Screenshots/demo

An example passcard looks like this:

[Image: example OTPasswd passcard]

Example of authentication:

  user@host $ ssh user@cirrus
  Password: <user unix password>
  Passcode G6 [1]: Jw%
      
  user@cirrus $

Example of authentication with a manually requested out-of-band (OOB) message; the warning is printed by the PAM session stack:

  remoteserver ~ % ssh bla@thera.be 

  Password: <unix password entered>
  Passcode  5B [5]: .
  Static password: 
  Out-of-band message sent.
  Passcode  5B [5]: @#6v
  Last login: Wed Sep 29 11:02:13 CEST 2010 from 192.168.0.20 on pts/9
   _   _                    
  | |_| |__   ___ _ __ __ _ 
  | __| '_ \ / _ \ '__/ _` |
  | |_| | | |  __/ | | (_| |
   \__|_| |_|\___|_|  \__,_|
  
  *** OTP Warning: You have no printed passcodes left!
  thera ~ %                                          

Process of key creation:

  reactor ~ % otpasswd -c codelength=3 -c label=Home -k
  *********************************************************
  * This will irreversibly erase your current key, making *
  *    all already printed passcards worthless!           *
  *********************************************************
  
  Are you sure you want to continue? (yes/no): yes
  
  Your current set of flags:
  show=on disabled=off alphabet=1 code_length=3 (salt=on)
  Passcard label="Home", no contact information.
  
  
  HINT: To generate key we need to gather lots of random data.
  To make this process faster you can move your mouse or cause
  some network or disc activity
  Key generated successfully.
  
  *****************************************************
  * Print following passcard or at least make a note  *
  * with a few first passcodes so you won't loose     *
  * ability to log into your system!                  *
  *****************************************************
  
  Home                            [1]
      A   B   C   D   E   F   G   H  
   1: 2dM =78 o6! f8A uHF uHP Y%P :e+
   2: bq@ ff6 wSu ?LY TZf MB% coe MKR
   3: Xt8 R%r thT kav pmH zLo =mD V%?
   4: XhN %jD 8Fd dfs 56t qGR pDr %uy
   5: +y! 9s? 7?r MCC +By U=9 2A= ECC
   6: e8F Ejk n#i i#w e6R :Xm HhP XbK
   7: DPJ #3s D!p qTD d#x khz CF8 Jt%
   8: bLK MV: %Jr Vp4 rF@ Fby 8!! VTV
   9: cvJ 7z: kwR A=3 RmC tMh NT? u6o
  10: 8Fg 6qa JRD u4P =F@ #Y2 SsR SPA
  
  Are you ready to start using this one-time passwords? (yes/no): yes
  
  Key stored! One-time passwords enabled for this account.

Short description

The OTPasswd package consists of three primary components: a user utility, an agent which performs operations on behalf of the utility, and a PAM module.

  • Utility - manages user configuration: generates the user's cryptographic key, manages options affecting OTPasswd behavior, and prints passcards with one-time codes. The user's OTPasswd configuration is known as the user's "state", and can either be stored in the user's home directory or in the system-wide database.
  • PAM module - enables "PAM aware" applications, such as OpenSSH, to perform OTP authentication.
  • Agent - performs actions on behalf of the utility. In some configurations it is required to be SUID-root. It exists solely to solve security issues. It works in a similar manner to unix_chkpwd.