pam_otpw - verify one-time passwords
is a one-time password authentication system. It compares entered
passwords with hash values stored in the user's home directory in the file
. Once a password has been entered correctly, its hash value in
will be overwritten with hyphens, which disables its use in
future authentication. A lock file ~/.otpw.lock prevents the same
password challenge from being issued to several concurrent authentication
sessions. This guards against an eavesdropper copying a one-time password
into a second session as it is being entered, hoping to gain access by
sending the final newline character faster than the user can.
Both an authentication management and a session management function are offered
by this module. The authentication function asks for and verifies one-time
passwords. The session function prints a message after login that reminds the
user of the remaining number of one-time passwords.
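The following is an added illustrative model of the mechanism described above; it is not code from the OTPW package. It assumes a simplified hash-file layout (one truncated SHA-256 hex digest per line, the challenge being the line number) and a lock file that records the pending challenge indices, neither of which is the real ~/.otpw format. It shows the three properties the text states: two concurrent sessions are not given the same challenge, a consumed entry is overwritten with hyphens so the password cannot be replayed, and the count reported after login drops accordingly.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed model of pam_otpw's behaviour, NOT the real OTPW file format:
#   - hash file: line i holds the (truncated, hex) hash of password number i
#   - lock file: one pending challenge index per line (models ~/.otpw.lock)
#   - a consumed entry is overwritten with hyphens
DIGEST_LEN = 16
USED_MARK = "-" * DIGEST_LEN


def pw_hash(password):
    """Assumed hashing for the model: truncated SHA-256 hex digest."""
    return hashlib.sha256(password.encode()).hexdigest()[:DIGEST_LEN]


def write_hash_file(path, passwords):
    """Create the hash file with mode 0600; line i is password number i."""
    with open(path, "w") as f:
        f.write("".join(pw_hash(p) + "\n" for p in passwords))
    os.chmod(path, 0o600)


def read_entries(path):
    with open(path) as f:
        return [line.rstrip("\n") for line in f]


def write_entries(path, entries):
    with open(path, "w") as f:
        f.write("".join(e + "\n" for e in entries))


def read_pending(lock_path):
    """Challenge indices currently held open by other sessions."""
    if not os.path.exists(lock_path):
        return set()
    with open(lock_path) as f:
        return {int(x) for x in f.read().split()}


def issue_challenge(hash_path, lock_path, nolock=False):
    """Pick an unused entry and return its index (None if none remain).
    Unless nolock is set, indices pending in the lock file are skipped so a
    concurrent session never receives the same challenge, and the chosen
    index is recorded there."""
    pending = set() if nolock else read_pending(lock_path)
    for i, entry in enumerate(read_entries(hash_path)):
        if entry != USED_MARK and i not in pending:
            if not nolock:
                with open(lock_path, "a") as f:
                    f.write(f"{i}\n")
            return i
    return None


def verify(hash_path, lock_path, index, password, nolock=False):
    """Check the answer to challenge `index`. On success the entry is
    overwritten with hyphens so it can never be reused; in either case the
    challenge is released from the lock file (removed when empty)."""
    entries = read_entries(hash_path)
    ok = (entries[index] != USED_MARK
          and hmac.compare_digest(entries[index], pw_hash(password)))
    if ok:
        entries[index] = USED_MARK
        write_entries(hash_path, entries)
    if not nolock:
        remaining = read_pending(lock_path) - {index}
        if remaining:
            with open(lock_path, "w") as f:
                f.write("".join(f"{i}\n" for i in sorted(remaining)))
        elif os.path.exists(lock_path):
            os.remove(lock_path)
    return ok


def remaining_passwords(hash_path):
    """What the session function reports after login: unused entries left."""
    return sum(1 for e in read_entries(hash_path) if e != USED_MARK)


def demo():
    """Two concurrent sessions, one successful login, one replay attempt."""
    d = tempfile.mkdtemp()
    hp, lp = os.path.join(d, "otpw"), os.path.join(d, "otpw.lock")
    pws = ["alpha1", "bravo2", "charlie3"]      # constructed sample passwords
    write_hash_file(hp, pws)
    a = issue_challenge(hp, lp)                 # first session
    b = issue_challenge(hp, lp)                 # concurrent second session
    first_ok = verify(hp, lp, a, pws[a])        # correct answer, consumed
    replay = verify(hp, lp, a, pws[a])          # same password again: rejected
    second_ok = verify(hp, lp, b, pws[b])
    return {"a": a, "b": b, "first_ok": first_ok, "replay": replay,
            "second_ok": second_ok, "left": remaining_passwords(hp),
            "lock_gone": not os.path.exists(lp)}


if __name__ == "__main__":
    print(demo())
```

With `nolock=True` the lock file is neither consulted nor written, which is the model's counterpart of the option described below: a second session would then simply be offered the first unused entry again.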
- Turn on debugging via syslog(3).
- Disable locking. This option tells the authentication function of
  pam_otpw.so to ignore any existing ~/.otpw.lock lock file and not to
  generate any. With this option, pam_otpw.so will never ask for several
  passwords simultaneously.
If a system pseudo user “otpw” exists in the user database (with
UID < 1000), then the password hash files will not be stored in the user's
home directory. Instead of looking for ~john/.otpw.lock, the file has to
be located in the home directory of the pseudo user “otpw” and be named
after the user (e.g. “/var/lib/otpw/john”). It will be accessed with the
effective UID and GID of that pseudo user.
package, which includes the otpw-gen program, has been
developed by Markus Kuhn. The most recent version is available from