http://www.nongnu.org/oath-toolkit/pam_oath.html

First, install the necesssary packages:

    % apt-get install libpam-oath oathtool

Generate a key and write it to `/etc/users.oath` (NB the key will be in hexadecimal; if you are using [Authy](https://www.authy.com) you will want to convert it to BASE32):

    % KEY=$( head -c 1024 /dev/urandom | openssl sha1 | awk '{ print $2 }' )
    % echo "HOTP/T30/6 andrewlkho - ${KEY}" >> /etc/security/users.oath
    % chmod 600 /etc/users.oath
    
Configure use of libpam-oath in `/etc/pam.d/sshd` (and any other services you wish, such as sudo):

    # @include common-auth
    auth required pam_unix.so nullok_secure
    auth required pam_permit.so
    auth required pam_oath.so usersfile=/etc/security/users.oath

Note that we have excluded common-auth because otherwise it would leak information about whether or not the password is correct, as noted [here](http://mikeboers.com/blog/2011/05/28/one-time-passwords-for-ssh-on-ubuntu-and-os-x).

Enable PAM in `/etc/ssh/sshd_config`:

    Use PAM yes
    ChallengeResponseAuthentication yes

Restart ssh:

    % service ssh restart