{"id":47209,"date":"2024-09-11T16:19:38","date_gmt":"2024-09-11T16:19:38","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=47209"},"modified":"2024-09-17T11:57:01","modified_gmt":"2024-09-17T11:57:01","slug":"one-time-password-ubuntu","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2024\/09\/one-time-password-ubuntu\/","title":{"rendered":"Enable One Time Password in Ubuntu 24.04 for SSH or Local Login"},"content":{"rendered":"

\"\"<\/a><\/p>\n

This tutorial shows how to enable One Time PassWord in Ubuntu 24.04 for either local or remote SSH login.<\/p>\n

One Time PassWord, OTPW in short, is a PAM module which is useful for allowing a user to login public or shared computer\/server using a single-use password, that works only for one time.<\/p>\n

By generating a list OTPW passwords, and configuring your system to allow OTPW logins, it will ask random one of the OTPW passwords on every login. And, that password will never work again once logged in successfully with it.<\/p>\n

<\/p>\n

Step 1: Install OTPW package<\/h3>\n

The OTPW package is available in the universe repository for all current Ubuntu releases.<\/p>\n

To install it<\/b>, open terminal (Ctrl+Alt+T) or connect to remove server and run command:<\/p>\n

sudo apt install libpam-otpw otpw-bin<\/pre>\n
Here, the libpam-otpw<\/code> package includes the PAM module that can enable OTPW password login. While otpw-bin<\/code> offers command to generate OTPW passwords.<\/p>\n
\"\"<\/a><\/p>\n
Step 2: Generate a list of OTPW passwords<\/h3>\n
After installing the packages above, you can now run command below to generate random passwords:<\/p>\n
otpw-gen > ~\/otpw_passwords<\/pre>\n
The command will generate a file called “otpw_passwords<\/code>” in user home directory, which includes 280 random generated passwords.<\/p>\n
And, it will ask you to set a prefix password<\/b>. When login with OTPW module, you need to type this prefix password<\/b> + OTPW password<\/b>. So, others cannot access to your account even if you lost the password list.<\/p>\n
\"\"<\/a><\/p>\n
At any time, you may re-run the last command to re-create the password list. Which, will override both the previous prefix and one-time passwords.<\/p>\n
The passwords work only for the user account who generated them.<\/b> For any other user, either run command su username<\/code> to switch to that user and re-run the otpw-gen<\/code> command, or use command below instead:<\/p>\n
su -c \"otpw-gen > ~\/otpw_passwords\" username<\/pre>\n
In command, replace username<\/code> with the target account name.<\/p>\n
And, here’s an example password list. For yours, either take a photo using your phone, or print it out for later use.<\/p>\n
\"\"<\/a><\/p>\n
Step 3: Tell your system to allow OTPW password login<\/h3>\n
1.<\/b> First, run the command below to create a PAM config file and edit with nano command line text editor:<\/p>\n
sudo nano \/etc\/pam.d\/ssh-otpw<\/pre>\n
When it opens, past the lines below, which tell to authenticate with otpw module, and permit access immediately if succeed.<\/p>\n
auth sufficient pam_otpw.so\r\nsession optional pam_otpw.so<\/pre>\n
Finally, press Ctrl+S to save and Ctrl+X to exit.<\/p>\n
\"\"<\/a><\/p>\n
Enable OTPW for SSH Login<\/h4>\n
2. To enable OTPW PAM module for SSH<\/b>, then edit the sshd<\/code> PAM config file via command:<\/p>\n
sudo nano \/etc\/pam.d\/sshd<\/pre>\n
When file opens, include the config you just made, by adding @include ssh-otpw<\/b>. NOTE that, you need to:<\/p>\n