On Tue, Dec 29, 2009 at 12:05:20PM -0500, Luke Faraone wrote:
> Unlike OPIE, otpasswd uses modern hashing algorithms and supports offline
> / out-of-band use.
A compare/contrast with the libpam-otpw package would also be
interesting.
I might not be the best person to do this, so I've CC'd the otpasswd-talk discussion list to solicit better explanations.
otpasswd allows both the use of an optional (via ~/.otpasswd) and global policy-enforced system. In the "global" system, it would be SGID (SUID as well?) to a shared otpasswd user. Via such a centralized database, the systems administrator can prevent passcard reuse as well as length requirements etc. From what I've such an architecture makes it easier to use one-time-passwords on an LDAP backend as well, but I haven't tried it.
otpasswd, when set to be PPP-compatible, also allows interoperability with a variety of client applications.
That said, I have not studied OTPW nor the security of otpasswd closely, and would advise anybody making a choice between the two to perform their own research.