After installation, you need to configure your PAM stack to use the Barada module for authorization. In the /etc/pam.d/ directory you will find a list of programs which use PAM. If, for instance, you would like to use this in conjunction with SSH, you'd edit the file /etc/pam.d/sshd -- which should already exist. Just above the line: @include common-auth ...you would add the line: auth sufficient pam_barada.so This means that when sshd calls out to the PAM stack for authorization, the barada module will be used before the standard password-based authorization module. Here we have listed it as "sufficient," which means that should the authorization succeed it will be considered successful, but if it fails it will continue on with the rest of the PAM stack to try and find a success. This means that at any time you can use a OTP credential or your password. Once you have PAM configured, you need to setup the Barada credentials for the users you would like to make it available for. The program "barada-add" in /usr/bin/ should be run as such: $ sudo barada-add ...where username is the name of the user that you want to have Barada access, and pin is an arbitrary-length pin number for that user's credentials. barada-add should then print a result like: $ sudo barada-add someUser 1234 Added someUser with key: 94102985ae8690d28348702459ef4057 $ The key printed here needs to be installed on the user's device. The best way to do it is to read it off the screen here and type it in directly when the Android-based client software prompts you for it. This is the only time that you'll have to enter the key. After that, you'll just need to enter the PIN each time you want an OTP. At this point, you should be ready to go. Send questions, comments, concerns, suggestions to moxie@thoughtcrime.org