PAM_OBC: out-of-band challenge-response authentication module

paul pgsery at swcp.com
Fri Oct 24 04:25:06 UTC 2008


The pam_obc module transmits a random challenge to the user via an 
out-of-band channel. The user authenticates by correctly answering the 
challenge.

pam_obc looks to pam_obc.conf for users and their associated actions. 
When called, pam_obc tries to find the user in the configuration file. 
If the user is found, pam_obc generates a one-time password (a random 
string), pipes it to the action's standard input and then executes the 
action. The action transmits the password to the user.

For instance, put pam_obc.so in the SSH stack and add the following line 
to pam_obc.conf:

someone:/bin/mail -s 'Out-of-band challenge' someone@someplace.com

In this case, when Someone tries to authenticate via SSH, pam_obc 
generates a random string and pipes it to /bin/mail's standard input. 
The challenge is then emailed to Someone, who authenticates by proving 
knowledge of it.
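The lookup, challenge-generation and delivery flow described above, as an added Python model that is not the module's own C code: the sample pam_obc.conf contents, the ObcAuth class, its per-challenge time limit and its single-use rule are assumptions made here for illustration.

```python
import hmac
import secrets
import shlex
import subprocess
import time

# Constructed sample of pam_obc.conf contents (user:action), not a real file.
SAMPLE_CONF = """\
# comment and blank lines are ignored
someone:/bin/mail -s 'Out-of-band challenge' someone@someplace.com
"""

def parse_conf(text):
    """Map each user to its action command line, as pam_obc.conf pairs them."""
    actions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, action = line.partition(":")
        actions[user.strip()] = action.strip()
    return actions

def deliver(action, challenge):
    """Run the action with the challenge on its stdin (split as a shell would)."""
    return subprocess.run(shlex.split(action), input=challenge + "\n", text=True).returncode

class ObcAuth:
    """In-memory model of the pam_obc flow; the class and its limits are hypothetical."""
    def __init__(self, conf_text, ttl=120, now=time.time):
        self.actions = parse_conf(conf_text)
        self.ttl = ttl        # seconds a challenge stays valid (assumed limit)
        self.now = now        # injectable clock, so expiry can be tested
        self.pending = {}     # user -> (challenge, issued_at)

    def issue(self, user, run=deliver):
        action = self.actions.get(user)
        if action is None:
            return False      # user not in pam_obc.conf: nothing to send
        challenge = secrets.token_hex(8)   # the one-time password (random string)
        self.pending[user] = (challenge, self.now())
        run(action, challenge)             # transmit it over the out-of-band channel
        return True

    def verify(self, user, response):
        entry = self.pending.pop(user, None)   # single use: one answer per challenge
        if entry is None or self.now() - entry[1] > self.ttl:
            return False      # no challenge outstanding, or it is stale (assumed limit)
        return hmac.compare_digest(entry[0].encode(), response.strip().encode())
```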

A more secure pam_obc configuration would email the challenge to 
Someone's cell phone or pager. Using a cell phone, for instance, 
achieves a channel physically separate from the SSH channel. That cell 
phone or pager channel is also inexpensive and ubiquitous.

I've used pam_obc to give visitors easily managed and secure user 
accounts on my servers. I'm also working on making PAM work with the 
OpenSSH "required methods" found at: 
https://bugzilla.mindrot.org/show_bug.cgi?id=983. When that works, 
pam_obc will give OpenSSH a true, two-factor authentication mechanism 
when coupled with two required authentication methods.

You can find pam_obc at http://sourceforge.net/projects/pamobc.

I hope this is an appropriate way to release this module. Please give me 
feedback.
