OTP Local Login & SSH on Ubuntu

Hi, new to privacyIDEA here,

I am trying to configure privacyIDEA OTP for local login and ssh. I am currently running on Ubuntu 22.04.2 LTS and running on Apache webserver.

Below is my pi.cfg

import logging
# The realm, where users are allowed to login as administrators
# Your database
#SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
# This is used to encrypt the auth_token
#SECRET_KEY = 't0p s3cr3t'
# This is used to encrypt the admin passwords
#PI_PEPPER = "Never know..."
# This is used to encrypt the token data and token passwords
PI_ENCFILE = '/etc/privacyidea/enckey'
# This is used to sign the audit log
# This is the dummy base class
#PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.base'
# This is the default
#PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.sqlaudit'
# This is used to sign the audit log
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
# The Class for managing the SQL connection pool

PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_PEPPER = 'hello'
SECRET_KEY = 'there'
SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://pi:cNjD2hb2MFkT@localhost/pi?charset=utf8'

So far I have only configured the realm and enrolled a token following the First Steps in the Documentation.

I am following this old tutorial and the PAM part of the documentation.

I installed both libpam and the pam_python and below is the command entered into etc/pam.d/common-auth

auth    sufficient                      pam_python.so /root/pam_python/privacyidea_pam.py url=https://localhost prompt=privacyIDEA_Authentication nosslverify try_first_pass

When trying to log in via the command line, the prompt was not updated to what I set, and I am only able to log in via the previously set password and not the OTP.

How could I fix this? Also, how could I change this to ask for both the password and OTP upon local login/ssh?

EDIT: While using an older version of Python, the prompt changes to what was set. I have also tested that the PAM config is working, and I can log in with password+OTP when using the login command, but I cannot use the password+OTP on local login (when you boot up the machine) and ssh. Could I get some help on this and also on how to use a later version of Python?

Never mind! I decided to use pam_radius instead. At first, I didn't want to do it because of my lack of knowledge in that area. However, it was surprisingly easy and I managed to make it work!


Were you able to add PrivacyIDEA TOTP to Ubuntu desktop user login to the operating system?