OpenSSH with PAM
To use OpenSSH with PAM, have OpenSSH installed and linked against PAM. Most distributions configure OpenSSH this way. PAM then needs to be extended with the pam_ocra plugin. As long as your distribution does not ship a package, build it from source using the GitHub pam_ocra_portable source code.
pam_ocra_portable comes with the ocra_tool binary, which is used to provision the per-user configuration.
ocra_tool init -f /home/USER/.ocra \
-s OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 \
-k 00112233445566778899aabbccddeeff00112233 \
-c 1 -w 50 -p 1234 -q 4567
The parameters for the init action are described in more detail in the man page.
ocra_tool init -k key -s suite_string [-c counter] [-p pin | -P pin_hash] [-q kill_pin | -Q kill_pin_hash] [-w counter_window] [-t timestamp_offset] [-u user_name]
Sync the card counter
ocra_tool sync -f /home/USER/.ocra \
-c 12345678 -r 000000 -v 111111
The parameters for the sync action are described in more detail in the man page.
ocra_tool sync [-u user_name] -c challenge -r response -v second_response
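To make concrete what the OTP card computes from the challenge, the PIN and the counter, and what the counter window (-w) of the init action and the sync action mean on the server side, here is an added Python example of the OCRA computation from RFC 6287. It is not pam_ocra or ocra_tool code: the suite string, key and PIN in the demo are the init values from this page, the challenge 12345678 is constructed, and verify_with_window and resync_counter are hypothetical helpers that model the window and sync behaviour rather than ocra_tool's internals. Only the C, Q and P data-input parts are handled (no session or timestamp inputs).

```python
"""OCRA (RFC 6287) response computation, plus a server-side counter-window
check and counter resynchronisation. Added example, not pam_ocra code."""
import hashlib
import hmac


def ocra_response(suite, key, challenge, counter=None, pin=None):
    """Compute the OCRA response for one challenge.

    suite     -- e.g. "OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1"
    key       -- shared secret as raw bytes (ocra_tool's -k value, hex-decoded)
    challenge -- challenge as shown to the user (decimal digits for QN)
    counter   -- event counter, required when the suite contains 'C'
    pin       -- PIN string, required when the suite contains 'P<hash>'
    """
    _, crypto, data_input = suite.split(":")
    _, hash_name, digits = crypto.split("-")       # "HOTP", "SHA1", "6"
    parts = data_input.split("-")                  # ["C", "QN08", "PSHA1"]
    if any(p.startswith(("S", "T")) for p in parts):
        raise ValueError("session/timestamp inputs are not handled here")

    # DataInput = OCRASuite | 0x00 | C | Q | P   (RFC 6287, section 5.1)
    msg = suite.encode("ascii") + b"\x00"
    if "C" in parts:
        if counter is None:
            raise ValueError("suite requires a counter")
        msg += counter.to_bytes(8, "big")          # 8-byte unsigned big-endian
    q_spec = next(p for p in parts if p.startswith("Q"))
    if q_spec[1] == "N":                           # numeric challenge -> hex of the number
        q_hex = format(int(challenge, 10), "X")
    elif q_spec[1] == "A":                         # alphanumeric challenge -> ASCII bytes
        q_hex = challenge.encode("ascii").hex()
    else:                                          # hexadecimal challenge as given
        q_hex = challenge
    msg += bytes.fromhex(q_hex.ljust(256, "0"))   # Q is always 128 bytes, right-padded
    p_spec = [p for p in parts if p.startswith("P")]
    if p_spec:
        if pin is None:
            raise ValueError("suite requires a PIN")
        pin_hash = p_spec[0][1:].lower()           # "SHA1" -> "sha1"
        msg += hashlib.new(pin_hash, pin.encode("utf-8")).digest()

    mac = hmac.new(key, msg, hash_name.lower()).digest()
    offset = mac[-1] & 0x0F                        # HOTP dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** int(digits)).zfill(int(digits))


def verify_with_window(suite, key, counter, window, challenge, pin, response):
    """Server-side check modelling a counter window (ocra_tool's -w): the card may
    have advanced its counter without the server noticing, so a response computed
    with any counter in [counter, counter + window] is accepted. Returns the
    counter that matched (the server then stores counter + 1) or None."""
    for c in range(counter, counter + window + 1):
        expected = ocra_response(suite, key, challenge, counter=c, pin=pin)
        if hmac.compare_digest(expected, response):
            return c
    return None


def resync_counter(suite, key, challenge, pin, response, second_response, search_limit=10000):
    """Resynchronisation in the spirit of 'ocra_tool sync -c -r -v': given one
    challenge and two consecutive card responses, find the counter at which both
    line up and return the next counter the server should expect, or None."""
    for c in range(search_limit):
        first = ocra_response(suite, key, challenge, counter=c, pin=pin)
        second = ocra_response(suite, key, challenge, counter=c + 1, pin=pin)
        if hmac.compare_digest(first, response) and hmac.compare_digest(second, second_response):
            return c + 2
    return None


if __name__ == "__main__":
    # Suite, key and PIN from the ocra_tool init example on this page; the
    # challenge is a constructed sample.
    suite = "OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1"
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
    print("response for counter 1:", ocra_response(suite, key, "12345678", counter=1, pin="1234"))
```

The two RFC 6287 test vectors (key "12345678901234567890" with OCRA-1:HOTP-SHA1-6:QN08, and the 32-byte key with OCRA-1:HOTP-SHA256-8:C-QN08-PSHA1 and PIN 1234) are a quick way to confirm an implementation before trusting it with a real card.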
Remove the pam_unix auth method from /etc/pam.d/sshd (or its includes) and ensure /etc/pam.d/sshd has the line:
auth required /usr/local/lib/pam_ocra.so
Modify the sshd config:
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
The ',' in the AuthenticationMethods value means that both listed methods are required, not that either one suffices.
Restart SSH after the configuration has been modified.
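A check for the two configuration files above, as an added Python example that is not part of pam_ocra or OpenSSH. It models two sshd_config rules that often explain a setting that "does not take effect": keywords are case-insensitive, the first occurrence of a keyword wins, and anything after the first Match line is conditional and so is ignored for the global value. For the PAM file it lists the auth lines, flags pam_unix.so still in the auth stack, and points at include/substack/@include lines that must be inspected separately. The sample configs are constructed; effective_sshd_options, sshd_problems and pam_auth_problems are hypothetical names.

```python
"""Check sshd_config and /etc/pam.d/sshd for the settings this page asks for.
Added example, not pam_ocra or OpenSSH code."""
import re

# Effective values this page requires (keywords compared case-insensitively)
REQUIRED_SSHD = {
    "passwordauthentication": "no",
    "authenticationmethods": "publickey,keyboard-interactive:pam",
}

# 'auth <control> <module> [args]'; control may be a bracketed [ ... ] spec
AUTH_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", re.IGNORECASE)


def effective_sshd_options(text):
    """Return {keyword_lower: value} for the global section of an sshd_config:
    first occurrence wins, parsing stops at the first 'Match' line."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$", line)   # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def sshd_problems(text):
    """List the required sshd settings that are missing or have another value."""
    opts = effective_sshd_options(text)
    problems = []
    for key, want in REQUIRED_SSHD.items():
        got = opts.get(key)
        if got is None:
            problems.append(f"{key}: not set in the global section")
        elif got.lower() != want:
            problems.append(f"{key}: effective value is '{got}', want '{want}'")
    return problems


def pam_auth_problems(text, module="pam_ocra.so"):
    """Inspect the 'auth' stack of a pam.d service file."""
    auth, problems = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "@include" and len(fields) > 1:
            problems.append(f"included file '{fields[1]}' must be checked for pam_unix auth lines")
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        control, mod = m.group(1), m.group(2)
        if control in ("include", "substack"):
            problems.append(f"included file '{mod}' must be checked for pam_unix auth lines")
            continue
        auth.append((control, mod))
    if not any(control == "required" and mod.endswith(module) for control, mod in auth):
        problems.append(f"no 'auth required ... {module}' line")
    for control, mod in auth:
        if mod.endswith("pam_unix.so"):
            problems.append(f"pam_unix.so still in the auth stack (control '{control}')")
    return problems


# Constructed sample configurations
GOOD_SSHD = "PasswordAuthentication no\nAuthenticationMethods publickey,keyboard-interactive:pam\n"
BAD_SSHD = ("PasswordAuthentication yes\n"
            "PasswordAuthentication no\n"              # ignored: first occurrence wins
            "Match User admin\n"
            "    AuthenticationMethods publickey,keyboard-interactive:pam\n")  # conditional only
GOOD_PAM = "auth required /usr/local/lib/pam_ocra.so\naccount required pam_unix.so\n"
BAD_PAM = ("auth [success=1 default=ignore] pam_unix.so nullok\n"
           "auth required /usr/local/lib/pam_ocra.so\n"
           "@include common-auth\n")

if __name__ == "__main__":
    for name, text, check in [("good sshd", GOOD_SSHD, sshd_problems), ("bad sshd", BAD_SSHD, sshd_problems),
                              ("good pam", GOOD_PAM, pam_auth_problems), ("bad pam", BAD_PAM, pam_auth_problems)]:
        print(name, "->", check(text) or "ok")
```

On a real host the same functions can be fed the contents of /etc/pam.d/sshd and the sshd config file; the include warnings are the reminder that pam_unix may live in a file the service file pulls in rather than in the service file itself.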
- Connect to service
- See an 8-digit challenge as the prompt
- Enter challenge in OTP card
- Enter PIN in OTP card
- Enter response of OTP card in ssh prompt
- Verify the user logged in
- Test with invalid responses
- Verify the user login is denied
When the challenge is not displayed, check that the PAM module is loaded and which other statements are configured. Depending on your distribution, other methods need to be disabled or reordered.
When the default username and password prompt is not displayed after wrong responses, check the AuthenticationMethods setting in the sshd config.