OTPW-GEN(1) | General Commands Manual | OTPW-GEN(1) |
otpw-gen - one-time password generator
otpw-gen [ options ]
OTPW is a one-time password authentication system. It can be plugged into any application that needs to authenticate users interactively. One-time password authentication is a valuable protection against password eavesdropping, especially for logins from untrusted terminals.
Before you can use OTPW to log into your system, two preparation steps are necessary. Firstly, your system administrator has to enable it. (This is usually done by configuring your login software (e.g., sshd) to use OTPW via the Pluggable Authentication Module (PAM) configuration files in /etc/pam.d/.)
Secondly, you need to generate a list of one-time passwords and print it out. This can be done by calling
or something like
if more control over the layout is desired.
You will be asked for a prefix password, which you need to memorize. It has to be entered immediately before the one-time password. The prefix password reduces the risk that anyone who finds or steals your password printout can use that alone to impersonate you.
Each one-time password will be printed behind a three digit password number. Such a number will appear in the password prompt when OTPW has been activated:
When you see this prompt, enter the memorized prefix password, followed immediately by the one-time password identified by the number. Any spaces within a password have only been inserted to improve legibility and do not have to be copied. OTPW will ignore the difference between the easily confused characters 0O and Il1 in passwords.
In some situations, for example if multiple logins occur simultaneously for the same user, OTPW defends itself against the possibility of various attacks by asking for three random passwords simultaneously.
You then have to enter the prefix password, followed immediately by the three requested one-time passwords. This fall-back mode is activated by the existence of the lock file ~/.otpw.lock. If it was left over by some malfunction, it can safely be deleted manually using option -l.
Call otpw-gen again when you have used up about half of the printed one-time passwords or when you have lost your password sheet. This will disable all remaining passwords on the previous sheet.
If the otpw-gen binary, owned by some system pseudo user (e.g., “otpw”), has the SETUID bit set, then the password hash file will be owned by and stored in the home directory of that pseudo user (e.g., “/var/lib/otpw”), using the user's name instead of “.otpw”. This way, the hash files are out of reach from the users, and cannot be manipulated by tools other than otpw-gen, which can help to enforce policies about how passwords are generated. Storing the password hash files outside the user's home directory can also be useful where the home directory may not yet be accessible during login.
The OTPW package, which includes the otpw-gen program, has been developed by Markus Kuhn. The most recent version is available from <http://www.cl.cam.ac.uk/~mgk25/otpw.html>.
2014-08-07 |