
Comment by nickdothutton

3 months ago

Had my mind drifting back to days of S/Key [1] and little scraps of paper with crossings out on them.

[1] https://en.wikipedia.org/wiki/S/KEY

It's still a very valid solution.

I used S/KEY for years when I wanted to log into a remote system from a machine I didn't control. I didn't care so much about keystrokes being intercepted; I did care about my password being intercepted. S/KEY (or OPIE, depending on system) let me log in/sudo without exposing said password. I never carried around a preprinted list of codes, rather using a generator on my PDA.

It's possible to do the same thing with `pam_google_authenticator`; that is, having that OTP be the only required password, for the same reason. Nowadays this is the easier solution to go with,[1] because there are multiple OTP generator clients on all platforms, but almost all tutorials assume the OTP is being used for 2FA and not as the only password, so some more familiarity with PAM beyond the tutorials is needed.

[1] Barring the requirement for read/write access to the secrets file, which SELinux complicates
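The hash-chain mechanism behind S/KEY that the comment relies on (the server never sees the passphrase after enrollment, and a captured one-time password cannot be replayed or rolled forward into the next one), as an added example that is not part of the original comment or of any S/KEY/OPIE implementation. It assumes SHA-256 in place of the folded MD4/MD5 real S/KEY uses, omits the six-English-word encoding of the OTP, and uses a constructed passphrase and seed:

```python
import hashlib
import hmac


def skey_hash(passphrase: str, seed: str, i: int) -> bytes:
    """Return h^i, the i-th element of the chain rooted at (seed, passphrase).

    h^0 = H(seed || passphrase), h^i = H(h^(i-1)).
    Assumption: SHA-256 stands in for the 64-bit-folded MD4/MD5 of real S/KEY.
    """
    h = hashlib.sha256((seed + passphrase).encode()).digest()
    for _ in range(i):
        h = hashlib.sha256(h).digest()
    return h


class SkeyServer:
    """Server side: keeps only the seed, the remaining count and the last accepted hash."""

    def __init__(self, seed: str, seq: int, last_hash: bytes):
        self.seed = seed
        self.seq = seq            # number of one-time passwords still usable
        self.last_hash = last_hash  # h^seq; the passphrase itself is never stored

    @classmethod
    def enroll(cls, passphrase: str, seed: str, n: int) -> "SkeyServer":
        # Enrollment is the only moment the passphrase is needed on the server side.
        return cls(seed, n, skey_hash(passphrase, seed, n))

    def challenge(self):
        """Sequence number and seed the user must feed into their generator."""
        return self.seq - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        """Accept otp only if H(otp) equals the stored hash, then step the chain back."""
        if self.seq < 1:
            return False  # chain exhausted: re-enrollment required
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), self.last_hash):
            return False
        self.last_hash = otp
        self.seq -= 1
        return True


def client_response(passphrase: str, seq: int, seed: str) -> bytes:
    """What the user's generator (PDA, phone, printed list) produces for a challenge."""
    return skey_hash(passphrase, seed, seq)


def demo() -> dict:
    passphrase = "correct horse battery staple"  # constructed secret, never sent to the server
    server = SkeyServer.enroll(passphrase, "ho12345", 5)

    seq, seed = server.challenge()
    otp = client_response(passphrase, seq, seed)  # typed on the untrusted machine
    first = server.verify(otp)

    # Attacker who logged the keystrokes replays the captured OTP.
    replay = server.verify(otp)

    # Attacker can hash the captured value forward (h^5 again) but cannot invert it to h^3.
    forged = server.verify(hashlib.sha256(otp).digest())

    # The legitimate user answers the next challenge from the same passphrase.
    seq, seed = server.challenge()
    second = server.verify(client_response(passphrase, seq, seed))

    # Drain the rest of the chain; the first attempt past the end must be refused.
    drained = True
    while server.seq > 0:
        seq, seed = server.challenge()
        drained = drained and server.verify(client_response(passphrase, seq, seed))
    exhausted = server.verify(client_response(passphrase, 0, seed))

    return {
        "first": first,
        "replay": replay,
        "forged": forged,
        "second": second,
        "drained": drained,
        "exhausted_rejected": not exhausted,
        "remaining": server.seq,
    }
```

The server-side check is the whole security argument: the stored value is one hash step ahead of what the user types, so whoever observes the typed value learns nothing usable for the next login, and the passphrase only ever exists on the generator. The same shape is what `pam_google_authenticator` replaces with a TOTP secret file, which is where the read/write and SELinux issue from the comment comes in.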