PAM OTP
Integrate OTP authentication with any PAM module using google-authenticator-libpam.
Prerequisites
You need the following in order to be able to use PAM OTP:
- python3
- python3-pip
- argparse
- google-authenticator-libpam (Your distro package manager is likely to have this)
Installation
- Clone this repo and cd into it
git clone https://github.com/DaniAsh551/pam-otp
cd pam-otp
- Install the dependencies mentioned in the Prerequisites and requirements.txt (
pip install -f ./requirements.txt) - Generate your secrets by running
google-authenticator. Pay attention, answer the questions and note the path where it generates the secret file. (Ususally~/.google_authenticator) - Run the install script as root. You need to know what these arguments are:
- secret: The path to the secret file generated in the previous step
- control: The control flag to use. See here for details.
- prefix: The root/prefix to use, it's a good idea to leave this alone if you are not sure what this is
- PAM_CONF: The path to the PAM config file where pam-otp should be added to
Example Scenarios
- Adding OTP to KDE Plasma login on debian stretch:
sudo apt update
sudo apt install -y libpam-google-authenticator
git clone https://github.com/DaniAsh551/pam-otp
cd pam-otp
google-authenticator
sudo ./install --secret $HOME/.google_authenticator /etc/pam.d/kde
- Adding OTP to OpenSSH on debian stretch (Also make sure UsePAM is set to
yesin/etc/ssh/sshd_config):
sudo apt update
sudo apt install -y libpam-google-authenticator
git clone https://github.com/DaniAsh551/pam-otp
cd pam-otp
google-authenticator
sudo ./install --secret $HOME/.google_authenticator /etc/pam.d/sshd