I am looking for a way to use one-time passwords for jabber/XMPP (ejabberd) on FreeBSD. I do not want to use PAM (local users on the machine). Currently I use the internal authentication, and I expect that not all users of the jabber server will use OTP if available, so the problem case is not that easy (migrating existing users to a new solution can be done by changing the password myself and then telling them to change their password, but there needs to be a way to let them change the non-OTP password).
I assume that OTP is not foreseen in the XMPP protocol, so where could I ask to have something like that considered as an extension (if such a place exists at all)?
Oh, yes, sending the passwords over SSL is not an option (that is already the only way to login there). The goals are to have
- an easy-to-remember password for an OTP app on the mobile to generate the real password
- the password expires fast, so that a stolen password does not cause much harm
- not the same login password for different services (mail-pw != jabber-pw != user-pw)