Provided by: otpw-bin_1.5-2_amd64 bug

NAME
       otpw-gen - one-time password generator


SYNOPSIS
       otpw-gen [ options ]


DESCRIPTION
       OTPW  is  a one-time password authentication system. It can be plugged into any application that needs to
       authenticate users interactively.  One-time password authentication  is  a  valuable  protection  against
       password eavesdropping, especially for logins from untrusted terminals.

       Before  you  can  use  OTPW  to  log into your system, two preparation steps are necessary. Firstly, your
       system administrator has to enable it. (This is usually done by configuring your  login  software  (e.g.,
       sshd) to use OTPW via the Pluggable Authentication Module (PAM) configuration files in /etc/pam.d/.)

       Secondly, you need to generate a list of one-time passwords and print it out. This can be done by calling

              otpw-gen | lpr

       or something like

              otpw-gen -h 70 -s 2 | a2ps -1B -L 70 --borders no

       if more control over the layout is desired.

       You  will  be  asked  for a prefix password, which you need to memorize. It has to be entered immediately
       before the one-time password. The prefix password reduces the risk that anyone who finds or  steals  your
       password printout can use that alone to impersonate you.

       Each one-time password will be printed behind a three digit password number. Such a number will appear in
       the password prompt when OTPW has been activated:

              Password 026:

       When  you  see  this  prompt,  enter  the memorized prefix password, followed immediately by the one-time
       password identified by the number. Any spaces within a  password  have  only  been  inserted  to  improve
       legibility  and  do  not  have to be copied.  OTPW will ignore the difference between the easily confused
       characters 0O and Il1 in passwords.

       In some situations, for example if multiple logins occur simultaneously for the same user,  OTPW  defends
       itself against the possibility of various attacks by asking for three random passwords simultaneously.

              Password 047/192/210:

       You  then  have  to  enter  the  prefix  password,  followed  immediately by the three requested one-time
       passwords. This fall-back mode is activated by the existence of the lock file ~/.otpw.lock.   If  it  was
       left over by some malfunction, it can safely be deleted manually using option -l.

       Call  otpw-gen  again when you have used up about half of the printed one-time passwords or when you have
       lost your password sheet. This will disable all remaining passwords on the previous sheet.


OPTIONS
       -h number     Specify the total number of lines per page to be sent to standard output. This number minus
                     four header lines determines the number of rows of passwords  on  each  page.  The  maximum
                     number of passwords that can be printed is 1000. (Minimum: 5, default: 60)

       -w number     Specify the maximum width of lines to be sent to standard output. This parameter determines
                     together  with  the  password  length the number of columns in the printed password matrix.
                     (Minimum: 64, default: 79)

       -s number     Specify the number of form-feed separated pages to be sent to standard output. (Default: 1)

       -e number     Specify the minimum entropy of each one-time password in bits. The length of each  password
                     will  be  chosen  automatically,  such  that  there  are  at  least two to the power of the
                     specified number possible passwords. A value below 30 might make the  passwords  vulnerable
                     to  a  brute-force  guessing  attack. If the attacker might have read access to the ~/.otpw
                     file, the value should be at least 48.  Paranoid  users  might  prefer  long  high-security
                     passwords with at least 60 bits of entropy.  (Default: 48)

       -p0           Generate  passwords  by  transforming  a  random  bit string into a sequence of letters and
                     digits, using a form of base-64 encoding (6 bits per character). (Default)

       -p1           Generate passwords by transforming a random bit string into a  sequence  of  English  four-
                     letter words, each chosen from a fixed list of 2048 words (2.75 bits per character).

       -p2           Generate passwords by transforming a random bit string into a sequence of lowercase letters
                     and  digits  (5  bits per character). These are easier to communicate by voice (e.g., using
                     the NATO alphabet).

       -f filename   Specify a file to be used instead of ~/.otpw for storing the hash values of  the  generated
                     one-time passwords.

       -n            Suppress  the  addition  of a header and footer line to each output page.  This reduces the
                     minimum value for option -h to 1.

       -m            Instead of generating each password randomly, generate a random master key and then  derive
                     each password from that in a deterministic way.  The master key will be printed to standard
                     error.  It  can  later be used with option -k to recreate another copy of the same one-time
                     password list. (Each password is generated from  the  output  of  a  secure  hash  function
                     applied to the master key and the challenge string.)

       -E number     Specify  the  minimum entropy of the master key in bits. (It contains in addition four bits
                     redundancy for error checking.)

       -P number     Choose the text format in which the master key will be displayed.  The supported values are
                     the same as with option -p.

       -k            Ask for a master key, as it was generated by option -m, and then recreate the same password
                     list from that. With this option, only a password list will be generated; the  hash  values
                     in ~/.otpw remain unmodified.

       -r            Output  a  suggestion for a random password, then exit. The length and type of password can
                     be selected with options -e and -p.

       -l            Remove any lock file left by previous authentication attempts, then exit.


PSEUDO-USER INSTALLATION
       If the otpw-gen binary, owned by some system pseudo user (e.g., “otpw”), has the SETUID bit set, then the
       password hash file will be owned by and  stored  in  the  home  directory  of  that  pseudo  user  (e.g.,
       “/var/lib/otpw”),  using  the  user's  name instead of “.otpw”. This way, the hash files are out of reach
       from the users, and cannot be manipulated by tools  other  than  otpw-gen,  which  can  help  to  enforce
       policies  about  how  passwords  are  generated.  Storing the password hash files outside the user's home
       directory can also be useful where the home directory may not yet be accessible during login.


AUTHOR
       The OTPW package, which includes the otpw-gen program, has been developed by Markus Kuhn. The most recent
       version is available from <http://www.cl.cam.ac.uk/~mgk25/otpw.html>.


SEE ALSO
       pam(8), pam_otpw(8)

                                                   2014-08-07                                        OTPW-GEN(1)