OpenSSH with PAM

Install dependencies

To use OpenSSH with PAM, OpenSSH must be installed and linked against PAM. Most distributions configure OpenSSH this way. PAM needs to be extended with the pam_ocra plugin. If your distribution does not ship a package, build it from source using the pam_ocra_portable source code on GitHub.

Setup environment

pam_ocra_portable comes with the binary ocra_tool that is used to provision the configuration. 

ocra_tool init -f /home/USER/.ocra \
-s OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 \
-k 00112233445566778899aabbccddeeff00112233 \
-c 1 -w 50 -p 1234 -q 4567

The parameters for the init action are described in more detail in the man page.

ocra_tool init -k key -s suite_string
          [-c counter] [-p pin | -P pin_hash]
          [-q kill_pin | -Q kill_pin_hash]
          [-w counter_window] [-t timestamp_offset]
          [-u user_name]
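
The suite string given to ocra_tool init determines how a response is derived from the key, counter, challenge and PIN. The following Python code is an added example, not code from pam_ocra_portable: it computes the RFC 6287 response for suites of this shape, using the suite and key from the init command above. The verify function is a simplified model of a counter window (the -w option) and is an assumption, not the module's implementation; the challenge value is constructed.

```python
import hashlib
import hmac
import struct

def ocra(suite, key_hex, challenge, counter=None, pin=None):
    """Compute an RFC 6287 OCRA response for suites using C, QNxx and Pxxx inputs."""
    _, crypto, data_input = suite.split(":")      # e.g. HOTP-SHA1-6 and C-QN08-PSHA1
    _, hash_name, digits = crypto.split("-")
    msg = suite.encode("ascii") + b"\x00"         # suite string, then a 0x00 separator
    for field in data_input.split("-"):
        if field == "C":                          # 8-byte big-endian counter
            msg += struct.pack(">Q", counter)
        elif field.startswith("QN"):              # numeric challenge: decimal -> hex,
            q_hex = format(int(challenge), "x")   # right-padded with zeros to 128 bytes
            msg += bytes.fromhex(q_hex.ljust(256, "0"))
        elif field.startswith("P"):               # hash of the PIN, e.g. PSHA1
            msg += hashlib.new(field[1:].lower(), pin.encode()).digest()
        else:
            raise ValueError("unsupported data input: " + field)
    mac = hmac.new(bytes.fromhex(key_hex), msg, hash_name.lower()).digest()
    offset = mac[-1] & 0x0F                       # HOTP-style dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** int(digits)).zfill(int(digits))

def verify(suite, key_hex, challenge, response, counter, window, pin):
    """Accept a response for any counter in [counter, counter + window].

    Simplified model of a counter window (assumption, not pam_ocra's code).
    Returns the next counter to store, or None if nothing matched."""
    for c in range(counter, counter + window + 1):
        expected = ocra(suite, key_hex, challenge, counter=c, pin=pin)
        if hmac.compare_digest(expected, response):
            return c + 1
    return None

# Suite and key taken from the ocra_tool init example on this page
SUITE = "OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1"
KEY = "00112233445566778899aabbccddeeff00112233"

if __name__ == "__main__":
    challenge = "12345678"                        # constructed sample challenge
    # The card has been used twice without logging in, so it is at counter 3
    card = ocra(SUITE, KEY, challenge, counter=3, pin="1234")
    print("card response:", card)
    print("next counter :", verify(SUITE, KEY, challenge, card, 1, 50, "1234"))
```

A response computed with a counter beyond the window is rejected in this model, which is the situation the sync action below is meant to repair.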

Sync the card counter

ocra_tool sync -f /home/USER/.ocra \
          -c 12345678 -r 000000 -v 111111

The parameters for the sync action are described in more detail in the man page.

ocra_tool sync [-u user_name]
          -c challenge
          -r response -v second_response

Configure PAM

Remove the pam_unix auth method from /etc/pam.d/sshd (or its includes) and ensure /etc/pam.d/sshd has the line:

auth required /usr/local/lib/

Configure SSH

Modify sshd config:

ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam

The ',' for the AuthenticationMethods property means that both methods are required.

Restart SSH after the configuration has been modified.


  • Connect to service
    • See an 8-digit challenge as prompt
  • Enter challenge in OTP card
  • Enter PIN in OTP card
  • Enter response of OTP card in ssh prompt
    • Verify the user logged in
  • Test with invalid responses
    • Verify the user login is denied


When the challenge is not displayed, check that the PAM module is loaded and what other "auth required" statements are configured. Depending on your distribution other methods need to be disabled or reordered.

When the default username and password prompt is not displayed after wrong response inputs, the AuthenticationMethods setting in the sshd config needs to be checked.