Greg Hewgill's questions

I have a FreeBSD server that I like to be able to get to from anywhere. Normally I use SSH publickey to log in, or if I don't have my SSH private key available then I might use regular password over SSH. However, when logging in from an untrusted machine there's always the risk of a keylogger capturing my login password as I type it.

FreeBSD already has support for OPIE which is a one-time password scheme. This works great, but the one-time password is the only authentication needed. If I print out a list of one-time passwords to use later, then if I lose that list then that's all somebody needs.

I'd like to set up the authentication so that I need a one-time password plus something I know (a password, except not my usual login password). I have a feeling the answer has something to do with PAM (and /etc/pam.d/sshd) but I'm not certain on the details.

How can I set up authentication where two methods are required?

I've got a Linux server (Red Hat Enterprise Linux AS release 4) that is running nfsd. Is there a way to find out which file(s) are currently in use on the server?

Occasionally the server CPU usage spikes to over 100% and the only thing using a nontrivial amount of CPU time is nfsd. I'm curious to find out what is causing that activity.