On Tue, Dec 29, 2009 at 12:22, The Fungi <fu...@yuggoth.org> wrote:

> On Tue, Dec 29, 2009 at 12:05:20PM -0500, Luke Faraone wrote:
> > Unlike OPIE, otpasswd uses modern hashing algorithms and supports offline
> > / out-of-band use.
>
> A compare/contrast with the libpam-otpw package would also be
> interesting.
>
I might not be the best person to do this, so I've CC'd the otpasswd-talk discussion list to solicit better explanations.

otpasswd allows both the use of an optional (via ~/.otpasswd) and global policy-enforced system. In the "global" system, it would be SGID (SUID as well?) to a shared otpasswd user. Via such a centralized database, the systems administrator can prevent passcard reuse as well as length requirements etc. From what I've such an architecture makes it easier to use one-time-passwords on an LDAP backend as well, but I haven't tried it.

otpasswd, when set to be PPP-compatible, also allows interoperability with a variety of client applications <https://www.grc.com/ppp/software.htm>.

That said, I have not studied OTPW nor the security of otpasswd closely, and would advise anybody making a choice between the two to perform their own research.

Luke Faraone
http://luke.faraone.cc