Sudo with PAM

Install dependencies

To use sudo with PAM have sudo installed and PAM linked. Most distributions configure sudo this way. PAM needs to be extended with the pam_ocra plugin. As long as your distribution does not ship a package, build it from source using the Github pam_ocra_portable sourcecode.

Setup environment

pam_ocra_portable comes with the binary ocra_tool that is used to provision the configuration. 

ocra_tool init -f /home/USER/.ocra \
-s OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 \
-k 00112233445566778899aabbccddeeff00112233 \
-c 1 -w 50 -p 1234 -q 4567

The parameters for the init action are described in more detail in the man page.

ocra_tool init -k key -s suite_string
          [-c counter] [-p pin | -P pin_hash]
          [-q kill_pin | -Q kill_pin_hash]
          [-w counter_window] [-t timestamp_offset]
          [-u user_name]

Sync the card counter

ocra_tool sync -f /home/USER/.ocra \
          -c 12345678 -r 000000 -v 111111

The parameters for the sync action are described in more detail in the man page.

ocra_tool sync [-u user_name]
          -c challenge
          -r response -v second_response

Configure PAM

Ensure /etc/pam.d/sudo contains the line:

auth required /usr/local/lib/

Configure Sudo

Make sure that the users that need to sudo are in the wheel group if this is in your requirements.


  • Open shell with user in wheel group
  • sudo /bin/bash -c 'id'
    • See challenge as prompt
  • Enter challenge in OTP card
  • Enter PIN in OTP card
  • Enter response of OTP card into sudo prompt
    • Check the 'uid=0' in output
  • Test with invalid responses
    • Check permission denied message


When the challenge is not displayed, check that the PAM module is loaded and what other

auth required

statements are configured. Depending on your distribution other methods need to be disabled or reordered.

Ensure that the user is in the appropriate sudo group.