Lots of people are replying about the advantages/disadvantages of using ssh **OR** otp. I fully agree; in fact I installed both here.
What I said is that it's nonsense to use ssh **AND** otp at the same time, for the same login. If I understood correctly, Peter's setup of ssh-pam would use otp for the ssh login. Did I miss something? <asbestos suit> Furthermore I usually recompile ssh without pam, because ssh is not just a login protocol. Perhaps this could help Peter. I also don't like the hack of making ssh refuse logins for valid RSA keys (I only use them, no plain passwords) by just putting an invalid password in /etc/passwd. I'm not sure this was done to ssh-nonfree, but I think it was for openssh. </asbestos suit> On the subject of authentication, I'd much like to have an authentication daemon (not running as root, preferably) that receives a login/password and says yes or no. I could use it for granting access to certain directories and other things. Can ldap do this? I thought about the ldap-pam module, but haven't explored it.