Configuring One-Time Password Authentication with OTPW

If you prefer to reverse the order, prompting for a system password before falling back to one-time passwords, just ensure that pam_deny comes last:

# /etc/pam.d/common-auth
auth       sufficient nullok_secure

auth       sufficient
session    optional

auth       required

If you're tempted to remove standard system passwords altogether, especially from console logins, please don't. On some systems, most notably Ubuntu systems with ecryptfs-encrypted home directories, recovering from OTPW mishaps is extremely difficult without standard system passwords.

Modifying common-auth is usually the right thing to do on a headless server or console-only system. However, workstations or servers that provide the X Window System present special problems for one-time password systems.

Some tools or applications won't work properly with OTPW because they can't display the challenge to the user. The typical symptom is usually a password dialog that never completes or seems to ignore user input. In times past, gksu and GNOME Display Manager (GDM) had this issue with OPIE. In such cases, the solution is to move OTPW out of common-auth and include it only in specific services.

For example, you can add OTPW authentication to SSH connections while using just the standard password prompt for console or GUI logins. You can do this in three easy steps:

1. Delete any lines from common-auth that reference

# /etc/pam.d/common-auth on Debian Squeeze
auth       sufficient nullok_secure
auth       required

2. Create a new OTPW include file for PAM:

# /etc/pam.d/otpw
auth           sufficient
session        optional

3. Include OTPW immediately before common-auth in /etc/pam.d/sshd:

# Other stuff ...

# Enable OTPW authentication.
@include otpw

# Standard Un*x authentication.
@include common-auth

# More stuff ...

SSH Configuration

In addition to configuring the PAM libraries, OTPW needs the following three settings in the SSH dæmon's configuration file:

# /etc/ssh/sshd_config
UsePrivilegeSeparation yes
UsePAM yes
ChallengeResponseAuthentication yes

These are usually there, but possibly commented out or set to "no", so modify them accordingly. Next, reload the SSH dæmon after modifying its configuration file:

# Generic Linux
sudo /etc/init.d/ssh reload

# Debian 6.0.4+
sudo service ssh reload

# Ubuntu 11.04+
sudo reload ssh

Generating OTPW Passwords

Once the OTPW PAM module has been configured properly, only users with an ~/.otpw file will be challenged with a one-time password dialog during login. This file contains some metadata about its contents, as well as a list of one-way hashes that will match only a valid response to a challenge.

To create this file, or to re-populate it with new passwords, use the otpw-gen utility. By default, it will create 280 password suffixes, formatted to fit on a single side of US letter-sized (8.5" x 11") paper. Because only the one-way hashes are stored in ~/.otpw, not the passwords themselves, you must capture or print the standard output of this command when the passwords are generated. You will not be able to retrieve the password list after the fact; you'll need to generate new passwords instead.

Here is what it looks like when you run the command for the first time, piping the output to your default printer:

$ otpw-gen | lpr
Generating random seed ...

If your paper password list is stolen, the thief
should not gain access to your account with this
information alone. Therefore, you need to memorize
and enter below a prefix password. You will have to
enter that each time directly before entering the
one-time password (on the same line).

When you log in, a 3-digit password number will be
displayed. It identifies the one-time password on
your list that you have to append to the prefix
password. If another login to your account is in
progress at the same time, several password numbers
may be shown and all corresponding passwords have to
be appended after the prefix password. Best generate
a new password list when you have used up half of
the old one.

Enter new prefix password:
Reenter prefix password:

Creating '~/.otpw'.
Generating new one-time passwords ...

When generating a new password list, the prompts that appear on standard error are slightly different:

Overwrite existing password list '~/.otpw' (Y/n)?

Enter new prefix password:
Reenter prefix password:

Creating '~/.otpw'.
Generating new one-time passwords ...

The first prompt ensures that you don't accidentally over-write your existing password list; the second prompt asks you for a new password. There's nothing stopping you from reusing the same prefix password on each invocation—the random seed makes duplicate hashes unlikely—but best practice is to use a new prefix each time you regenerate the password list.

If you want to generate a password list on a remote host but print to a local printer, you can do this over your SSH connection as long as you trust your localhost:

read -p 'Hostname: ' &

Note the use of stty to ensure that your prefix password isn't echoed to the screen. As long as your prefix password remains secure, you are no worse off using an untrusted printer than you are if your password list falls into the wrong hands. This is often a valuable security trade-off for frequent travelers.


Todd A. Jacobs is a veteran IT consultant with a passion for all things Linux. He spends entirely too much time making systems do things they were never designed to do.


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site. ra23z27

hello !!!

linda99's picture

Congratulations very nice new site that allows you to see the details. I'm a fan, good luck on my part !! good luck for you
voyance gratuit

The OBD II the Actron

billwu's picture

The OBD II the Actron autoscanner is compatible with OBD II standard vehicles, light trucks, SUV and minivan. It is designed with extensive OBD II code library built-in units. Another notable feature is its sheer size, which makes it simple for owners backlit screen reading.

Configuring One-Time Password Authentication with OTPW | Linux

Bridal Boudoir Photography's picture

I ԁon't even know how I ended up here, but I thought this post was great. I don't κnow who you
are but dеfinitely уοu агe going tо a famous bloggеr if you are nοt already ;) Cheers!

Also viѕit my blоg: Bridal Boudoir Photography

Reply to comment | Linux Journal

Mark Lewis's picture

We love each other very much and it is out love that
at times I get mad when he does something dangerous like lifting something heavy, speeding on the freeway.
He gets pissed off and tells me that I over-react. I don't want to tolerate dangerous behavior and make sure that there is some consequence so that he does not repeat. (He was the only child with never any consequences to bad behavior) Unfortunately being upset/mad does not do the job. What should I do so that I can get the message across effectively?.

One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix