[Beowulf] One time passwords and two factor authentication for a HPC setup (might be offtopic? )

[Rahul Nabar]

In all the tiny clusters I've managed so far I've had primitive (I
think) access control by strong [sic] passwords. How practical is it
for a small HPC setup to think about rolling out a two-factor,
one-time-password system?

[I apologize if this might be somewhat offtopic for HPC;it could be
termed a generic Linux logon problem but I couldn't find many leads in
my typical linux.misc group.]

I've used RSA type cards in the past for accessing larger
supercomputing environments and they seem fairly secure but I suspect
that kind of setup is too large (expensive, proprietary, complicated)
for us. Are there any good open source alternatives? The actual
time-seeded random-number generation key fobs seem pretty cheap (less
than $20 a piece e.g. http://www.yubico.com/products/yubikey/ ). So
the hardware is OK  but I still need the backend software to tie it in
to /etc/passwd or PAM or some such mechanism. The software I found was
either Win-based or catered to apache or email etc. I did find VASCO
and CryptoCard but am not sure they are the right fit.

I looked around at open source but couldn't find much. Are other
sys-admins using some form of OTP. What options do I have?

Of course, I know that OTP and two-factor is not some magic bullet
that makes my  security watertight; but I still think its more secure
than static user passwords.

-- 
Rahul