PAMOTPW 8 "2014-08-07"
NAME
pam_otpw - verify one-time passwords
SYNOPSIS
pam_otpw [
arguments ]
DESCRIPTION
OTPW is a one-time password authentication system. It compares entered
passwords with hash values stored in the user's home directory in the
file
~/.otpw . Once a password was entered correctly, its hash value in
~/.otpw will be overwritten with hyphens, which disables its use in future
authentication. A lock file
~/.otpw.lock prevents that the same password challenge is issued on several
concurrent authentication sessions. This helps to prevent an
eavesdropper from copying a one-time password as it is entered
instantly into a second session, in the hope to get access by sending
the final newline character faster than the user could.
Both an authentication management and a session management function
are offered by this module. The authentication function asks for and
verifies one-time passwords. The session function prints a message
after login that reminds the user of the remaining number of one-time
passwords.
ARGUMENTS
debug
Turn on debugging via syslog(3).
nolock
Disable locking. This option tells the authentication function of
pam_otpw.so to ignore any existing
~/.otpw.lock lock file and not to generate any. With this option,
pam_otpw.so will never ask for several passwords simultaneously.
PSEUDO-USER INSTALLATION
If a system pseudo user “otpw” exists in the user database (with UID <
1000), then the password hash files will not be stored in the user's
home directory. Instead of looking for
~john/.otpw.lock the file has to be located in the home directory of the pseudo user
“otpw”, and be named after the user (e.g. “/var/lib/otpw/john”). It
will be accessed with the effective UID and GID of that pseudo user.
AUTHOR
The
OTPW package, which includes the
otpw-gen progam, has been developed by Markus Kuhn. The most recent version is
available from <http://www.cl.cam.ac.uk/~mgk25/otpw.html>.
SEE ALSO
otpw-gen(1), pam(8)