one time passwords

[Wayne]

"Michael Vilain " wrote:

>>>>how do i set up one time passwords for logins in solaris 8?
>>>
>>>I don't think you can. Closest I imaging is setting the account to
>>>expire within a certain time period. They can login as many times as
>>>they want until it expires. Don't know if they can still get in via ftp
>>>if the account is expired as I never tried it.

>>...
>> With local files, could probably add a script, invoked by
>> default login or such that grabs the line out of the
>> shadow file and stomps on the password with something
>> like "BeenHereOnce".

> ...
> That script would have to run as root. I can see this working for local
> files (good idea, btw!) but would be much harder on NIS or NIS+.
>
> What about putting an expect script that changes the password via passwd
> in the .login or .profile, leaving a $HOME/.BeenHereOnce file or
> something. You could run the expect script in such a way as to capture
> or throw away it's output. It would change the password to something
> random or unknown to the user, thereby locking them out.

Could this also be done with a custom PAM module, that locks
an account after the first use?

-Wayne