-
Notifications
You must be signed in to change notification settings - Fork 4
/
pam_otpw.8
61 lines (57 loc) · 2.01 KB
/
pam_otpw.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
.TH PAMOTPW 8 "2014-08-07"
.SH NAME
pam_otpw \- verify one-time passwords
.SH SYNOPSIS
.B pam_otpw
[
.I arguments
]
.SH DESCRIPTION
.I OTPW
is a one-time password authentication system. It compares entered
passwords with hash values stored in the user's home directory in the
file
.BR ~/.otpw .
Once a password was entered correctly, its hash value in
.B ~/.otpw
will be overwritten with hyphens, which disables its use in future
authentication. A lock file
.B ~/.otpw.lock
prevents that the same password challenge is issued on several
concurrent authentication sessions. This helps to prevent an
eavesdropper from copying a one-time password as it is entered
instantly into a second session, in the hope to get access by sending
the final newline character faster than the user could.
Both an authentication management and a session management function
are offered by this module. The authentication function asks for and
verifies one-time passwords. The session function prints a message
after login that reminds the user of the remaining number of one-time
passwords.
.SH ARGUMENTS
.IP debug
Turn on debugging via \fBsyslog(3)\fR.
.IP nolock
Disable locking. This option tells the authentication function of
.I pam_otpw.so
to ignore any existing
.B ~/.otpw.lock
lock file and not to generate any. With this option,
.I pam_otpw.so
will never ask for several passwords simultaneously.
.SH PSEUDO-USER INSTALLATION
If a system pseudo user “otpw” exists in the user database (with UID <
1000), then the password hash files will not be stored in the user's
home directory. Instead of looking for
.B ~john/.otpw.lock
the file has to be located in the home directory of the pseudo user
“otpw”, and be named after the user (e.g. “/var/lib/otpw/john”). It
will be accessed with the effective UID and GID of that pseudo user.
.SH AUTHOR
The
.I OTPW
package, which includes the
.I otpw-gen
progam, has been developed by Markus Kuhn. The most recent version is
available from <http://www.cl.cam.ac.uk/~mgk25/otpw.html>.
.SH SEE ALSO
otpw-gen(1), pam(8)