Sudo with PAM
To use sudo with PAM, sudo must be installed and built with PAM support. Most distributions configure sudo this way. PAM then needs to be extended with the pam_ocra module. If your distribution does not ship a package, build it from source using the GitHub pam_ocra_portable source code.
pam_ocra_portable ships the ocra_tool binary, which is used to provision the per-user configuration.
ocra_tool init -f /home/USER/.ocra \
-s OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 \
-k 00112233445566778899aabbccddeeff00112233 \
-c 1 -w 50 -p 1234 -q 4567
The parameters for the init action are described in more detail in the man page.
ocra_tool init -k key -s suite_string [-c counter] [-p pin | -P pin_hash] [-q kill_pin | -Q kill_pin_hash] [-w counter_window] [-t timestamp_offset] [-u user_name]
Sync the card counter
ocra_tool sync -f /home/USER/.ocra \
-c 12345678 -r 000000 -v 111111
The parameters for the sync action are described in more detail in the man page.
ocra_tool sync [-u user_name] -c challenge -r response -v second_response
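As an added example (not code from pam_ocra or this page), the following Python computes the OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 response that the card returns for the init parameters above, following RFC 6287, and shows how a counter window lets the server catch up from two consecutive responses of the kind `ocra_tool sync` takes. The key and PIN are the page's sample values; the challenge, the card's counter and the resync semantics are my assumptions, not pam_ocra's actual implementation.

```python
import hashlib
import hmac

# Values from the provisioning above (ocra_tool init); the key is the page's
# sample key, not one to deploy.
SUITE = "OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1"
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
PIN = "1234"

def ocra(suite, key, challenge, counter=None, pin=None):
    """RFC 6287 OCRA response for suites using C, QNxx and PSHAx data inputs."""
    crypto, data = suite.split(":")[1:3]          # "HOTP-SHA1-6", "C-QN08-PSHA1"
    _, hash_name, digits = crypto.split("-")
    parts = data.upper().split("-")
    msg = suite.encode() + b"\x00"                # suite string + 0x00 separator
    if "C" in parts:                              # 8-byte big-endian counter
        msg += counter.to_bytes(8, "big")
    q = next(p for p in parts if p[0] == "Q")
    if q[1] != "N":
        raise NotImplementedError("only numeric (QN) challenges handled here")
    # Numeric challenge: decimal -> hex digits, left-aligned in a 128-byte field
    msg += bytes.fromhex(format(int(challenge), "X").ljust(256, "0"))
    p = next((p for p in parts if p[0] == "P"), None)
    if p:                                         # hashed PIN, e.g. SHA-1(PIN)
        msg += hashlib.new(p[1:].lower(), pin.encode()).digest()
    mac = hmac.new(key, msg, hash_name.lower()).digest()
    offset = mac[-1] & 0x0F                       # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** int(digits)).zfill(int(digits))

def resync(suite, key, pin, challenge, response, second_response, expected, window):
    """Counter resynchronisation in the spirit of `ocra_tool sync` (assumed
    semantics, not pam_ocra's code): search `window` counters starting at the
    server's `expected` counter for a c where the card's two consecutive
    responses (counters c and c+1) both match. Returns the next counter the
    server should expect, or None if the card is outside the window."""
    for c in range(expected, expected + window):
        if (hmac.compare_digest(ocra(suite, key, challenge, c, pin), response)
                and hmac.compare_digest(ocra(suite, key, challenge, c + 1, pin),
                                        second_response)):
            return c + 2
    return None

if __name__ == "__main__":
    # Constructed sample: sudo shows challenge 12345678 and the card is 20 steps
    # ahead of the server's counter 1, inside the window of 50 from the init.
    card_counter = 21
    r1 = ocra(SUITE, KEY, "12345678", card_counter, PIN)
    r2 = ocra(SUITE, KEY, "12345678", card_counter + 1, PIN)
    print("response:", r1, "second response:", r2)
    print("server counter after sync:", resync(SUITE, KEY, PIN, "12345678", r1, r2, 1, 50))
```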
Ensure /etc/pam.d/sudo contains the line:
auth required /usr/local/lib/pam_ocra.so
- Open a shell as a user in the wheel group
- Run sudo /bin/bash -c 'id'
- sudo shows the challenge as its prompt
- Enter the challenge into the OTP card
- Enter the PIN into the OTP card
- Enter the card's response at the sudo prompt
- Check for 'uid=0' in the output
- Repeat with invalid responses
- Check that a permission denied message is shown
If no challenge is displayed, check that the PAM module is actually loaded and which other auth statements are configured for sudo, including lines pulled in through include or substack directives. Depending on your distribution, other auth methods may need to be disabled or reordered so that pam_ocra is reached.
Also ensure that the user is in the group sudo grants access to.