Not exactly what you're looking for, but I've seen OTPW used for these scenarios. It's a complete package that integrates with a Linux system via PAM modules.
Excerpt:
The OTPW package consists of the one-time-password generator otpw-gen plus two verification routines otpw_prepare() and otpw_verify() that can easily be added to programs such as login or ftpd on POSIX systems. For platforms that support the Pluggable Authentication Method (PAM) interface, a suitable wrapper is included as well. Login software extended this way will allow reasonably secure user authentication over insecure network lines. The user carries a password list on paper. The scheme is designed to be robust against theft of the paper list and race-for-the-last-letter attacks. Cryptographic hash values of the one-time passwords are stored for verification in the user’s home directory.
In your case, you'll want to follow the instructions on that page detailing the PAM installation.
Excerpt:
If your system supports Pluggable Authentication Modules [Mor01,XSSO], then simply compile the shared library pam_otpw.so and copy it to the directory in which other PAM modules reside (under Linux usually /lib/security/). Then edit the PAM configuration file for the application in which you want to use OTPW, as described in your PAM System Administrators’ Guide. The pam_otpw.so provides both an authentication and a session component. The authentication component asks for and verifies a one-time password, the session component prints after each successful login a reminder on how many unused passwords you have left.

To use both components when login into your system via Secure Shell, you might have to add in /etc/pam.d/sshd the lines

    auth required pam_otpw.so
    session optional pam_otpw.so

With OpenSSH 3.4 for example, you need to make sure that your version has PAM support compiled in, and you will have to add in /etc/ssh/sshd_config the lines

    UsePrivilegeSeparation no
    PAMAuthenticationViaKbdInt yes

To force OpenSSH to use PAM authentication (instead of its own hostbased or publickey methods, which it normally tries first), use “ssh -o PreferredAuthentications=keyboard-interactive”.
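As an added example (not part of the answer above or of the OTPW package), this Python sketch checks that a PAM service file and an sshd_config carry the lines the excerpt gives for OpenSSH 3.4. The function names and the sample file contents are assumptions constructed for illustration; only whitespace-separated sshd_config lines are handled.

```python
import re

# Constructed sample contents (not from a real host), using the lines the excerpt gives.
SAMPLE_PAM_SSHD = """\
# /etc/pam.d/sshd (constructed sample)
auth       required   pam_otpw.so
account    required   pam_unix.so
session    optional   pam_otpw.so
"""
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
UsePrivilegeSeparation no
PAMAuthenticationViaKbdInt yes
pamauthenticationviakbdint no
"""

def pam_entries(text):
    """Yield (type, control, module) for each rule in a /etc/pam.d/<service> file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        # type, then a plain or [bracketed] control, then the module path
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3).rsplit("/", 1)[-1]

def sshd_options(text):
    """Return keyword -> value; keywords are case-insensitive and the first value wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def check_otpw(pam_text, sshd_text):
    """Return a list of findings; empty means the excerpt's settings are all present."""
    findings = []
    rules = list(pam_entries(pam_text))
    for wanted in ("auth", "session"):
        if not any(t == wanted and mod == "pam_otpw.so" for t, _, mod in rules):
            findings.append(f"pam: no {wanted} rule for pam_otpw.so")
    opts = sshd_options(sshd_text)
    for key, want in (("UsePrivilegeSeparation", "no"), ("PAMAuthenticationViaKbdInt", "yes")):
        got = opts.get(key.lower())
        if got is None or got.lower() != want:
            findings.append(f"sshd_config: {key} is {got!r}, excerpt expects {want!r}")
    return findings

if __name__ == "__main__":
    print(check_otpw(SAMPLE_PAM_SSHD, SAMPLE_SSHD_CONFIG) or "all settings from the excerpt present")
```

Because sshd uses the first value it reads for a keyword, the later lowercase `pamauthenticationviakbdint no` in the sample does not override the earlier `yes`.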