One Time PassWord
One Time PassWord (OTPW) is a PAM module allowing single-use passwords to login to a system. This is especially useful in the context of Secure Shell, allowing a user to login from a public or shared computer using a single-use password which will never work again.
Instructions for installing OTPW and configuring SSH to allow OTPW logins are below.
Installation
Install the otpwAUR package.
Configuration for SSH logins
PAM configuration
Create a PAM configuration file for otpw:
/etc/pam.d/ssh-otpw
auth sufficient pam_otpw.so session optional pam_otpw.so
Next, modify sshd's PAM configuration to include otpw. If you are disabling static password auth, comment out the 2nd bold line. Here is the modified /etc/pam.d/sshd
for reference:
/etc/pam.d/sshd
#%PAM-1.0 #auth required pam_securetty.so #disable remote root auth include ssh-otpw #auth include system-remote-login #NOTE: This must be disabled to completely disable password logins. account include system-remote-login password include system-remote-login session include system-remote-login
sshd configuration
OTPW uses Keyboard-Interactive logins for SSH sessions, which are enabled by adding these lines to /etc/ssh/sshd_config
:
UsePAM yes UsePrivilegeSeparation yes ChallengeResponseAuthentication yes
/etc/ssh/sshd_config
! For instance, make sure there are not two UsePAM lines, etc.If you wish to allow static password logins as well, ensure /etc/ssh/sshd_config
contains a line like this:
PasswordAuthentication yes
Otherwise, set it to no. See the above info on editing /etc/pam.d/sshd
to fully disable static password auth, as PAM will otherwise allow a static password if OTPW fails (e.g. when a user runs out of passwords).
If you allow password authentication, then after failing one authentication method, ssh clients will fall back to the other. Note that by default, ssh allows you three attempts at a password per login method.
OTPW configuration
OTPW is configured independently for each user account. If a given account does not have OTPW configured, that account will simply use a static password as usual. To configure OTPW for an account, run as that user:
$ otpw-gen > ~/otpw_passwords
otpw-gen
will ask for a password prefix, which must be typed at the beginning of all otpw passwords. This is to ensure that if someone else gets your OTPW list, they cannot use it to login to your account without knowing your prefix.
After running the above command, there should be a file in the user's home directory called otpw_passwords
which contains all of the user's OTPW passwords. There will also be a file ~/.otpw
which contains the password hashes. otpw_passwords
can be printed and referenced when logging in.
Usage
After completing the configuration above, ssh should use OTPW automatically for users who have it configured. An OTPW login prompt looks like so:
Password 041:
To log in, simply look up password 41 in your otpw_passwords
list, for example:
041 lYr0 g7QR
And type in your prefix followed by both halves of the password. The space is provided for readability and may or may not be included in the typed password. Do not enter a space between the prefix and the single-use password.
To specify to the ssh client which login method you would like to use, add -o PreferredAuthentication=keyboard-interactive
to use OTPW, or -o PreferredAuthentication=password
for static passwords. These options can also be specified in ~/.ssh/config
per-server.
To prevent someone from shoulder-surfing your OTPW and quickly using it to login to your account before you login, OTPW requires a concurrent login to enter three passwords instead of just one. This will usually not be an issue, but if OTPW should give a prompt like this:
Password 072/251/152:
Then simply enter your prefix, and the three requested passwords in the order they are requested in. When a login is initiated, OTPW creates a file ~/.otpw.lock
to detect concurrent logins. If a second login is initiated when this file exists, OTPW will request the three passwords.
~/.otpw.lock
file will not be deleted if the user cancels an SSH login using Ctrl-C or the like, and OTPW will always ask for triple passwords after this. The bug is marked as fixed, but it still affects me. As a workaround, one may simply delete the lock file manually, and OTPW will resume normal single-password requests.