otpw-gen - Online in the Cloud

PROGRAM:

NAME

otpw-gen - one-time password generator

SYNOPSIS

otpw-gen [ options ]

DESCRIPTION

OTPW is a one-time password authentication system. It can be plugged into any application
that needs to authenticate users interactively. One-time password authentication is a
valuable protection against password eavesdropping, especially for logins from untrusted
terminals.

Before you can use OTPW to log into your system, two preparation steps are necessary.
Firstly, your system administrator has to enable it. (This is usually done by configuring
your login software (e.g., sshd) to use OTPW via the Pluggable Authentication Module (PAM)
configuration files in /etc/pam.d/.)

Secondly, you need to generate a list of one-time passwords and print it out. This can be
done by calling

otpw-gen | lpr

or something like

otpw-gen -h 70 -s 2 | a2ps -1B -L 70 --borders no

if more control over the layout is desired.

You will be asked for a prefix password, which you need to memorize. It has to be entered
immediately before the one-time password. The prefix password reduces the risk that anyone
who finds or steals your password printout can use that alone to impersonate you.

Each one-time password will be printed behind a three digit password number. Such a number
will appear in the password prompt when OTPW has been activated:

Password 026:

When you see this prompt, enter the memorized prefix password, followed immediately by the
one-time password identified by the number. Any spaces within a password have only been
inserted to improve legibility and do not have to be copied. OTPW will ignore the
difference between the easily confused characters 0O and Il1 in passwords.

In some situations, for example if multiple logins occur simultaneously for the same user,
OTPW defends itself against the possibility of various attacks by asking for three random
passwords simultaneously.

Password 047/192/210:

You then have to enter the prefix password, followed immediately by the three requested
one-time passwords. This fall-back mode is activated by the existence of the lock file
~/.otpw.lock. If it was left over by some malfunction, it can safely be deleted manually.

Call otpw-gen again when you have used up about half of the printed one-time passwords or
when you have lost your password sheet. This will disable all remaining passwords on the
previous sheet.

OPTIONS

-h number Specify the total number of lines per page to be sent to standard output.
This number minus four header lines determines the number of rows of
passwords on each page. The maximum number of passwords that can be printed
is 1000. (Minimum: 5, default: 60)

-w number Specify the maximum width of lines to be sent to standard output. This
parameter determines together with the password length the number of columns
in the printed password matrix. (Minimum: 64, default: 79)

-s number Specify the number of form-feed separated pages to be sent to standard
output. (Default: 1)

-e number Specify the minimum entropy of each one-time password in bits. The length of
each password will be chosen automatically, such that there are at least two
to the power of the specified number possible passwords. A value below 30
might make the passwords vulnerable to a brute-force guessing attack. If the
attacke might have read access to the ~/.otpw file, the value should be at
least 48. Paranoid users might prefer long high-security passwords with at
least 60 bits of entropy. (Default: 48)

-p0 Generate passwords by transforming a random bit string into a sequence of
letters and digits, using a form of base-64 encoding (6 bits per character).
(Default)

-p1 Generate passwords by transforming a random bit string into a sequence of
English four-letter words, each chosen from a fixed list of 2048 words (2.75
bits per character).

-f filename Specify a file to be used instead of ~/.otpw for storing the hash values of
the generated one-time passwords.

Use otpw-gen online using onworks.net services