I’ll be on vacation later this summer and will want to get to my home systems to check email, upload pictures and the like, but I don’t want to drag my laptop around with me (which also means carrying an international power converter suitable for extended use, and they’re bulky). My idea was to use whatever unsecured or public access terminal I can find and SSH in. Fine, except that I already don’t trust the host, so I don’t want to put my private key on it, meaning I have to use password authentication. But using SSH this way means typing my reusable password on a host I already don’t trust; anything it captures, it can replay.

Solution? Use a One-Time Password (OTP) authentication system, so that a captured password is already spent by the time anyone tries to reuse it. I read the man pages and had it set up in about sixty seconds on my *BSD systems. Works great! I can print out a list of single-use passwords and keep it in my wallet, or load an OTP client on my Palm Pilot and generate them on the fly. Cool.

My Linux host, however, is a different story. It seems that PAM (the Pluggable Authentication Modules system), SSH and challenge/response authentication don’t work together, and haven’t since at least mid-2002. First, Privilege Separation doesn’t work if PAM is used. Annoying, since having the SSH daemon drop root privileges is a good idea. There is no generally working exploit (yet) against a patched non-PrivSep sshd, but I’d rather not find out the hard way when one emerges. Second, you can only use one of challenge/response or password authentication, not both, unless you intend to use them together, i.e. you first authenticate with an OTP and then with the reusable password. That sucks.

I might use OTP with SSH to get to one of the OpenBSD hosts, put a public key for that account on the firewalled Linux box (and install keys to jump to the others, so I don’t expose passwords), but that stinks of creating a new security hole. I might just disable password authentication to the Linux box and only use OTP for the duration of my trip.
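The last option above, reusable passwords off and challenge/response left on, is only a couple of lines in sshd_config, but it is easy to get wrong because sshd honours the first occurrence of a keyword and silently ignores later duplicates. The following shell script is an added example, not code from the original post, that audits an sshd_config for exactly that setup. It assumes plain OpenSSH keyword syntax, that anything after a `Match` line is conditional (so the audit stops there), and that an absent `PasswordAuthentication` or `ChallengeResponseAuthentication` means the historical default of `yes`; the sample configs it checks are constructed for the example and are not from any real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for an
# "OTP only" setup: PasswordAuthentication no, ChallengeResponseAuthentication yes.
# Assumptions (labelled): plain OpenSSH keyword lines; sshd uses the FIRST
# occurrence of a keyword and ignores later duplicates; lines after a "Match"
# line are conditional, so the audit stops reading there.

# Print the effective value of KEYWORD ($1) in FILE ($2); empty if unset.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }                  # comment line
        NF == 0          { next }                  # blank line
        tolower($1) == "match" { exit }            # conditional section starts
        tolower($1) == key     { print $2; exit }  # first occurrence wins
    ' "$2"
}

# Exit 0 when FILE ($1) accepts only challenge/response (OTP) for
# password-style logins; otherwise print each weakness and exit 1.
audit_otp_only() {
    file=$1
    rc=0
    pw=$(sshd_effective PasswordAuthentication "$file")
    cr=$(sshd_effective ChallengeResponseAuthentication "$file")
    # Absent keyword: fall back to the historical default of "yes".
    case "${pw:-yes}" in
        no) ;;
        *)  echo "$file: PasswordAuthentication is '${pw:-yes}' (reusable password accepted)"
            rc=1 ;;
    esac
    case "${cr:-yes}" in
        yes) ;;
        *)   echo "$file: ChallengeResponseAuthentication is '$cr' (OTP login would fail)"
             rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not from any real host) to exercise the audit.
WEAK=$(mktemp)
CORRECTED=$(mktemp)
cat >"$WEAK" <<'EOF'
# reusable password still accepted: the setting the post wants turned off
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
cat >"$CORRECTED" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication yes
# the line below is ignored by sshd: the first occurrence above wins
PasswordAuthentication yes
EOF

if ! audit_otp_only "$WEAK"; then
    echo "weak config rejected"
fi
if audit_otp_only "$CORRECTED"; then
    echo "corrected config accepted"
fi
rm -f "$WEAK" "$CORRECTED"
```

Run it against the real file with `audit_otp_only /etc/ssh/sshd_config` after sourcing the functions; a non-zero exit means a reusable password is still accepted somewhere before the first `Match` block, which is exactly the case you want to catch before leaving on a trip.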