PAM_OCRA(8) BSD System Manager's Manual PAM_OCRA(8)
NAME
pam_ocra — RFC6287 OCRA: OATH Challenge-Response Algorithm PAM module
SYNOPSIS
[service-name] module-type control-flag pam_ocra [options]
DESCRIPTION
The OCRA service module for PAM, pam_ocra, provides functionality for only
one PAM category: authentication. In terms of the module-type parameter,
this is the “auth” feature. It also provides null functions for the
remaining module types.
OCRA Authentication Module
The OCRA authentication component (pam_sm_authenticate()) obtains OCRA
credentials from the per-user file ~/.ocra. If this fails and the
dir parameter is set, directory/USERNAME will be used. It then provides
the user with an OCRA challenge and verifies the response.
The following options may be passed to the authentication module:
dir=directory
directory to search for OCRA credentials.
fake_prompt=suite_string
Use suite_string to generate fake challenges for users who do
not have OCRA credentials. Note that if this option is not
set, no fake challenges will be generated, which can leak
information to a hypothetical attacker about who uses OCRA and
who does not.
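A configuration check for the options above, as an added example that is not part of the pam_ocra distribution: it flags auth entries without fake_prompt, fake_prompt values not shaped like an RFC 6287 suite (OCRA-1:CryptoFunction:DataInput), and pam_ocra on non-auth module types, where it only provides null functions. The function name, finding codes, sample lines and module path are constructed for illustration; simple one-word control flags are assumed.

```python
import os

MODULE_TYPES = {"auth", "account", "session", "password"}

# Constructed sample in pam.conf style; the last line is pam.d style (no service name).
SAMPLE = """\
# constructed sample, not from a real system
sshd  auth     required  pam_ocra.so dir=/etc/ocra
login auth     required  /usr/local/lib/pam_ocra.so fake_prompt=OCRA-1:HOTP-SHA1-6:QN08
su    auth     required  pam_ocra.so fake_prompt=HOTP-SHA1-6
sshd  account  required  pam_ocra.so
auth  required pam_unix.so
"""

def audit_pam_ocra(text):
    """Return [(line_number, finding_code)] for pam_ocra entries in PAM config text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        # pam.conf lines lead with a service name; pam.d/* lines omit it.
        if tokens and tokens[0] not in MODULE_TYPES:
            tokens = tokens[1:]
        if len(tokens) < 3 or tokens[0] not in MODULE_TYPES:
            continue
        module_type, _control, module, *options = tokens
        if os.path.basename(module).split(".")[0] != "pam_ocra":
            continue
        if module_type != "auth":
            # Only the auth category is implemented; other types are null functions.
            findings.append((lineno, "null-function"))
            continue
        opts = dict(o.partition("=")[::2] for o in options)
        suite = opts.get("fake_prompt")
        if suite is None:
            # Users without OCRA credentials get no challenge, revealing who uses OCRA.
            findings.append((lineno, "no-fake-prompt"))
        else:
            parts = suite.split(":")
            if not (parts[0] == "OCRA-1" and len(parts) == 3 and all(parts)):
                findings.append((lineno, "bad-suite"))
    return findings

if __name__ == "__main__":
    for lineno, code in audit_pam_ocra(SAMPLE):
        print(f"line {lineno}: {code}")
```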
FILES
~/.ocra
OCRA credential file
SEE ALSO
pam.conf(5), pam(8), ocra_tool(8)
STANDARDS
RFC6287 OCRA: OATH Challenge-Response Algorithm
AUTHORS
The pam_ocra module and this manual page were developed by Stefan
Grundmann
BSD September 30, 2014 BSD