When you are not in your secure hacklab, and you login on your Debian systems (laptop, remote server), it’s not secure to enter your very private password (“please, could you see ceiling” is not a secure way).
Then you could use OTP (One Time Password) way.
On Debian system, do this :
# (apt-get|aptitude) install opie-server
Add pam_opie.so in your PAM info. For example, in pam.d/ssh (or pam.d/common-auth for all your pam.d/foo), modify to have :
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
Your systeam is now ready for OTP.
To use it, log you and :
$ opiepasswd -f -c
(You must choose a secret pass phrase to generate your OTP)
Generate 10 passwords for example :
$ opiekey -n 10 497 ab1234
(Enter your secret pass phrase)
In this example, 497 is your current seq number and ab1234 is your seed. You could known them with opieinfo command (only if /etc/opiekeys is chmod 644).
Print your 10 passwords (with your printer or you hand if you are paranoiac) and you could use them. For example, OTP login :
homer login : jdoe
Password : [enter]
otp-md5 497 ab1234 ext, Response : [enter your OTP number 497][enter]
Welcome !!
jdoe@homer:~$