Configuring One-Time Password Authentication with OTPW

Finally, to disable OTPW challenges for a given user, just delete the .otpw file in that user's home directory.

Using OTPW to Log In

Once you have your password list in hand, you're ready to use one-time password authentication for your SSH connection. Assuming that you don't have any identities loaded into your SSH agent, your dialog should look similar to this:


$ ssh localhost
Password 015:

The prompt with the digits is the OTPW challenge. To respond, find the matching challenge ID on the password sheet you printed earlier. Next, enter your prefix password followed by the string that follows the challenge ID.

Using "foo" as a prefix password, the following suffix list was generated. Your list and suffixes will be different, even if you use the same prefix password.


OTPW list generated 2012-05-06 13:40 on localhost

000 SWvv JGk5 004 =qfF q2Mv 008 sb5P h94r 012 o5aH +/GD 016 8eLV VxuA
001 xPZR :ceV 005 B=bq =mHN 009 WBSR smty 013 QMZ% +bm8 017 vjFL K4VU
002 Sj%n 9xD3 006 RrNx sJXC 010 Xr6J F+Wv 014 j=LO CMmx 018 Km8c 8Q3K
003 s7g8 NE%v 007 sd=E MTqW 011 fNKT vo84 015 fWI% MB9e 019 z8ui %eQ3

            !!! REMEMBER: Enter the PREFIX PASSWORD first !!!

To respond to this challenge successfully, type:


foo fWI% MB9e

at the prompt. The spaces are optional; OTPW ignores them if present.

If you answered the challenge correctly, login will proceed. Otherwise, you will be prompted with the standard system login. At this point, you can enter your standard system password, or press Return to give OTPW another try. After the system-defined number of password attempts (usually three), the login will fail and return you to the command prompt:


$ ssh localhost
Password 013:
Password:
Password 013:
Password:
Password 013:
Password:
Permission denied (publickey,password,keyboard-interactive).

To prevent simultaneous logins, or when SSH is interrupted during OTPW authentication, OTPW may lock a password. When a password is locked, your next login attempt will present a triplet challenge that requires one prefix and three suffixes to respond:


$ ssh localhost
Password 004/011/005:

Given the same password list as before, enter your triplet response as a single line, with or without spaces. The following shows how the response is composed (note that the first line below is just an informational aid; you would type only the second line below, without the pipe characters):


prefix | suffix 004 | suffix 011 | suffix 005
foo    | =qfF q2Mv  | fNKT vo84  | B=bq =mHN

Once you have successfully responded to a triplet challenge, login will proceed and the ~/.otpw.lock symlink should be removed, and your next challenge will again be a single challenge ID number.

In some cases, the lock is not removed properly. If you continue to be prompted for a triplet, you can remove the lockfile manually:


rm ~/.otpw.lock

Users with encrypted home directories that are not already mounted before login will need to take a few additional steps. See the OTPW and Encrypted Home Directories sidebar for an example.

______________________

Todd A. Jacobs is a veteran IT consultant with a passion for all things Linux. He spends entirely too much time making systems do things they were never designed to do.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site.

www.webhostingiq.net ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site.

www.webhostingiq.net ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site.

www.webhostingiq.net ra23z27

Web Hosting IQ

 Web Hosting IQ's picture

Thanks for this very thorough explanation. Hope to read more helpful information from your site.

www.webhostingiq.net ra23z27

hello !!!

linda99's picture

Congratulations very nice new site that allows you to see the details. I'm a fan, good luck on my part !! good luck for you
voyance gratuit

The OBD II the Actron

billwu's picture

The OBD II the Actron autoscanner is compatible with OBD II standard vehicles, light trucks, SUV and minivan. It is designed with extensive OBD II code library built-in units. Another notable feature is its sheer size, which makes it simple for owners backlit screen reading. http://www.obdiag4u.com/

Configuring One-Time Password Authentication with OTPW | Linux

Bridal Boudoir Photography's picture

I ԁon't even know how I ended up here, but I thought this post was great. I don't κnow who you
are but dеfinitely уοu агe going tо a famous bloggеr if you are nοt already ;) Cheers!

Also viѕit my blоg: Bridal Boudoir Photography

Reply to comment | Linux Journal

Mark Lewis's picture

We love each other very much and it is out love that
at times I get mad when he does something dangerous like lifting something heavy, speeding on the freeway.
He gets pissed off and tells me that I over-react. I don't want to tolerate dangerous behavior and make sure that there is some consequence so that he does not repeat. (He was the only child with never any consequences to bad behavior) Unfortunately being upset/mad does not do the job. What should I do so that I can get the message across effectively?.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix