Real one-time passwords (OTP) on Linux other than S/Key? [closed]
Surely it is not a good idea to log into a remote system from an untrusted computer. But sometimes it is simply necessary. Exposing an unencrypted SSH key file is not an option, of course. Entering a regular password is not one either.
S/Key seems to be the "usual" solution, but it requires strictly following the order of passwords on a list. This is undesirable for shared accounts, as all parties would need to synchronize their use of the list.
Any way to make OTPs with no requirements regarding order of usage? Other ideas?
Background: Two admins share an account. Another one should be given an "emergency envelope" that is sealed and contains information for that account. Breaking the seal is allowed only in case the other admins are unavailable.
We use OTPW for this. Simple implementation. Easy to replicate the password list. The system requests passwords by number, so there are no problems trying to keep the lists in sync.
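The property the answer relies on, as an added illustration that is not part of the original post and not OTPW's own code: the server keeps only salted hashes of the numbered passwords, picks an unused number itself at login time, and burns that number once it has been answered correctly. Because the number is chosen server-side, two admins holding identical copies of the printed list never need to agree on which entry to use next. The hash construction, list size and `OtpStore` layout below are simplifications chosen for this example (real OTPW also requires a memorised prefix password in front of each list entry and keeps its hashes in `~/.otpw`).

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Character set for the printed one-time passwords (constructed for this example).
ALPHABET = string.ascii_letters + string.digits


@dataclass
class OtpStore:
    """Server-side state: one salt, one digest per list entry, and the set of spent entries."""
    salt: bytes
    digests: dict            # index -> SHA-256(salt || password)
    used: set = field(default_factory=set)


def _digest(salt: bytes, password: str) -> bytes:
    # Hash the password together with the per-list salt so the stored file is
    # useless on its own; the plaintext list only ever exists on paper.
    return hashlib.sha256(salt + password.encode()).digest()


def generate_list(count: int = 10, length: int = 8):
    """Create a numbered password list (to be printed and sealed) plus the server store."""
    salt = secrets.token_bytes(16)
    passwords = {
        i: "".join(secrets.choice(ALPHABET) for _ in range(length))
        for i in range(1, count + 1)
    }
    store = OtpStore(salt=salt, digests={i: _digest(salt, p) for i, p in passwords.items()})
    return passwords, store


def challenge(store: OtpStore) -> int:
    """Pick the entry the user must answer; the server, not the user, decides the number."""
    unused = [i for i in store.digests if i not in store.used]
    if not unused:
        raise RuntimeError("password list exhausted; generate and distribute a new list")
    return secrets.choice(unused)


def verify(store: OtpStore, index: int, password: str) -> bool:
    """Check the answer to a challenge; a correct answer spends the entry forever."""
    if index not in store.digests or index in store.used:
        return False                      # unknown number or replay of a spent entry
    ok = hmac.compare_digest(store.digests[index], _digest(store.salt, password))
    if ok:
        store.used.add(index)             # burn the entry even if the list is copied
    return ok


if __name__ == "__main__":
    printed_list, server_store = generate_list(count=5)
    n = challenge(server_store)
    print(f"server asks for password #{n}")
    print("first attempt accepted:", verify(server_store, n, printed_list[n]))
    print("replay of same entry accepted:", verify(server_store, n, printed_list[n]))
```

Note that `verify` rejects a spent number before doing any hashing, which is what makes a second copy of the list (or a shoulder-surfed entry) harmless once that entry has been used; the remaining risk is that an entry is observed before it is used, which is why the real scheme adds a memorised prefix.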
S/Key is ideal for this scenario, but you need to do a little more work.
Create special accounts for each emergency envelope. Those accounts are added to sudoers and can assume root. That gives you the audit trail that you should have (one account per envelope, one envelope per user) and the flexibility that you need.
After an emergency, the admin has to bring back the envelope for the next password, which gives you the audit trail.