not use your system password, even over a secure tunnel. Examples include:

  • A public computer in a hotel, library or Internet café.

  • A coworker's virus-infested computer.

  • A shared workstation while pair-programming.

  • Any place someone could watch you type in your password.

What do all these examples have in common? Essentially, that you're trying to connect to a trusted destination from an untrusted source. This is a complete reversal of what most authentication systems were designed to address.

Take public key authentication. SSH public key authentication certainly bypasses the password prompt on the remote host, but it still requires you to trust the local machine with your private key password. In addition, once the key is decrypted with your password, the local system has full access to the sensitive key material inside.

Uh-oh—luckily, there's already a solution for this frequently overlooked problem: one-time passwords.

The combination of SSH and one-time passwords is powerful:

  • The SSH protocol provides encryption of the login sequence across the network.

  • A good SSH client allows you to inspect the remote host's public key fingerprint before entering your credentials. This prevents a rogue host from collecting your one-time passwords.

  • The one-time password system ensures that a password can't be reused. So, even if the password is captured in transit, it's worthless to an attacker once you've logged in with it.

A number of one-time password solutions are available for UNIX-like systems. The two most well-known are S/KEY and OPIE (One-Time Passwords in Everything).

With the recent removal of OPIE from the Debian and Ubuntu repositories, the OTPW one-time password system created by Markus Kuhn provides a viable alternative. Although not a drop-in replacement for OPIE, OTPW offers comparable functionality while providing some interesting features not found in either S/KEY or OPIE.

OPIE Removal from Debian and Ubuntu Repositories

Debian began removing OPIE-related packages in early 2011, following some discussions about the security of the binaries, licensing issues and lack of upstream activity.

If you're interested in the details, the following Debian bug reports are relevant:

While the OPIE packages remain in the current Debian stable release at the time of this writing (code-named "Squeeze"), and some unofficial platform ports can be found in the debports repository, OPIE is not available in testing or unstable, and it appears unlikely to be included in the next stable release.


Todd A. Jacobs is a veteran IT consultant with a passion for all things Linux. He spends entirely too much time making systems do things they were never designed to do.


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

hello !!!

linda99's picture

Congratulations very nice new site that allows you to see the details. I'm a fan, good luck on my part !! good luck for you
voyance gratuit

The OBD II the Actron

billwu's picture

The OBD II the Actron autoscanner is compatible with OBD II standard vehicles, light trucks, SUV and minivan. It is designed with extensive OBD II code library built-in units. Another notable feature is its sheer size, which makes it simple for owners backlit screen reading.

Configuring One-Time Password Authentication with OTPW | Linux

Bridal Boudoir Photography's picture

I ԁon't even know how I ended up here, but I thought this post was great. I don't κnow who you
are but dеfinitely уοu агe going tо a famous bloggеr if you are nοt already ;) Cheers!

Also viѕit my blоg: Bridal Boudoir Photography

Reply to comment | Linux Journal

Mark Lewis's picture

We love each other very much and it is out love that
at times I get mad when he does something dangerous like lifting something heavy, speeding on the freeway.
He gets pissed off and tells me that I over-react. I don't want to tolerate dangerous behavior and make sure that there is some consequence so that he does not repeat. (He was the only child with never any consequences to bad behavior) Unfortunately being upset/mad does not do the job. What should I do so that I can get the message across effectively?.

One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix