Set up OTP on Debian in minutes

As root install the packages:

apt-get install libpam-opie opie-server opie-client

My systems only permit ssh, so I ignore the other services. Enable OTP for ssh by editing /etc/pam.d/ssh: comment out the inclusion of common-auth and add the following lines so that the file reads:

#@include common-auth
auth sufficient pam_opie.so
auth sufficient pam_unix.so nullok_secure
auth required pam_deny.so

It might be inconvenient, but you can also enable it globally by editing /etc/pam.d/common-auth:

#auth required pam_unix.so nullok_secure
auth sufficient pam_opie.so
auth sufficient pam_unix.so nullok_secure
auth required pam_deny.so

Enable it for the non-root account by running the following on a secure console:

opiepasswd -c

That’s it, you’re done! On your next attempt to log in with ssh you should see something similar to:

$ ssh myhost.example.com
otp-md5 495 wi01309 ext, Response:
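
In the PAM stack configured above, both pam_opie.so and pam_unix.so are marked sufficient, so either the OTP response or the Unix password alone authenticates the user, and the final pam_deny.so line only works if its control flag is one PAM recognises. The following Python is an added example, not part of the original page: it lints auth lines for unknown control flags and models the outcome of a required/requisite/sufficient stack. The function names and the sample with a mistyped flag are constructed for illustration.

```python
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional",
                   "include", "substack"}

def parse_auth_stack(text):
    """Return (entries, errors); entries are (control, module) for auth lines."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()    # drop comments, split fields
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue                             # blank, @include or non-auth
        control, module = fields[1], fields[2]
        if control not in SIMPLE_CONTROLS and not control.startswith("["):
            errors.append((lineno, "unknown control flag %r" % control))
        else:
            entries.append((control, module))
    return entries, errors

def stack_allows(entries, results):
    """Simplified model of required/requisite/sufficient stacks only.
    results maps module name -> True if that module would succeed."""
    failed = passed = False
    for control, module in entries:
        ok = results.get(module, False) and module != "pam_deny.so"
        if control == "sufficient":
            if ok and not failed:
                return True                      # success ends the stack early
        elif control == "requisite":
            if not ok:
                return False
            passed = True
        elif control == "required":
            passed, failed = passed or ok, failed or not ok
        else:
            raise ValueError("control not modelled: " + control)
    return passed and not failed

# Constructed sample: the last line carries a mistyped control flag.
TYPO_STACK = """\
auth sufficient pam_opie.so
auth sufficient pam_unix.so nullok_secure
auth require pam_deny.so
"""
GOOD_STACK = TYPO_STACK.replace(" require ", " required ")

if __name__ == "__main__":
    print(parse_auth_stack(TYPO_STACK)[1])
    stack = parse_auth_stack(GOOD_STACK)[0]
    for opie, unix in ((True, False), (False, True), (False, False)):
        print(opie, unix, stack_allows(stack, {"pam_opie.so": opie, "pam_unix.so": unix}))
```

If OTP is meant to be required in addition to the password rather than as an alternative to it, the sufficient flags in this stack do not achieve that.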