OTPW-GEN(1)		    General Commands Manual		   OTPW-GEN(1)

NAME
       otpw-gen - one-time password generator

SYNOPSIS
       otpw-gen [ options ]

DESCRIPTION
       OTPW is a one-time password authentication system. It can be plugged
       into any application that needs to authenticate users interactively.
       One-time password authentication is a valuable protection against
       password eavesdropping, especially for logins from untrusted
       terminals.

       Before you can use OTPW to log into your system, two preparation
       steps are necessary. Firstly, your system administrator has to enable
       it. (This is usually done by configuring your login software (e.g.,
       sshd) to use OTPW via the Pluggable Authentication Module (PAM)
       configuration files in /etc/pam.d/.)

       Secondly, you need to generate a list of one-time passwords and print
       it out. This can be done by calling

              otpw-gen | lpr

       or something like

              otpw-gen -h 70 -s 2 | a2ps -1B -L 70 --borders no

       if more control over the layout is desired.

       You will be asked for a prefix password, which you need to memorize.
       It has to be entered immediately before the one-time password. The
       prefix password reduces the risk that anyone who finds or steals your
       password printout can use that alone to impersonate you.

       Each one-time password will be printed behind a three-digit password
       number. Such a number will appear in the password prompt when OTPW
       has been activated:

              Password 026:

       When you see this prompt, enter the memorized prefix password,
       followed immediately by the one-time password identified by the
       number. Any spaces within a password have only been inserted to
       improve legibility and do not have to be copied. OTPW will ignore the
       difference between the easily confused characters 0O and Il1 in
       passwords.

       In some situations, for example if multiple logins occur
       simultaneously for the same user, OTPW defends itself against the
       possibility of various attacks by asking for three random passwords
       simultaneously:

              Password 047/192/210:

       You then have to enter the prefix password, followed immediately by
       the three requested one-time passwords. This fall-back mode is
       activated by the existence of the lock file ~/.otpw.lock. If it was
       left over by some malfunction, it can safely be deleted manually
       using option -l.

       Call otpw-gen again when you have used up about half of the printed
       one-time passwords or when you have lost your password sheet. This
       will disable all remaining passwords on the previous sheet.

OPTIONS
       -h number     Specify the total number of lines per page to be sent
                     to standard output. This number minus four header lines
                     determines the number of rows of passwords on each
                     page. The maximum number of passwords that can be
                     printed is 1000. (Minimum: 5, default: 60)

       -w number     Specify the maximum width of lines to be sent to
                     standard output. This parameter determines, together
                     with the password length, the number of columns in the
                     printed password matrix. (Minimum: 64, default: 79)

       -s number     Specify the number of form-feed separated pages to be
                     sent to standard output. (Default: 1)

       -e number     Specify the minimum entropy of each one-time password
                     in bits. The length of each password will be chosen
                     automatically, such that there are at least two to the
                     power of the specified number possible passwords. A
                     value below 30 might make the passwords vulnerable to a
                     brute-force guessing attack. If the attacker might have
                     read access to the ~/.otpw file, the value should be at
                     least 48. Paranoid users might prefer long
                     high-security passwords with at least 60 bits of
                     entropy. (Default: 48)

       -p0           Generate passwords by transforming a random bit string
                     into a sequence of letters and digits, using a form of
                     base-64 encoding (6 bits per character). (Default)

       -p1           Generate passwords by transforming a random bit string
                     into a sequence of English four-letter words, each
                     chosen from a fixed list of 2048 words (2.75 bits per
                     character).

       -p2           Generate passwords by transforming a random bit string
                     into a sequence of lowercase letters and digits (5 bits
                     per character). These are easier to communicate by
                     voice (e.g., using the NATO alphabet).

       -f filename   Specify a file to be used instead of ~/.otpw for
                     storing the hash values of the generated one-time
                     passwords.

       -n            Suppress the addition of a header and footer line to
                     each output page. This reduces the minimum value for
                     option -h to 1.

       -m            Instead of generating each password randomly, generate
                     a random master key and then derive each password from
                     that in a deterministic way. The master key will be
                     printed to standard error. It can later be used with
                     option -k to recreate another copy of the same one-time
                     password list. (Each password is generated from the
                     output of a secure hash function applied to the master
                     key and the challenge string.)

       -E number     Specify the minimum entropy of the master key in bits.
                     (It contains in addition four bits redundancy for error
                     checking.)

       -P number     Choose the text format in which the master key will be
                     displayed. The supported values are the same as with
                     option -p.

       -k            Ask for a master key, as it was generated by option -m,
                     and then recreate the same password list from that.
                     With this option, only a password list will be
                     generated; the hash values in ~/.otpw remain
                     unmodified.

       -r            Output a suggestion for a random password, then exit.
                     The length and type of password can be selected with
                     options -e and -p.

       -l            Remove any lock file left by previous authentication
                     attempts, then exit.

PSEUDO-USER INSTALLATION
       If the otpw-gen binary, owned by some system pseudo user (e.g., otpw),
       has the SETUID bit set, then the password hash file will be owned by
       and stored in the home directory of that pseudo user (e.g.,
       /var/lib/otpw), using the user's name instead of .otpw. This way, the
       hash files are out of reach of the users, and cannot be manipulated
       by tools other than otpw-gen, which can help to enforce policies about
       how passwords are generated. Storing the password hash files outside
       the user's home directory can also be useful where the home directory
       may not yet be accessible during login.

AUTHOR
       The OTPW package, which includes the otpw-gen program, has been
       developed by Markus Kuhn. The most recent version is available from
       <http://www.cl.cam.ac.uk/~mgk25/otpw.html>.

SEE ALSO
       pam(8), pam_otpw(8)

				  2014-08-07			   OTPW-GEN(1)
