Comment Re:Key AND Password (Score 2) 167
I use Mobile OTP (http://motp.sourceforge.net/) for two-factor auth at work. Once I figured out the PAM side of things, it was quite straight-forward. I installed it on my server at home as well, but I'm a little more relaxed about it -- I allow ssh from a few "trusted" boxes via ssh-keys, otherwise it requires password+OTP token authentication. Now, I just have to worry about keeping those "trusted" boxes safe. (I do have a password on the ssh keys, but wonder if I have a long-running login session with the keys installed into ssh-agent, I might be boned anyway if someone were to break in.)