To use xscreensaver with PAM, xscreensaver must be installed and linked against PAM. Most distributions configure xscreensaver this way. PAM needs to be extended with the pam_ocra plugin. If your distribution does not ship a package, build it from source using the pam_ocra_portable source code on GitHub.
pam_ocra_portable comes with the binary ocra_tool, which is used to provision the configuration.
ocra_tool init -f /home/USER/.ocra \
-s OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 \
-k 00112233445566778899aabbccddeeff00112233 \
-c 1 -w 50 -p 1234 -q 4567
The parameters for the init action are described in more detail in the man page.
ocra_tool init -k key -s suite_string [-c counter] [-p pin | -P pin_hash] [-q kill_pin | -Q kill_pin_hash] [-w counter_window] [-t timestamp_offset] [-u user_name]
Sync the card counter
ocra_tool sync -f /home/USER/.ocra \
-c 12345678 -r 000000 -v 111111
The parameters for the sync action are described in more detail in the man page.
ocra_tool sync [-u user_name] -c challenge -r response -v second_response
Ensure /etc/pam.d/xscreensaver contains the line:
auth required /usr/local/lib/pam_ocra.so
- Start xscreensaver with xscreensaver-command -activate -lock, then move the mouse
- The challenge is shown in the prompt
- Enter the challenge in the OTP card
- Enter the PIN in the OTP card
- Enter the response from the OTP card in the XScreenSaver prompt
- Check the desktop again
- Test with invalid responses
- Check that permission is denied
Be prepared for the initial challenge setup being incorrect. Save all data before testing.
When the challenge is not displayed, check that the PAM module is loaded and which other statements are configured. Depending on your distribution, other methods need to be disabled or reordered.
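An independent cross-check for the provisioning values above, added here as an example (not code from pam_ocra_portable): it computes the response that RFC 6287 defines for counter, numeric-challenge and SHA-1 PIN suites such as OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1, which is more general than the single suite on this page. The function name ocra_response is an assumption; the demo uses the sample key, counter and PIN from the init command and the challenge from the sync command.

```python
import hashlib
import hmac


def ocra_response(suite, key_hex, challenge, counter=None, pin=None):
    """RFC 6287 response for HOTP-<hash>-<digits> suites whose data input is
    an optional counter (C), a numeric challenge (QNxx) and optionally PSHA1."""
    _, crypto, data_spec = suite.split(":")
    _, hash_name, digits = crypto.split("-")
    fields = data_spec.split("-")
    digits = int(digits)
    if any(f not in ("C", "PSHA1") and not f.startswith("QN") for f in fields):
        raise ValueError("only C, QNxx and PSHA1 inputs are handled here")

    # DataInput = suite | 0x00 | C | Q | P  (session and time fields unsupported)
    msg = suite.encode("ascii") + b"\x00"
    if "C" in fields:
        if counter is None:
            raise ValueError("suite requires a counter")
        msg += counter.to_bytes(8, "big")
    q_spec = next((f for f in fields if f.startswith("QN")), None)
    if q_spec is None:
        raise ValueError("suite has no numeric (QN) challenge")
    if not challenge.isdigit() or len(challenge) > int(q_spec[2:]):
        raise ValueError("challenge must be decimal and fit " + q_spec)
    # Decimal challenge -> hex string, right-padded with zeros to 128 bytes.
    msg += bytes.fromhex(format(int(challenge), "X").ljust(256, "0"))
    if "PSHA1" in fields:
        if pin is None:
            raise ValueError("suite requires a PIN")
        msg += hashlib.sha1(pin.encode("ascii")).digest()

    mac = hmac.new(bytes.fromhex(key_hex), msg, hash_name.lower()).digest()
    # HOTP dynamic truncation (RFC 4226), then keep the last <digits> digits.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Sample key, counter and PIN from the init command, challenge from sync.
    print(ocra_response("OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1",
                        "00112233445566778899aabbccddeeff00112233",
                        "12345678", counter=1, pin="1234"))
```

The counter passed in must match the value the card and the .ocra file currently hold, since it changes the response.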