Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

PAM ArduKey


First you have to install the server via your package manager. For example:

~# apt-get install libpam-ardukey

Important note: First you need to add the "PM Codeworks" repository. See this page for the instructions.

Manual package build and installation

If you don't want to use pre-build packages, you can easyly build your own packages using the tool debuild:

~$ cd ./src/
~$ debuild

After that, the generated packages can be found in the upper directory. You can install the packages with dpkg:

~# dpkg -i ../*.deb

And fix the dependency problems, if occurred:

~# apt-get -f install


Note: All changes will be done in file /etc/pam-ardukey.conf.

First we have to change the auth server list:

servers =,

In this case the PAM module will connect the servers which are listening on the addresses and (both on port 8080). If the first server in the list is not available, the next server will be tried to connect.

Important note: You never should provide the auth-server on the same machine as the PAM module (it doesn't add any security). So change the value to the address(es) of your auth-server(s). For example:

servers =,

Now we need to change the "API key" to provide signed communication between the PAM module and the auth-server. The API key (consisting of an API id and a shared secret) must be generated on the auth-server machine. For example:

api_id = 1

Setup SSH daemon for two factor authentication (2FA)

Important: You need a OpenSSH server > 6.2 for two factor feature.

First check if the parameter ChallengeResponseAuthentication is set to yes in the SSH server configuration /etc/ssh/sshd_config.

Add the following block to the SSH server configuration /etc/ssh/sshd_config:

Match Group twofactor
    AuthenticationMethods publickey,keyboard-interactive

Now we need to create the above user group:

~# addgroup twofactor

Create the PAM profile with following command:

~# echo "auth sufficient" > /etc/pam.d/ardukey-twofactor

Add the following block to /etc/pam.d/sshd (above @include common-auth):

# ArduKey two factor authentication:
@include ardukey-twofactor

And restart the SSH server:

~# /etc/init.d/ssh restart

Setup a user for SSH with 2FA

In this example the user root will be protected by 2FA.

Just use the following command to add the user root (the public ID of his ArduKey device must be entered). This means this ArduKey device will be assigned to the user - be sure this is the correct public ID!

~# pam-ardukey-conf --add-user root
Are you sure you want to assign an ArduKey device to the user "root"? (Y/n) Y
Please enter the public ID of your ArduKey device: cccccccccccb
Successfully assigned the ArduKey device to the user "root"!

Finally add the user root to the twofactor group:

~# adduser root twofactor

From now, the SSH login requires additional 2FA with ArduKey.

Further information

Additionally you can check out this article, which explains the complete ArduKey infrastructure in detail (the article is in German).


If you have any questions to this project, just ask me via email:


ArduKey PAM module for user authentication



Unknown, Unknown licenses found

Licenses found






No packages published