Google Authenticator HOTP mode and TOTP mode


You can make OATH a requirement and let the rest of the PAM stack be processed if you use the following line instead:

auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6

For SSH login to work, make sure these options are enabled in the file /etc/ssh/sshd_config:


To enable OATH for a specific service only, like OpenSSH, you can edit the file /etc/pam.d/sshd and add the following line at the beginning of the file:

auth sufficient pam_oath.so usersfile=/etc/users.oath window=30 digits=6

This will allow authentication if you just enter the right OATH code.

Make sure that the file can only be accessed by the root user:


/etc/users.oath

# Option User Prefix Seed

If you need HOTP, use this configuration:

Warning: Do not set T bigger than 60, otherwise you will get the error: (OATH_UNKNOWN_USER: Cannot find information about user).
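The three checks this page describes (sufficient versus required, the T limit of 60, root-only access to the users file) can be audited with a short script. This is an added example, not code from the page or from oath-toolkit. It assumes the type field has the form HOTP, HOTP/E or HOTP/T<step>, optionally followed by /<digits>, and reads T in the warning above as that time step; all sample lines are constructed.

```python
import os
import re
import stat

# Constructed sample inputs, not taken from a real host.
SAMPLE_PAM = "auth sufficient pam_oath.so usersfile=/etc/users.oath window=30 digits=6\n"
SAMPLE_USERS = ("# Option User Prefix Seed\n"
                "HOTP/T30/6 alice - 00\n"   # time-based entry, step 30
                "HOTP/T90/6 bob - 00\n"     # step above the page's limit of 60
                "HOTP carol - 00\n")        # counter-based HOTP entry
# Assumed type-field shape: HOTP, optional /E or /T<step>, optional /<digits>.
TYPE_RE = re.compile(r"^HOTP(?:/E|/T(\d+))?(?:/\d+)?$")

def audit_pam(text):
    """Return (line_no, message) for pam_oath auth lines marked 'sufficient'."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "auth" and f[2] == "pam_oath.so" and f[1] == "sufficient":
            out.append((n, "OATH code alone authenticates; use 'required' for a second factor"))
    return out

def audit_users(text, max_step=60):
    """Return (line_no, message) for malformed entries or time steps above max_step."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        m = TYPE_RE.match(f[0])
        if len(f) < 4 or m is None:
            out.append((n, "unparseable entry"))
        elif m.group(1) and int(m.group(1)) > max_step:
            out.append((n, f"{f[1]}: time step {m.group(1)} exceeds {max_step}"))
    return out

def audit_mode(st_mode, st_uid):
    """Return messages if the seed file is not root-owned or is group/other accessible."""
    out = []
    if st_uid != 0:
        out.append("not owned by root")
    if stat.S_IMODE(st_mode) & 0o077:
        out.append("accessible by group or other")
    return out

if __name__ == "__main__":
    print(audit_pam(SAMPLE_PAM), audit_users(SAMPLE_USERS))
    if os.path.exists("/etc/users.oath"):   # only checked when the file is present
        st = os.stat("/etc/users.oath")
        print(audit_mode(st.st_mode, st.st_uid))
```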
