Go to main content

man pages section 1M: System Administration Commands

Exit Print View

Updated: July 2017

otpadm (1M)


otpadm - Manage One-Time Password Authentication


otpadm [-u user] subcommand [subcommand-options]
otpadm [-u user] set <attribute[=value]> [<attribute>[=value]] ...
otpadm [-u user] get [attribute1] [attribute2] ...
otpadm [-u user] generate <attribute[=value]> [<attribute>[value]] ...
otpadm [-u user] expunge


The otpadm utility is used to display, configure and manage one-time password (OTP) based authentication. The OTP schemes based on IETF RFCs 4226 and 6238 are supported. It can also be used by an authorized administrator to manage the OTP configuration for any user.


The following option is supported:

–u user

Configures OTP for the specified user

Sub Commands

The following subcommands are supported:

set <attribute[=value]> [<attribute>[=value]] ...

The set subcommand is used to set/modify/reset the per-user OTP attributes. If the attribute value is present in the argument, the attribute is set to this new value. If the attribute value is omitted, that attribute gets reset to the default. For more information, see the OTP 'Attributes' section

Setting the secret attribute without a value securely generates a new, random secret. If the value to the secret attribute is a file path (secret=<file>), it is set to the value present in the file

get [attribute1] [attribute2] ...

The get subcommand is used to display the current value of the per-user OTP attributes. If no attributes are specified, it prints all the attributes relevant to the current mode (timer or counter) except secret

The value of the secret attribute can be requested by getting secret. The secret is printed in base32 encoding

generate <attribute[=value]> [<attribute>[value]] ...

The generate subcommand is used to generate the current OTP auth code. The attribute/value arguments temporarily override existing user configuration. It can be used to generate an auth code for a different secret provided through a file using secret=<file> syntax similar to the set subcommand


The expunge subcommand deletes and resets the OTP state for the specified user. If no user is specified, it expunges for the current user. This implicitly resets all configuration parameters to the defaults and destroys the shared secret. Users may not expunge OTP configuration, if doing so would prevent future authentication


The following attributes are supported:


The current mode of OTP auth code generation algorithm. It can be either counter or timer. The counter mode indicates that an incrementing counter is used to generate the code (see RFC 4226) and timer mode indicates that the code gets generated based on the current timestamp (see RFC 6238). The default value is timer


The hmac-sha algorithm in use to generate the OTP auth code. It can be hmac-sha1, hmac-sha256 or hmac-sha512. The default is hmac-sha1


The number of digits in an authentication code. The default and minimum value is 6. It must be in the inclusive range of 6 to 10


The current value of the HOTP counter to be used for code generation. Setting a new HOTP secret resets the counter. The counter value may be initialized when the secret is set by setting this property. The value of hotp-counter may not be modified except when a new secret is set


The number of seconds to add to current Unix time when generating the authentication codes. It gets adjusted automatically to account for the clock drift over time. This is enabled only when totp-resync-window is 2 or greater. The default value is 15 seconds


The time of the last successful timer based authentication. This is a read-only attribute


The secret key shared between the protected system and the auth code generating device


The length of the secret key shared


A constant value OTP code used to verify correct entry of the secret values into the authentication device. This is a read-only attribute


The following authorizations control which otpadm subcommands a user may execute on behalf of others.


Allows configuration of the OTP for all users on the system

It is required for:

  • otpadm –u <user> set

  • otpadm –u <user> get

  • otpadm –u <user> expunge


Allows reading of all the OTP secrets

It is required for:

  • otpadm –u <user> set secret=<file>

  • otpadm –u <user> get secret

  • otpadm –u <user> generate

A profile, "OTP Auth Manage All Users", is shipped with the system to facilitate granting administrative authorizations.

It should be noted that otpadm generate will also succeed if the user has read-access to the secret file in question. Authorization is only required to access a user's protected OTP secret, that is, the file maintained by otpadm for system access. Alternatively, the secret for otpadm generate may be read from any file to which the user has access.


Per-user configuration is stored under /var/share/user/$user/otp file. The contents of this directory include the user's shared secret. The exact location, format and contents of this directory may change in the future and should not be relied upon.

Exit Status






The generate subcommand is Volatile, intended for testing only. All other subcommands are Committed.

See Also

auth_attr(4), prof_attr(4), pam_otp_auth(5)