# $Id: README,v 1.3 2011/03/16 10:06:29 sthen Exp $

To use the OATH/TOTP authenticators, edit login.conf and create a
login class for the relevant users.

# The TOTP login class allows either TOTP or passwd authentication methods.
totp:\
        :auth=-totp,passwd:\
        :tc=default:

# The TOTPPW login class requires both TOTP and passwd; the user must
# supply the password in the format OTP/password, e.g. 816721/axlotl.
totppw:\
        :auth=-totp-and-pwd:\
        :tc=default:

Create a secret key and write it as a hex string in the file .totp-key
in the user's home directory, e.g.:

$ openssl rand -hex 20 > ~/.totp-key

You can either use oathtool to generate an OTP to log in:

$ oathtool --totp <secret key goes here>

Or add the secret key to another (soft/hardware) authentication token.
Some tokens (e.g. Google Authenticator) require secrets in base32 format;
you can convert them with p5-Convert-Base32:

use Convert::Base32;
my $s = pack('H*', '99d12448129d1e8192e063d64714209137a13864');
print encode_base32($s)."\n";

For the reverse conversion you may use:

use Convert::Base32;
my $s = decode_base32('thisisastupidexampleofbase32code');
print unpack('H*', $s)."\n";
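
As an added example (not part of the original README or of the authenticator's
own code), the Python below performs both conversions, computes the code that
oathtool --totp prints for a hex key, and checks a .totp-key file. The function
names, the 30-second step, the 6-digit default and the file permission check
are assumptions of this example.

```python
import base64, hashlib, hmac, os, stat, struct, time

def hex_to_base32(hex_key):
    """Hex secret (as stored in .totp-key) -> base32 for tokens that need it."""
    return base64.b32encode(bytes.fromhex(hex_key.strip())).decode("ascii")

def base32_to_hex(b32_key):
    """Reverse conversion; tolerates lower case, spaces and missing padding."""
    s = b32_key.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s).hex()

def totp(hex_key, now=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1; step and digits are assumed defaults."""
    counter = int(time.time() if now is None else now) // step
    key = bytes.fromhex(hex_key.strip())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def key_file_problems(path):
    """Findings for a key file; an empty list means nothing was flagged."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                              # any group/other bit set
        problems.append("mode %04o exposes the secret to other users" % mode)
    with open(path) as f:
        text = f.read()
    try:
        key = bytes.fromhex(text)
    except ValueError:
        return problems + ["content is not a hex string"]
    if len(key) < 16:                             # RFC 4226 minimum: 128 bits
        problems.append("secret is only %d bytes" % len(key))
    return problems

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, not a real key.
    sample = "3132333435363738393031323334353637383930"
    print("base32:", hex_to_base32(sample))
    print("code now:", totp(sample))
    path = os.path.expanduser("~/.totp-key")
    if os.path.exists(path):
        for p in key_file_problems(path):
            print("warning:", p)
```

Comparing totp() output with the token's display confirms the base32 secret was
entered correctly before the login class is switched over.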

HOTP authenticators are a work-in-progress.
