This tutorial shows how to enable One Time Password (OTPW) in Ubuntu 24.04 for either local or remote SSH login.
One Time Password, OTPW for short, is a PAM module that lets a user log in to a public or shared computer or server with a single-use password, one that works only once.
By generating a list of OTPW passwords and configuring your system to allow OTPW logins, the system will ask for a randomly chosen one of those passwords on every login. Once you have logged in successfully with a password, it will never work again.
Step 1: Install OTPW package
The OTPW package is available in the universe repository for all current Ubuntu releases.
To install it, open a terminal (Ctrl+Alt+T) or connect to the remote server and run the command:
sudo apt install libpam-otpw otpw-bin
Here, the libpam-otpw package includes the PAM module that enables OTPW password login, while otpw-bin provides the command to generate OTPW passwords.
Step 2: Generate a list of OTPW passwords
After installing the packages above, run the command below to generate the random passwords:
otpw-gen > ~/otpw_passwords
The command generates a file called “otpw_passwords” in the user's home directory, which contains 280 randomly generated passwords.
It will also ask you to set a prefix password. When logging in with the OTPW module, you need to type this prefix password followed by the OTPW password, so others cannot access your account even if you lose the password list.
At any time, you may re-run the last command to re-create the password list. This overrides both the previous prefix and the one-time passwords.
The passwords work only for the user account that generated them. For any other user, either run su username to switch to that user and re-run the otpw-gen command, or use the command below instead:
su -c "otpw-gen > ~/otpw_passwords" username
In the command, replace username with the target account name.
And here’s an example password list. For yours, either take a photo with your phone or print it out for later use.
Step 3: Tell your system to allow OTPW password login
1. First, run the command below to create a PAM config file and edit it with the nano command-line text editor:
sudo nano /etc/pam.d/ssh-otpw
When it opens, paste the lines below, which tell PAM to authenticate with the otpw module and permit access immediately if it succeeds.
auth sufficient pam_otpw.so
session optional pam_otpw.so
Finally, press Ctrl+S to save and Ctrl+X to exit.
Enable OTPW for SSH Login
2. To enable the OTPW PAM module for SSH, edit the sshd PAM config file via the command:
sudo nano /etc/pam.d/sshd
When the file opens, include the config you just made by adding @include ssh-otpw. NOTE that you need to:
- either disable @include common-auth (add # at the beginning), so the classic static password login will NO longer work (for all users)! Be sure you have an alternative authentication method in case you run out of OTPW passwords.
- or make sure @include common-auth is below @include ssh-otpw, or it will ask for the static password first!
3. After that, also edit the SSH daemon config file by running the command:
sudo nano /etc/ssh/sshd_config
When the file opens, find the lines below and set them (or add them if they do not exist) to use PAM authentication:
UsePAM yes
KbdInteractiveAuthentication yes
Also set PasswordAuthentication no, though the static password will still work unless @include common-auth is disabled in the PAM config or KbdInteractiveAuthentication is also disabled in this sshd config.
4. When done editing the file, press Ctrl+S to save and Ctrl+X to exit. Finally, restart SSH to apply the changes:
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
For old Ubuntu 22.04 and earlier, just running sudo systemctl restart ssh should work.
5. Next, you may try to start an SSH connection to this computer or server.
It should ask for the password with a 3-digit number. In the screenshot, it asked for password 004. I set the prefix password to “ade564”, and the password file shows me 004 Zh63 7Qyi. So, I need to input ade564Zh637Qyi to get in.
NOTE 1: If you left @include common-auth enabled in the /etc/pam.d/sshd config file, typing the user’s static password will also let you in!
NOTE 2: If someone else tries to log in at the same time as you, it MAY ask for 3 passwords instead of one. The prompt may look like “Password 004/027/134”. In that case, you need to type the prefix followed by the 3 passwords in that order. After login, you need to delete ~/.otpw.lock or it will always ask for 3 passwords.
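As an added example (not from the original tutorial), the shell functions below check the two points above that are easy to get wrong: that @include ssh-otpw sits above any active @include common-auth in the PAM file, and that sshd_config carries the three settings from step 3. Each function takes a file path so you can try it on a copy first; the demo at the end runs on a constructed sample file, not on /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Checks the PAM include order
# and the sshd_config settings that Step 3 relies on. Every function takes a
# file path, so you can run it on a copy before touching the real files.
# Verdict for a PAM config: ok / otpw-only / common-auth-first / missing-otpw.
# Only active (uncommented) @include lines count; the first of each kind wins.
pam_otpw_order() {
    awk '
        /^[ \t]*@include[ \t]+ssh-otpw/    && !o { o = NR }
        /^[ \t]*@include[ \t]+common-auth/ && !a { a = NR }
        END {
            if (!o)         print "missing-otpw"
            else if (!a)    print "otpw-only"
            else if (a < o) print "common-auth-first"
            else            print "ok"
        }' "$1"
}

# Rewrite the PAM config so "@include ssh-otpw" sits directly above the first
# active "@include common-auth" (appended at the end if there is none).
pam_otpw_fix() {
    case "$(pam_otpw_order "$1")" in ok|otpw-only) return 0 ;; esac
    tmp=$(mktemp)
    awk '
        /^[ \t]*@include[ \t]+ssh-otpw/ { next }    # drop the misplaced copy
        /^[ \t]*@include[ \t]+common-auth/ && !done { print "@include ssh-otpw"; done = 1 }
        { print }
        END { if (!done) print "@include ssh-otpw" }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Effective value of an sshd_config keyword: as in sshd, the first active match wins.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# True when sshd_config carries the three settings Step 3 asks for.
sshd_otpw_ready() {
    [ "$(sshd_opt "$1" UsePAM)" = yes ] &&
    [ "$(sshd_opt "$1" KbdInteractiveAuthentication)" = yes ] &&
    [ "$(sshd_opt "$1" PasswordAuthentication)" = no ]
}

# Demo on a constructed copy of a typical /etc/pam.d/sshd, not the real file.
demo=$(mktemp)
printf '@include common-auth\n@include ssh-otpw\naccount required pam_nologin.so\n' > "$demo"
echo "before: $(pam_otpw_order "$demo")"   # common-auth-first
pam_otpw_fix "$demo"
echo "after:  $(pam_otpw_order "$demo")"   # ok
rm -f "$demo"
```

Run pam_otpw_order against /etc/pam.d/sshd (or /etc/pam.d/common-auth for the desktop variant) and sshd_otpw_ready against /etc/ssh/sshd_config; anything other than ok/otpw-only means the static password is still asked for first.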
(optional) Enable One Time Password for local desktop login
If you want to use a one-time password to log in to the Ubuntu Desktop, edit the common-auth PAM config file instead by running the command:
sudo nano /etc/pam.d/common-auth
When the file opens, add @include ssh-otpw at the top and save.
Next time on the login screen, when you click the user who has generated an OTPW password list, it will show “Password XXX”, asking for the corresponding OTPW password (don’t forget to add the prefix password while typing).
Typing the static user password will also let you in!
Undo:
To disable the one-time password, simply remove the @include ssh-otpw line from either /etc/pam.d/sshd or /etc/pam.d/common-auth, depending on which one you enabled.
Optionally, you may remove the module package to free some disk space:
sudo apt remove --autoremove libpam-otpw