Provided by: otpw-bin_1.3-2_i386

NAME

       otpw-gen - one-time password generator

SYNOPSIS

       otpw-gen [ options ]

DESCRIPTION

       OTPW  is  a  one-time password authentication system. It can be plugged
       into any application that needs to  authenticate  users  interactively.
       One-time  password  authentication  is  a  valuable  protection against
       password eavesdropping, especially for logins from untrusted terminals.

       Before you can use OTPW to log into your system, two preparation  steps
       are  necessary.  Firstly,  your  system administrator has to enable it.
       (This is usually done by configuring your login software  (e.g.,  sshd)
       to use OTPW via the Pluggable Authentication Module (PAM) configuration
       files in /etc/pam.d/.)

       Secondly, you need to generate a list of one-time passwords  and  print
       it out. This can be done by calling

              otpw-gen | lpr

       or something like

              otpw-gen -h 70 -s 2 | a2ps -1B -L 70 --borders no

       if more control over the layout is desired.

       You will be asked for a prefix password, which you need to memorize. It
       has to be entered immediately before the one-time password. The  prefix
       password reduces the risk that anyone who finds or steals your password
       printout can use that alone to impersonate you.

       Each one-time password will be printed after a three-digit password
       number.  Such a number will appear in the password prompt when OTPW has
       been activated:

              Password 026:

       When you see this prompt, enter the memorized prefix password, followed
       immediately  by  the  one-time  password  identified by the number. Any
       spaces within a password have only been inserted to improve  legibility
       and  do not have to be copied.  OTPW will ignore the difference between
       the easily confused characters 0O and Il1 in passwords.

       In some situations, for example if multiple logins occur simultaneously
       for  the  same  user,  OTPW  defends  itself against the possibility of
       various attacks by asking for three random passwords simultaneously.

              Password 047/192/210:

       You then have to enter the prefix password, followed immediately by the
       three requested one-time passwords. This fall-back mode is activated by
       the existence of the lock file ~/.otpw.lock.  If it was  left  over  by
       some malfunction, it can safely be deleted manually.

       Call  otpw-gen  again  when  you have used up about half of the printed
       one-time passwords or when you have lost your password sheet. This will
       disable all remaining passwords on the previous sheet.

OPTIONS

       -h number     Specify  the total number of lines per page to be sent to
                     standard output. This  number  minus  four  header  lines
                     determines  the number of rows of passwords on each page.
                     The maximum number of passwords that can  be  printed  is
                     1000. (Minimum: 5, default: 60)

       -w number     Specify the maximum width of lines to be sent to standard
                     output.  This  parameter  determines  together  with  the
                     password  length  the  number  of  columns in the printed
                     password matrix. (Minimum: 64, default: 79)

       -s number     Specify the number of form-feed  separated  pages  to  be
                     sent to standard output. (Default: 1)

       -e number     Specify  the minimum entropy of each one-time password in
                     bits.  The  length  of  each  password  will  be   chosen
                     automatically,  such  that  there are at least two to the
                     power of the specified number possible passwords. A value
                     below  30 might make the passwords vulnerable to a brute-
                     force guessing attack. If the attacker  might  have  read
                     access  to the ~/.otpw file, the value should be at least
                     48.  Paranoid  users  might  prefer  long   high-security
                     passwords  with  at  least 60 bits of entropy.  (Default:
                     48)

       -p0           Generate passwords by transforming a  random  bit  string
                     into  a  sequence  of letters and digits, using a form of
                     base-64 encoding (6 bits per character). (Default)

       -p1           Generate passwords by transforming a  random  bit  string
                     into a sequence of English four-letter words, each chosen
                     from  a  fixed  list  of  2048  words  (2.75   bits   per
                     character).

       -f filename   Specify  a file to be used instead of ~/.otpw for storing
                     the hash values of the generated one-time passwords.
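
       The arithmetic behind -e, -p0 and -p1, as an added Python example that
       is not part of the OTPW package: it derives the password length for a
       requested entropy and the average guessing time at a given rate. The
       guess rates and the canonical form used by fold() are assumptions.

```python
import math

BITS_PER_CHAR_P0 = 6   # -p0: 6 bits per character
BITS_PER_WORD_P1 = 11  # -p1: one of 2048 words = 11 bits per word
LETTERS_PER_WORD = 4   # 11 / 4 = 2.75 bits per character

# Assumed guess rates (illustrative, not from the man page).
ONLINE_RATE = 10       # login attempts per second
OFFLINE_RATE = 1e9     # hash trials per second against a copied ~/.otpw


def password_shape(entropy_bits, mode="p0"):
    """Return (letters, bits) of the shortest password reaching -e bits."""
    if mode == "p0":
        chars = math.ceil(entropy_bits / BITS_PER_CHAR_P0)
        return chars, chars * BITS_PER_CHAR_P0
    if mode == "p1":
        words = math.ceil(entropy_bits / BITS_PER_WORD_P1)
        return words * LETTERS_PER_WORD, words * BITS_PER_WORD_P1
    raise ValueError("mode must be 'p0' or 'p1'")


def mean_search_seconds(bits, guesses_per_second):
    """Average time to find one password: half the space at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second


def fold(typed):
    """Assumed canonical form: spaces dropped, 0/O and I/l/1 merged."""
    return typed.translate(str.maketrans({"0": "O", "l": "I", "1": "I", " ": None}))


if __name__ == "__main__":
    for e in (30, 48, 60):
        for mode in ("p0", "p1"):
            letters, bits = password_shape(e, mode)
            print(f"-e {e} -{mode}: {letters} letters, {bits} bits, "
                  f"online {mean_search_seconds(bits, ONLINE_RATE) / 86400:.3g} days, "
                  f"offline {mean_search_seconds(bits, OFFLINE_RATE) / 86400:.3g} days")
    # Constructed sample input: both spellings fold to the same string.
    print(fold("hUk1 0lIx") == fold("hUkl OI1x"))
```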

AUTHOR

       The  OTPW  package,  which  includes  the  otpw-gen  program,  has  been
       developed  by  Markus  Kuhn.  The most recent version is available from
       <http://www.cl.cam.ac.uk/~mgk25/otpw.html>.

SEE ALSO

       pam(8), pam_otpw(8)

                                  2003-09-30                       OTPW-GEN(1)