Configuring One-Time Password Authentication with OTPW

In particular, OTPW provides:

  • Two-factor authentication, consisting of a "prefix password" and a set of autogenerated, disposable suffixes. Even if the list of suffixes falls into the wrong hands, brute force is necessary without the prefix password.

  • Protection against certain race conditions and man-in-the-middle attacks through the use of password locks and triplet challenges.

  • Shared-filesystem support. Because OTPW checks passwords against a list of hashed values stored in a user's home directory, one password list will work for all systems mounting the same $HOME directory.

Next, I cover installing and using OTPW, with a special focus on integration with OpenSSH.

Package Installation

To make use of OTPW, you need two binaries: otpw-bin and libpam-otpw. With Debian and Ubuntu, installation is as easy as:

sudo apt-get install otpw-bin libpam-otpw

If your distribution does not provide OTPW, you can download the source directly from the author's home page. The source tarball does not use GNU autoconf, so you will need to compile and install the binaries manually in accordance with the author's instructions.

Configure PAM

The next step in preparing the system for OTPW is configuration of libpam-otpw. A full treatment of PAM is outside the scope of this article, but I cover the most common use cases here.

Changing your PAM configuration can lock you out of your workstation or server, so it's a good idea to keep your existing terminal open until you're sure that things are working correctly. If you have console access, keep a bootable distribution or rescue disk handy. See the Testing One-Time Password Authentication with SSH sidebar for more information about testing PAM over SSH.

Testing One-Time Password Authentication with SSH

If you are configuring a remote system for OTPW, you should test your PAM stack without closing your current SSH connection. Remember, if you make a mistake with your PAM configuration, you may be unable to authenticate—even with console access—so keep a bootable distribution, such as Knoppix, SystemRescueCD or Finnix handy just in case. Meanwhile, existing logins remain unaffected because they already are authenticated.

In order to test the PAM stack properly, you can't re-use your existing SSH connection. Most recent distributions support SSH multiplexing and persistent connections out of the box, so explicitly disable these options for testing.

In addition, SSH prefers public key authentication by default. So, in order to test OTPW authentication, public key authentication needs to be temporarily disabled too.

The following invocation enables accurate testing of the SSH PAM stack, without making any system changes:

read -p 'Hostname: ' REMOTE_HOST &&
  ssh \
  -o PreferredAuthentications=keyboard-interactive \
  -o ControlPersist=no \
  -o ControlPath=none \

Once you have confidence that OTPW is working correctly, you also should verify that your other authentication mechanisms (namely SSH public keys and normal system passwords) continue to work as expected.

The easiest way to enable OTPW is to put it immediately above pam_unix in your common-auth configuration file:

# /etc/pam.d/common-auth
auth       sufficient
session    optional

auth       sufficient nullok_secure
auth       required

The order of the PAM libraries is very important. When placing OTPW first, users with an ~/.otpw file are prompted for a one-time password first, allowing fallback to standard system passwords if the OTPW login fails. Users without a ~/.otpw file simply will see the standard password prompt.


Todd A. Jacobs is a veteran IT consultant with a passion for all things Linux. He spends entirely too much time making systems do things they were never designed to do.


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

hello !!!

linda99's picture

Congratulations very nice new site that allows you to see the details. I'm a fan, good luck on my part !! good luck for you
voyance gratuit

The OBD II the Actron

billwu's picture

The OBD II the Actron autoscanner is compatible with OBD II standard vehicles, light trucks, SUV and minivan. It is designed with extensive OBD II code library built-in units. Another notable feature is its sheer size, which makes it simple for owners backlit screen reading.

Configuring One-Time Password Authentication with OTPW | Linux

Bridal Boudoir Photography's picture

I ԁon't even know how I ended up here, but I thought this post was great. I don't κnow who you
are but dеfinitely уοu агe going tо a famous bloggеr if you are nοt already ;) Cheers!

Also viѕit my blоg: Bridal Boudoir Photography

Reply to comment | Linux Journal

Mark Lewis's picture

We love each other very much and it is out love that
at times I get mad when he does something dangerous like lifting something heavy, speeding on the freeway.
He gets pissed off and tells me that I over-react. I don't want to tolerate dangerous behavior and make sure that there is some consequence so that he does not repeat. (He was the only child with never any consequences to bad behavior) Unfortunately being upset/mad does not do the job. What should I do so that I can get the message across effectively?.

Geek Guide
The DevOps Toolbox

Tools and Technologies for Scale and Reliability
by Linux Journal Editor Bill Childers

Get your free copy today

Sponsored by IBM

8 Signs You're Beyond Cron

Scheduling Crontabs With an Enterprise Scheduler
On Demand
Moderated by Linux Journal Contributor Mike Diehl

Sign up and watch now

Sponsored by Skybot