Setup oathtoolkit and libpam-oath on Debian Linux


The OATH Toolkit contains a shared library, command line tool and a PAM module that makes it possible to build one-time password authentication systems. Supported technologies include the event-based HOTP algorithm and the time-based TOTP algorithm. OATH is the Open AuTHentication organization which specifies the algorithms.

The components included in the package are:

  • liboath: A shared and static C library for OATH handling.
  • oathtool: A command line tool for generating and validating OTPs.
  • pam_oath: A PAM module for pluggable login authentication for OATH.

Compatible (and tested) Apps and hardware token on the client-side

Google Authenticator for Android, iOS and Blackberry (HOTP/T30/6 and HOTP/E/6)

Gooze c100 event based hardware token (HOTP/E/6)

Gooze c200 time based hardware token (HOTP/T60/6)

OATH Token iOS App (all variants)

As you can see, the OATH Toolkit includes support for Google-Authenticator. So if you want to build an OTP System you should use OATH Toolkit. The only additional option Google-Authenticator has is the ability to add scratchcodes. If you build a PAM-based system e.g. with freeradius, there is the possibility to combine google-authenticator (for scratchcodes) and OATH Toolkit for all kind of OTPs by adding them both as “auth optional” in /etc/pam.d/radiusd.

Install preriquisites

This document is based on:

Distributor ID: Debian
Description:    Debian GNU/Linux 6.0.5 (squeeze)
Release:        6.0.5
Codename:       squeeze

Depending on your system you need some packages on your machine before we begin. Since I wrote this documentation after I installed everything, it might be possible that I missed a dependency. If so, find out what is missing and install it. As far as I can remember I did:

apt-get install libqrencode3 datefudge

Get and install the OATH Toolkit for Debian

OATH Toolkit is not included in the stable version of Debian. I just downloaded it from the current testing version (wheezy). You can get it here:

Download the following packages for your architecture:

  • liboath0 - Unordered List ItemOATH Toolkit Liboath library
  • libpam-oath - OATH Toolkit libpam_oath PAM module
  • oathtool - OATH Toolkit oathtool command line tool

and install them from the command line with

dpkg -i liboath0_1.12.3-1_i386.deb
dpkg -i libpam-oath_1.12.3-1_i386.deb
dpkg -i oathtool_1.12.3-1_i386.deb

The names can slightly differ on your side.

You have now installed the OATH Toolkit including PAM support.

Try to use oathtool now:

oathtool -v dd23c3db653ba29ac533

The result should look exactly like this:
Hex secret: dd23c3db653ba29ac533
Base32 secret: 3UR4HW3FHORJVRJT
Digits: 6
Window size: 0
Start counter: 0x0 (0)


If you have the same output you know, your installation of the OATH Toolkit worked. Please verify also, that the PAM module has been placed in the correct location:

ls -l /lib/security/

should result in


This means, the PAM module is in the right place.

Security Hint

I would prefer using counter-based codes instead of time-based codes when using Software-Tokens. With counter-based codes you can reduce the possibility to duplicate the account on multiple devices, since it has “some kind” of protection against cloning due to the increasing of the counter on every good or bad login.

For hardware tokens I would recommend time-based tokens like the c200 from Gooze (HOTP/T60/6). This will reduce the administrative work on synchronising tokens.

Also take a look at this entry

I would generally say:
For cloneable tokens (Software Tokens) use event-based (HOTP/E).
For hardware tokens use time-based (HOTP/T).

public/linux/otp/setup_oath-toolkit.txt · Last modified: 2015/08/11 08:20 (external edit)
CC Attribution-Share Alike 3.0 Unported
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0