Install dependencies

To use xscreensaver with PAM, xscreensaver must be installed and linked against PAM. Most distributions configure xscreensaver this way. PAM needs to be extended with the pam_ocra plugin. As long as your distribution does not ship a package, build it from source using the pam_ocra_portable source code on GitHub.

Setup environment

pam_ocra_portable comes with the binary ocra_tool, which is used to provision the configuration.

ocra_tool init -f /home/USER/.ocra \
-s OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 \
-k 00112233445566778899aabbccddeeff00112233 \
-c 1 -w 50 -p 1234 -q 4567

The key, PIN and kill PIN shown above are sample values; replace them with your own. The parameters for the init action are described in more detail in the man page.

ocra_tool init -k key -s suite_string
          [-c counter] [-p pin | -P pin_hash]
          [-q kill_pin | -Q kill_pin_hash]
          [-w counter_window] [-t timestamp_offset]
          [-u user_name]

Sync the card counter

ocra_tool sync -f /home/USER/.ocra \
          -c 12345678 -r 000000 -v 111111

The parameters for the sync action are described in more detail in the man page.

ocra_tool sync [-u user_name]
          -c challenge
          -r response -v second_response

Configure PAM

Ensure /etc/pam.d/xscreensaver contains the line:

auth required /usr/local/lib/pam_ocra.so

Configure XScreensaver

XScreensaver does not need to be configured. It will display the challenge and request a response in the XScreensaver UI.


  • Start the xscreensaver: xscreensaver-command -activate -lock, then move the mouse
    • The challenge is shown as the prompt
  • Enter the challenge into the OTP card
  • Enter the PIN into the OTP card
  • Enter the response from the OTP card at the XScreenSaver prompt
    • Check that the desktop is shown again
  • Test with invalid responses
    • Check that permission is denied

If the initial challenge setup is incorrect, you will not be able to unlock the session, so save all data before testing.


When the challenge is not displayed, check that the PAM module is loaded and what other "auth required" statements are configured. Depending on your distribution, other methods need to be disabled or reordered.