
[Otpasswd-talk] Re: Bug#562968: ITP: otpasswd -- one-time passwords impl


From: Luke Faraone
Subject: [Otpasswd-talk] Re: Bug#562968: ITP: otpasswd -- one-time passwords implementation for PAM
Date: Tue, 29 Dec 2009 13:49:33 -0800

On Tue, Dec 29, 2009 at 12:22, The Fungi <address@hidden> wrote:
> On Tue, Dec 29, 2009 at 12:05:20PM -0500, Luke Faraone wrote:
> > Unlike OPIE, otpasswd uses modern hashing algorithms and supports offline
> > / out-of-band use.
>
> A compare/contrast with the libpam-otpw package would also be
> interesting.

I might not be the best person to do this, so I've CC'd the otpasswd-talk discussion list to solicit better explanations.

otpasswd allows both the use of an optional (via ~/.otpasswd) and global policy-enforced system. In the "global" system, it would be SGID (SUID as well?) to a shared otpasswd user. Via such a centralized database, the systems administrator can prevent passcard reuse as well as length requirements etc. From what I've such an architecture makes it easier to use one-time-passwords on an LDAP backend as well, but I haven't tried it.

otpasswd, when set to be PPP-compatible, also allows interoperability with a variety of client applications.

That said, I have not studied OTPW nor the security of otpasswd closely, and would advise anybody making a choice between the two to perform their own research.
 
Luke Faraone
http://luke.faraone.cc
