Enable One Time Password in Ubuntu 24.04 for SSH or Local Login

This tutorial shows how to enable One Time PassWord in Ubuntu 24.04 for either local or remote SSH login.

One Time PassWord, OTPW in short, is a PAM module which is useful for allowing a user to login public or shared computer/server using a single-use password, that works only for one time.

By generating a list OTPW passwords, and configuring your system to allow OTPW logins, it will ask random one of the OTPW passwords on every login. And, that password will never work again once logged in successfully with it.

Step 1: Install OTPW package

The OTPW package is available in the universe repository for all current Ubuntu releases.

To install it, open terminal (Ctrl+Alt+T) or connect to remove server and run command:

Advertisements
sudo apt install libpam-otpw otpw-bin

Here, the libpam-otpw package includes the PAM module that can enable OTPW password login. While otpw-bin offers command to generate OTPW passwords.

Step 2: Generate a list of OTPW passwords

After installing the packages above, you can now run command below to generate random passwords:

otpw-gen > ~/otpw_passwords

The command will generate a file called “otpw_passwords” in user home directory, which includes 280 random generated passwords.

And, it will ask you to set a prefix password. When login with OTPW module, you need to type this prefix password + OTPW password. So, others cannot access to your account even if you lost the password list.

At any time, you may re-run the last command to re-create the password list. Which, will override both the previous prefix and one-time passwords.

The passwords work only for the user account who generated them. For any other user, either run command su username to switch to that user and re-run the otpw-gen command, or use command below instead:

su -c "otpw-gen > ~/otpw_passwords" username

In command, replace username with the target account name.

And, here’s an example password list. For yours, either take a photo using your phone, or print it out for later use.

Step 3: Tell your system to allow OTPW password login

1. First, run the command below to create a PAM config file and edit with nano command line text editor:

sudo nano /etc/pam.d/ssh-otpw

When it opens, past the lines below, which tell to authenticate with otpw module, and permit access immediately if succeed.

auth sufficient pam_otpw.so
session optional pam_otpw.so

Finally, press Ctrl+S to save and Ctrl+X to exit.

Enable OTPW for SSH Login

2. To enable OTPW PAM module for SSH, then edit the sshd PAM config file via command:

sudo nano /etc/pam.d/sshd

When file opens, include the config you just made, by adding @include ssh-otpw. NOTE that, you need to:

  • either disable @include common-auth (add # at the beginning), so the classic static password login will NO longer work (for all users)! Be sure you have alternative authentication method in case of running out of OTPW passwords.
  • or, make sure @include common-auth is below @include ssh-otpw, or it will ask for static password first!

3. After that, also edit the SSH daemon config file by running command:

sudo nano /etc/ssh/sshd_config

When file opens, find out the lines below and set (or add lines if they NOT exist) to use PAM authentication:

UsePAM yes

KbdInteractiveAuthentication yes

Also set PasswordAuthentication no, though the static password will still work unless @include common-auth is disabled in the PAM config or KbdInteractiveAuthentication is also disabled in this sshd config.

4. When done editing the file, press Ctrl+S to save and Ctrl+X to exit. Finally, restart SSH to apply changes:

sudo systemctl daemon-reload

sudo systemctl restart ssh.socket

For old Ubuntu 22.04 and earlier, only run sudo systemctl restart ssh should work.

5. Next, you may try to start a SSH connection to this computer or server.

It should ask for password with 3 digital numbers. In the screenshot, it asked for password 004. While I set prefix password to “ade564”, and the password file shows me 004 Zh63 7Qyi. So, I need to input ade564Zh637Qyi to get pass.

NOTE: If you left @include common-auth enabled in /etc/pam.d/sshd config file, type user’s static password will also let you in!

(optional) Enable One Time Password for local desktop login

If you want to use one time password to log in Ubuntu Desktop, then, edit the common-auth PAM config file instead by running command:

sudo nano /etc/pam.d/common-auth

When file opens, add @include ssh-otpw at top and save.

Next time in the login screen, when you click the user who has generated OTPW password list, it will show you “Password XXX” asking for the corresponding OTPW password (don’t forget to add prefix password while typing).

Also, input the static user password will also let you in!

Undo:

To disable one time password, simply remove the @include ssh-otpw line from either /etc/pam.d/sshd or /etc/pam.d/common-auth file depends on which one you enabled.

Optionally, you may remove the module package to save few disk space:

sudo apt remove --autormove libpam-otpw