Arch Linux User Repository

This is is a tool that "deals" with security and PAM modules, https://en.wikipedia.org/wiki/OTPW

I cant find anything on the Internet about it "fresher" than 2014.

pacman -Ql otpw

otpw /usr/bin/otpw-gen
otpw /usr/lib/security/pam_otpw.so
otpw /usr/share/licenses/otpw/LICENSE

file /usr/bin/otpw-gen

/usr/bin/otpw-gen: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=15f81044d1daeaf395260371fa2db48331135c7f, for GNU/Linux 4.4.0, stripped

It should be the target of rigorous scrutiny.

I personally dont have the knowlegde and deep understanding to do that scrutiny.

Should anyonoe be interested in adopting this PKGBUILD, consider that https://www.cl.cam.ac.uk/~mgk25/otpw.html says,

Latest release: Version 1.5, 2014-08-07

Even the github repo, https://github.com/mgkuhn/otpw, has not seen activity in 10 years,

dea5e56  9Y Markus Kuhn o [master] {origin/master} {origin/HEAD} adding .
f68287e 10Y Markus Kuhn o otpw-gen.c: entropy_cmds changed to avoid error
bcd82c7 10Y Markus Kuhn o <v1.5> fixed segfault of “otpw-gen -h”
c3b6b78 10Y Markus Kuhn o version bumped to 1.5

Even his other projects github activity seems to stop in 2020, https://github.com/mgkuhn.

The Archwiki page , https://wiki.archlinux.org/title/One_Time_PassWord ,

Installation

Install the otpw^AUR package.

That Archwiki page was last updated in 2023.

There is no talk there about this being a 10 year old tool, https://wiki.archlinux.org/index.php?title=Talk:One_Time_PassWord&action=edit&redlink=1

That leaves us with interesting questions.

Is that Arch wiki page information still valid and up to date ?

Who can guarantee that this "otpw" tool after 10 years without updates still is a valid tool ?

Maybe this PKGBUILD should be simply removed from the AUR ?

Until someone the proper knowledge can validate all this ?

And crystal clearly documents these caveats on the Archwiki page ?

Generating random seed ...
sh: line 1: netstat: command not found

This PKGBUILD is broken. It is missing one dependency.

The tool otpw depends on the command "netstat" on its source code.

$ grep -C 3 netstat otpw-gen.c

  "ls -lu /etc/. /tmp/. / /usr/. /bin/. /usr/bin/.",
  "PATH=/usr/ucb:/bin:/usr/bin;ps lax",
  "last | head -50",
  "uptime;netstat -n;hostname;date;w",
  "cd $HOME; cat .pgp/randseed.bin .ssh/random_seed .otpw 2>&1"
  /* too slow: "PATH=/usr/bin/X11/;xwd -root -silent 2>&1||xwd -root 2>&1" */
};

Provided in Arch by

pacman -F /usr/bin/netstat

usr/bin/netstat is owned by core/net-tools 2.10-3

core/net-tools 2.10-3
    usr/bin/netstat

This should be updated

10 depends=('pam')

8  url="http://www.cl.cam.ac.uk/~mgk25/otpw.html"
11 source=("http://www.cl.cam.ac.uk/~mgk25/download/$pkgname-$pkgver.tar.gz"

http://www.cl.cam.ac.uk/~mgk25/download/otpw-1.5.tar.gz

$ curl -IL http://www.cl.cam.ac.uk/~mgk25/otpw.html

HTTP/1.1 302 Found Location: https://www.cl.cam.ac.uk/~mgk25/otpw.html HTTP/1.1 200 OK

$ curl -IL https://www.cl.cam.ac.uk/~mgk25/download/otpw-1.5.tar.gz

HTTP/1.1 200 OK

Should use https, not http.

Hhmmm, PKGBUILD was last updated 2 years ago. Strange .... Anyway lets try it.

pacman -Ql otpw

otpw /usr/
otpw /usr/bin/
otpw /usr/bin/otpw-gen
otpw /usr/lib/
otpw /usr/lib/security/
otpw /usr/lib/security/pam_otpw.so
otpw /usr/share/
otpw /usr/share/licenses/
otpw /usr/share/licenses/otpw/
otpw /usr/share/licenses/otpw/LICENSE

Got this little annoying error

   $ otpw-gen

Generating random seed ...
sh: line 1: netstat: command not found

Not sure if it's caused by this PKGBUILD, of if it's just the software that is too old and apparently not maintained ?, at its homepage, https://www.cl.cam.ac.uk/~mgk25/otpw.html

Latest release: Version 1.5, 2014-08-07

pacman -F netstat

core/net-tools 2.10-1
    usr/bin/netstat
community/munin-node 2.0.69-1
    usr/lib/munin/plugins/netstat

pacman -Fl net-tools

...
net-tools usr/bin/arp
net-tools usr/bin/ifconfig
net-tools usr/bin/ipmaddr
net-tools usr/bin/iptunnel
net-tools usr/bin/mii-tool
net-tools usr/bin/nameif
net-tools usr/bin/netstat

I wanted to try this setup. Apparently the Archwiki page, https://wiki.archlinux.org/title/OTPW seems maintained and updated.

I'm also not going to install net-tools, as it is an old and deprecated set of tools.

Is there any other tool or instructions for this "otpw" setup in Arch ? Anyone has any comments and recentt practical feedback experience on this ?

I'm actually not even interested in the SSH part. Just wanted to test OTP for local logins.

Got this error:

Aug 23 12:58:59 alarmpi sshd[6696]: Connection closed by authenticating user user 10.8.0.10 port 45752 [preauth]
Aug 23 12:59:20 alarmpi sshd[6949]: PAM unable to dlopen(/usr/lib/security/pam_otpw.so): /usr/lib/security/pam_otpw.so: undefined symbol: __aeabi_uidivmod
Aug 23 12:59:20 alarmpi sshd[6949]: PAM adding faulty module: /usr/lib/security/pam_otpw.so
Aug 23 12:59:27 alarmpi sshd[6949]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.10  user=lenni
Aug 23 12:59:27 alarmpi sshd[6949]: pam_systemd_home(sshd:auth): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
Aug 23 12:59:28 alarmpi sshd[6949]: Failed password for user from 10.8.0.10 port 45754 ssh2
Aug 23 12:59:34 alarmpi sshd[6949]: Connection closed by authenticating user user 10.8.0.10 port 45754 [preauth]
Aug 23 13:00:15 alarmpi sshd[7283]: PAM unable to dlopen(/usr/lib/security/pam_otpw.so): /usr/lib/security/pam_otpw.so: undefined symbol: __aeabi_uidivmod
Aug 23 13:00:15 alarmpi sshd[7283]: PAM adding faulty module: /usr/lib/security/pam_otpw.so
Aug 23 13:00:20 alarmpi sshd[7283]: Failed password for user from 192.168.0.166 port 50276 ssh2

This is on armv7h

Successfully built & used on armv7h, you can add that to the supported architectures